Upload and Activate Certificates for Radius and Vpn Services
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
This is a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server and FortiToken Mobile push two-factor authentication. If you enable push notifications, users can approve or deny the authentication request from their mobile device.
Sample topology
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.
To configure FortiAuthenticator using the GUI:
- On the FortiAuthenticator, go to System > Administration > System Access and configure a Public IP/FQDN for FortiToken Mobile. If the FortiAuthenticator is behind a firewall, the public IP/FQDN will be an IP/port forwarding rule directed to one of the FortiAuthenticator interfaces. The interface that receives the approve/deny FTM push responses must have the FortiToken Mobile API service enabled.
- Add a FortiToken mobile license on the FortiAuthenticator:
- Go to Authentication > User Management > FortiTokens.
- Click Create New.
- Set Token type to FortiToken Mobile and enter the FortiToken Activation codes.
- Create the RADIUS client (FortiGate) on the FortiAuthenticator:
- Go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client (OfficeServer).
- Enter the FortiGate IP address and set a Secret.
The secret is a pre-shared password that the FortiGate uses to authenticate to the FortiAuthenticator.
- Set Authentication method to Enforce two-factor authentication.
- Select Enable FortiToken Mobile push notifications authentication.
- Set Realms to local | Local users.
- Create a user and assign FortiToken mobile to the user on the FortiAuthenticator:
- Go to Authentication > User Management > Local Users to create a user sslvpnuser1.
- Enable Allow RADIUS authentication and click OK to access additional settings.
- Enable Token-based authentication and select to deliver the token code by FortiToken.
- Select the FortiToken added from the FortiToken Mobile dropdown menu.
- Set Delivery method to Email and fill in the User Information section.
- Go to Authentication > User Management > User Groups to create a group sslvpngroup.
- Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
- Install the FortiToken Mobile application on your Android or iOS smartphone.
The FortiAuthenticator sends the FortiToken Mobile activation to the user's email address.
- Activate the FortiToken Mobile through the FortiToken Mobile application by entering the activation code or scanning the QR code.
To configure SSL VPN using the GUI:
- Configure the interface and firewall address. The port1 interface connects to the internal network.
- Go to Network > Interfaces and edit the wan1 interface.
- Set IP/Network Mask to 172.20.120.123/255.255.255.0.
- Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
- Click OK.
- Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0.
- Create a RADIUS user and user group:
- On the FortiGate, go to User & Authentication > RADIUS Servers to create a user to connect to the RADIUS server (FortiAuthenticator).
- For Name, use FAC-RADIUS.
- Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
- Click Test Connectivity to ensure you can connect to the RADIUS server.
- Select Test User Credentials and enter the credentials for sslvpnuser1.
The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.
- Go to User & Authentication > User Groups and click Create New to map authenticated remote users to a user group on the FortiGate.
- For Name, use SSLVPNGroup.
- In Remote Groups, click Add.
- In the Remote Server dropdown list, select FAC-RADIUS.
- Leave the Groups field blank.
- Configure SSL VPN web portal:
- Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel style.
- Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
- Configure SSL VPN settings:
- Go to VPN > SSL-VPN Settings.
- Select the Listen on Interface(s), in this example, wan1.
- Set Listen on Port to 10443.
- Set Server Certificate to the authentication certificate.
- Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
- Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal full-access.
- Configure SSL VPN firewall policy:
- Go to Policy & Objects > Firewall Policy.
- Fill in the firewall policy name. In this example, sslvpn certificate auth.
- Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
- Set the Source Address to all and Source User to sslvpngroup.
- Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
- Set Destination Address to the internal protected subnet 192.168.1.0.
- Set Schedule to always, Service to ALL, and Action to Accept.
- Enable NAT.
- Configure any remaining firewall and security options as desired.
- Click OK.
To configure SSL VPN using the CLI:
- Configure the interface and firewall address:
config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end
- Configure internal interface and protected subnet, so connect the port1 interface to the internal network:
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
- Create a RADIUS user and user group:
config user radius
    edit "FAC-RADIUS"
        set server "172.20.120.161"
        set secret <FAC client secret>
    next
end
config user group
    edit "sslvpngroup"
        set member "FAC-RADIUS"
    next
end
- Configure SSL VPN web portal:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
- Configure SSL VPN settings:
config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
- Configure one SSL VPN firewall policy to allow the remote user to access the internal network:
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To see the results of web portal:
- From a remote device, use a web browser to log into the SSL VPN web portal http://172.20.120.123:10443.
- Log in using the sslvpnuser1 credentials.
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
- Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.
- On the FortiGate, go to Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.
To see the results of the tunnel connection:
- Download FortiClient from www.forticlient.com.
- Open the FortiClient Console and go to Remote Access > Configure VPN.
- Add a new connection:
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
- Select Customize Port and set it to 10443.
- Save your settings.
- Log in using the sslvpnuser1 credentials and click FTM Push.
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
- Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.
To check the SSL VPN connection using the GUI:
- Go to Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.
- Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User            Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       sslvpnuser1     1(1)        229       10.1.100.254    0/0           0/0

SSL VPN sessions:
 Index   User            Source IP       Duration   I/O Bytes     Tunnel/Dest IP
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User            Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       sslvpnuser1     1(1)        291       10.1.100.254    0/0           0/0

SSL VPN sessions:
 Index   User            Source IP       Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1     10.1.100.254    9          22099/43228   10.212.134.200
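The two `get vpn ssl monitor` outputs differ only in whether an "SSL VPN sessions" row exists: a web-portal login produces a Login Users entry alone, while a FortiClient tunnel login also produces a session row with the tunnel IP from SSLVPN_TUNNEL_ADDR1. The following Python script is an added example (not Fortinet code and not part of the original page) that parses that output into structured records, classifies a user's state as web-only or tunnel, and lists any logged-in users outside an allowed list, which is the check an operator wants when confirming that only RADIUS-backed group members are connected. The two sample outputs are the ones shown on the page, embedded as string constants.

```python
"""Parse FortiOS `get vpn ssl monitor` output and verify who is connected.
Added example; not Fortinet code. The sample outputs are the page's two
command outputs, embedded here as constructed test input."""
import re

# Output after the web-portal login: a login entry, no tunnel session.
WEB_LOGIN_OUTPUT = """\
SSL VPN Login Users:
 Index   User            Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       sslvpnuser1     1(1)        229       10.1.100.254    0/0           0/0

SSL VPN sessions:
 Index   User            Source IP       Duration   I/O Bytes     Tunnel/Dest IP
"""

# Output after the FortiClient tunnel login: login entry plus a tunnel session.
TUNNEL_LOGIN_OUTPUT = """\
SSL VPN Login Users:
 Index   User            Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       sslvpnuser1     1(1)        291       10.1.100.254    0/0           0/0

SSL VPN sessions:
 Index   User            Source IP       Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1     10.1.100.254    9          22099/43228   10.212.134.200
"""

# Data rows start with an integer index; header rows start with "Index" and never match.
LOGIN_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SESSION_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)/(\d+)\s+(\S+)\s*$")


def parse_ssl_monitor(text):
    """Return {'logins': [...], 'sessions': [...]} from the command output."""
    result = {"logins": [], "sessions": []}
    section = None
    for line in text.splitlines():
        if line.startswith("SSL VPN Login Users"):
            section = "logins"
        elif line.startswith("SSL VPN sessions"):
            section = "sessions"
        elif section == "logins" and (m := LOGIN_RE.match(line)):
            result["logins"].append({
                "index": int(m.group(1)), "user": m.group(2), "auth_type": m.group(3),
                "timeout": int(m.group(4)), "from": m.group(5),
                "http": m.group(6), "https": m.group(7)})
        elif section == "sessions" and (m := SESSION_RE.match(line)):
            result["sessions"].append({
                "index": int(m.group(1)), "user": m.group(2), "source_ip": m.group(3),
                "duration": int(m.group(4)), "bytes_in": int(m.group(5)),
                "bytes_out": int(m.group(6)), "tunnel_ip": m.group(7)})
    return result


def user_state(text, user):
    """'tunnel' if the user has a tunnel session, 'web' if only a portal login, else 'none'."""
    parsed = parse_ssl_monitor(text)
    if any(s["user"] == user for s in parsed["sessions"]):
        return "tunnel"
    if any(l["user"] == user for l in parsed["logins"]):
        return "web"
    return "none"


def unexpected_users(text, allowed):
    """Sorted list of connected users that are not in the allowed list."""
    parsed = parse_ssl_monitor(text)
    seen = {l["user"] for l in parsed["logins"]} | {s["user"] for s in parsed["sessions"]}
    return sorted(seen - set(allowed))


if __name__ == "__main__":
    for label, out in (("web portal", WEB_LOGIN_OUTPUT), ("tunnel", TUNNEL_LOGIN_OUTPUT)):
        print(label, "->", user_state(out, "sslvpnuser1"),
              "unexpected:", unexpected_users(out, ["sslvpnuser1"]))
```

Feed the script the output of `get vpn ssl monitor` captured over SSH (or from a scheduled script) and replace the allowed list with the members of sslvpngroup to turn it into a periodic check.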
Source: https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/207191/ssl-vpn-with-radius-and-fortitoken-mobile-push-on-fortiauthenticator