
Solved: How do I restrict an SSL VPN user to tunnel mode or web mode in SSL VPN using RADIUS

This article provides an example of configuring SSL VPN users so that each is restricted to either tunnel mode or web mode, using RADIUS authentication.

Consider User A (Test-tunnel), who should only be able to use tunnel mode of the SSL VPN, and User B (Test-webmode), who should only be able to use web mode on the unit.

First, create a user group for RADIUS on the unit, with the specific RADIUS group name configured in the group.

To configure this in the GUI, go to User & Authentication -> User Group and select Create New+.

The RADIUS server is mapped under Remote Groups; press the corresponding button to add the RADIUS group attribute to it.

A screenshot of the GUI configuration has been attached for reference.

The equivalent configuration from the CLI is shown below.

Tunnel mode:

# config user group
    edit "Test-rad-tunnel"
        set member "10.100.4.117"
        config match
            edit 1
                set server-name "10.100.4.117"
                set group-name "Test-tunnel"
            next
        end
    next
end

(Screenshot: tunnel mode user group configuration)

Web mode:

# config user group
    edit "Test-rad-webmode"
        set member "10.100.4.117"
        config match
            edit 1
                set server-name "10.100.4.117"
                set group-name "Test-webmode"
            next
        end
    next
end

(Screenshot: web mode user group configuration)

Then, assign each user group to the appropriate SSL VPN portal in the authentication rule (Authentication/Portal Mapping), and reference the group in the firewall policy.

To configure this in the GUI, go to VPN -> SSL-VPN Settings -> Authentication/Portal Mapping and select Create New.

A dropdown menu appears from which the required SSL VPN portal and user group are selected.

# config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Test-rad-tunnel"
            set portal "tunnel-access"
        next
        edit 2
            set groups "Test-rad-webmode"
            set portal "web-access"
        next
    end
end


The RADIUS server must send the group-name attribute to the unit.

Only then can the unit match the correct user group and assign the correct SSL VPN portal to the user.

A packet capture (pcap) can be collected on the firewall to verify that the server is sending the required RADIUS attribute.

To do so, go to Network -> Packet Capture, select Create, and set port 1812 as the filter to capture RADIUS packets.

Below is a screenshot of the PCAP output where the group name attribute is sent to the firewall:

(Screenshot: PCAP output showing the group name attribute sent to the firewall)
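To make the packet-capture check concrete, the following Python example (added here, not code from the article or from Fortinet) decodes a RADIUS Access-Accept and pulls out the group name carried in the Fortinet vendor-specific attribute (RADIUS attribute 26, vendor ID 12356, vendor type 1, which is what the debug output below reports as "FORTINET attr, type 1"). It then applies the article's configuration as a model: the returned name is matched against each user group's `config match` entry, and the first authentication rule whose group matched selects the portal. The Access-Accept packet is constructed in the block with a zeroed authenticator so the parser can be exercised offline; the "first matching rule wins" ordering is an assumption of this model, not a statement about FortiOS internals.

```python
import struct

# RADIUS Vendor-Specific (type 26) carrying Fortinet's vendor ID and
# vendor-type 1 (Fortinet-Group-Name); these values are IANA/Fortinet facts.
RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1

# Model of the article's configuration: user groups with their RADIUS match
# entries, and the authentication rules in the order they are configured.
USER_GROUPS = {
    "Test-rad-tunnel": {"server-name": "10.100.4.117", "group-name": "Test-tunnel"},
    "Test-rad-webmode": {"server-name": "10.100.4.117", "group-name": "Test-webmode"},
}
AUTH_RULES = [
    {"groups": "Test-rad-tunnel", "portal": "tunnel-access"},
    {"groups": "Test-rad-webmode", "portal": "web-access"},
]


def build_access_accept(identifier, group_names):
    """Construct a sample Access-Accept with one Fortinet-Group-Name VSA per name.

    The 16-byte response authenticator is zeroed: this is a constructed sample
    for exercising the parser, not a real capture.
    """
    attrs = b""
    for name in group_names:
        value = name.encode("utf-8")
        vsa = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(value)) + value
        attrs += struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_fortinet_group_names(packet):
    """Return (code, [group names]) from a raw RADIUS packet (the UDP payload).

    Every length field is validated before use, so a truncated or malformed
    packet raises ValueError instead of being silently misread.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    groups = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # some other vendor's VSA; not relevant to group matching
        vpos = 4
        while vpos < len(value):
            if vpos + 2 > len(value):
                raise ValueError("truncated vendor attribute header")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value[vpos + 2:vpos + vlen].decode("utf-8", "replace"))
            vpos += vlen
    return code, groups


def select_portal(packet, server_name="10.100.4.117"):
    """Apply the article's mapping: VSA group name -> user group -> portal.

    Model assumption: a user group matches when any returned group name equals
    its match entry for this server, and the first authentication rule whose
    group matched wins. Returns (user_group, portal), or None if nothing matches.
    """
    code, names = parse_fortinet_group_names(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return None
    matched = {
        ug for ug, m in USER_GROUPS.items()
        if m["server-name"] == server_name and m["group-name"] in names
    }
    for rule in AUTH_RULES:
        if rule["groups"] in matched:
            return rule["groups"], rule["portal"]
    return None


if __name__ == "__main__":
    pkt = build_access_accept(1, ["Test-tunnel"])
    print(parse_fortinet_group_names(pkt), select_portal(pkt))
```

If the server returns a group name that matches no `config match` entry, or returns no Fortinet VSA at all, `select_portal` returns `None`; that is the situation the pcap check is meant to catch. If the server returns both names for one user, both user groups match and, in this model, the first authentication rule decides the portal, so rule order matters when a user is a member of several RADIUS groups.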

To troubleshoot this on the unit, use the following commands:

# di de reset
# di de app fnbamd -1
# di de app sslvpn -1
# di de en

A sample output of a successful SSL VPN authentication is shown below:

[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val Test-tunnel
[1383] fnbamd_auth_handle_radius_result-->Result for radius svr '10.100.4.117' 10.100.4.117(1) is 0
[1653] fnbam_user_auth_group_match-req id: 1524376797, server: 10.100.4.117, local auth: 0, dn match: 0
[1622] __group_match-Group 'Test-rad-tunnel' passed group matching
[1625] __group_match-Add matched group 'Test-rad-tunnel'(2)
[277] find_matched_usr_grps-Passed group matching
[3409:root:16]deconstruct_session_id:709 decode session id ok, user=[test-tunnel], group=[Test-rad-tunnel],authserver=[10.100.4.117],portal=[tunnel-access],host[10.32.76.92],realm=[],csrf_token=[CECD4391B576F76D9957B963C6F8B78],idx=1,auth=2,sid=58ec7ff5,login=1659091670,access=1659091670,saml_logout_url=no,pip=10.32.76.92,grp_info=[SCGF9Y],rmt_grp_info=[em4f4W]
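Reading the fnbamd and sslvpn debug output by hand is error-prone when several users are logging in at once, so here is a small Python checker (an added example, not from the article or from Fortinet) that extracts the RADIUS response code, the Fortinet VSA value, the matched user group and the portal from lines like the ones above, and reports anything inconsistent with the article's group-to-portal mapping. The sample debug text is constructed from the lines shown above with the session line abbreviated; the `EXPECTED_PORTAL` table and the check logic are this example's own.

```python
import re

# Constructed sample built from the article's debug lines (session line
# abbreviated); not a real capture.
SAMPLE_DEBUG = """\
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val Test-tunnel
[1383] fnbamd_auth_handle_radius_result-->Result for radius svr '10.100.4.117' 10.100.4.117(1) is 0
[1653] fnbam_user_auth_group_match-req id: 1524376797, server: 10.100.4.117, local auth: 0, dn match: 0
[1622] __group_match-Group 'Test-rad-tunnel' passed group matching
[1625] __group_match-Add matched group 'Test-rad-tunnel'(2)
[277] find_matched_usr_grps-Passed group matching
[3409:root:16]deconstruct_session_id:709 decode session id ok, user=[test-tunnel], group=[Test-rad-tunnel],authserver=[10.100.4.117],portal=[tunnel-access],host[10.32.76.92],realm=[]
"""

# Group -> portal mapping taken from the article's authentication rules.
EXPECTED_PORTAL = {"Test-rad-tunnel": "tunnel-access", "Test-rad-webmode": "web-access"}

RE_RESP_CODE = re.compile(r"RADIUS resp code (\d+)")
RE_VSA = re.compile(r"extract_success_vsas-FORTINET attr, type 1, val (\S+)")
RE_MATCHED = re.compile(r"__group_match-Add matched group '([^']+)'")
RE_SESSION = re.compile(
    r"decode session id ok, user=\[([^\]]*)\],\s*group=\[([^\]]*)\],\s*"
    r"authserver=\[([^\]]*)\],\s*portal=\[([^\]]*)\]"
)


def summarize(debug_text):
    """Collect the authentication facts the debug output exposes into one dict."""
    s = {"resp_code": None, "vsa_groups": [], "matched_groups": [],
         "user": None, "session_group": None, "authserver": None, "portal": None}
    for line in debug_text.splitlines():
        m = RE_RESP_CODE.search(line)
        if m:
            s["resp_code"] = int(m.group(1))
        m = RE_VSA.search(line)
        if m:
            s["vsa_groups"].append(m.group(1))
        m = RE_MATCHED.search(line)
        if m:
            s["matched_groups"].append(m.group(1))
        m = RE_SESSION.search(line)
        if m:
            s["user"], s["session_group"], s["authserver"], s["portal"] = m.groups()
    return s


def check(summary, expected_portal=EXPECTED_PORTAL):
    """Return a list of findings; an empty list means the login is consistent."""
    findings = []
    if summary["resp_code"] != 2:
        findings.append(f"RADIUS response code {summary['resp_code']} is not Access-Accept (2)")
    if not summary["vsa_groups"]:
        findings.append("no Fortinet group-name VSA received: check the RADIUS server's reply attributes")
    if not summary["matched_groups"]:
        findings.append("no user group matched: compare the VSA value with 'set group-name' under config match")
    if summary["portal"] is None:
        findings.append("no SSL VPN session line found: the portal was never assigned")
    else:
        want = expected_portal.get(summary["session_group"])
        if want != summary["portal"]:
            findings.append(
                f"group {summary['session_group']!r} got portal {summary['portal']!r}, "
                f"expected {want!r}: check the authentication-rule order"
            )
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    print(summary)
    print(check(summary) or "OK: user restricted to the expected portal")
```

Run it against the output of the `diagnose debug` commands above for one login attempt; a user who lands on the wrong portal shows up as a mismatch between `session_group` and `portal`, while a missing VSA line points at the RADIUS server configuration rather than the unit.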