This recipe describes how to set up FortiAuthenticator to function as a RADIUS server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the RADIUS client on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as a RADIUS server.
Watch the video
1. Creating the User(s) on FortiAuthenticator |
|
|
From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New. Enter a name for the user (in the example, ckent), enter and confirm a password, and select OK. Select OK again to bypass optional settings. |
 |
|
Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group. |
 |
2. Creating the RADIUS Client on FortiAuthenticator |
|
|
Go to Authentication > RADIUS Service > Clients, and select Create New. Enter a name for the RADIUS Client, set Client name/IP to the IP of the FortiGate, and set a Secret. The Secret is a pre-shared, secure password that the FortiGate will use to authenticate to the FortiAuthenticator. |
 |
|
Be sure to set Authentication method to Password-only authentication (exclude users without a password), and set Realms to local | Local users. |
 |
3. Connecting the FortiGate to the RADIUS Server |
|
|
From the FortiGate GUI, go to User & Device > Authentication > RADIUS Servers, and select Create New. |
|
|
Enter a name for the RADIUS server, enter the IP address of the FortiAuthenticator, and enter the Secret created before. Test the connectivity and enter the credentials for ‘ckent’. The test should come back with a successful connection. |
 |
4. Creating the RADIUS User Group on the FortiGate |
|
|
Go to User & Device > User > User Groups, and select Create New. |
|
|
Enter a name for the user group, and under Remote Groups, select Create New. |
 |
|
Select FAC-RADIUS under the Remote Server dropdown. |
 |
| FAC-RADIUS has been added to the RADIUS group. |  |
5. Configuring the SSL VPN |
|
|
From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal. Disable Split Tunneling. |
 |
|
Go to VPN > SSL > Settings. Under Connection Settings set Listen on Port to 10443. Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1. Under Authentication/Portal Mapping, select Create New. |
|
|
Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal. |
 |
|
Select the prompt at the top of the screen to create a new SSL-VPN policy. Set Source User(s) to the RADIUSgroup user group. Set Outgoing Interface to wan1 and Destination Address to all. Set Service to ALL and ensure that you enable NAT. |
 |
6. Results |
|
|
From a remote device, access the SSL VPN Web Portal. Enter valid RADIUS credentials (in the example, ckent). |
 |
|
‘ckent’ is now successfully logged into the SSL VPN Portal. |
 |
|
From the FortiGate GUI, go to VPN > Monitor > SSL-VPN Monitor to confirm the connection. |
 |
The post RADIUS authentication for SSL VPN with FortiAuthenticator appeared first on Fortinet Cookbook.