SSLVPN with RADIUS using Active Directory and NPS

A common enterprise use case with remote access VPN is to authenticate users against a RADIUS service while distinguishing between multiple user groups. The backend this guide uses is Active Directory on Microsoft Windows Server 2012 R2 on which Microsoft's NPS (Network Policy Server) has been deployed to act as a corporate RADIUS AAA server.

Our configuration will implement the following simple requirements:

AD Group        RADIUS Group    Allowed Destinations
Domain Admins   DomainAdmins    192.168.129.0/24
Domain Users    DomainUsers     192.168.129.12/32
  • Users from Domain Admins should have access to subnet 192.168.129.0/24 in its entirety
  • All other users should only have access to a single host 192.168.129.12/32.
  • All users should have the same portal configuration
  • All users should receive a split-tunnel route for 192.168.0.0/16

This article uses FortiOS 6.0.2.


FortiOS SSLVPN Workflow

FortiOS has simplified mechanisms when it comes to authentication and authorization for VPN connectivity. The following table clarifies how SSL VPN is configured to allow specific interactions with clients:

SSLVPN interaction / configuration required:

Authentication: the user can connect to the portal (web) or to network access
    The user must be a member of at least one group listed in a policy whose source interface is set to “ssl.root”. Whether the user gets web or network access is governed by the assigned portal profile.

Authorization: the user can send traffic and initiate connections to destinations
    The destination must be listed in a policy whose source interface is “ssl.root” and whose source user group includes the user.

Authorization: the user is assigned a specific portal profile
    The portal profile is either the default set under SSL-VPN Settings, or an explicit portal mapping is made on that page for the user's group.

IPv4 policies are central to defining both authentication and authorization for SSL VPN, and they consolidate multiple steps that are often needed on other VPN platforms: the permission to connect and the permission to reach specific destinations are both expressed in IPv4 policies. This keeps things simple when the time comes to understand network access permissions holistically on FortiOS, since the only place one has to look is the IPv4 policy table.


Configure Microsoft NPS

For the purpose of this configuration guide, we are assuming that NPS has been deployed based on Microsoft's recommended best practices (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top).

Configure a client object

The client object designates the IP address used by the firewall to reach the RADIUS server and the shared secret used to secure RADIUS authentication.

Configure the Domain Admins network policy

With the client configured, we will configure two network policies, one for each group already designated:

Overview tab - default settings:

Conditions tab - our first policy is configured to match users that are members of the Domain Admins AD group:

Constraints tab - you can enable PAP if you wish to use the authentication testing features of FortiOS, as the testing feature resorts to PAP as an auth mechanism:

Settings tab - this tab represents the attributes that will be returned if the connection request is accepted. RADIUS supports a large number of standard attributes, and vendors like Fortinet have in addition defined vendor-specific attributes (VSAs). These are listed here: http://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&sliceId=1.

VENDOR Fortinet 12356
BEGIN-VENDOR Fortinet
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
ATTRIBUTE Fortinet-FAC-Auth-Status 11 string
ATTRIBUTE Fortinet-FAC-Token-ID 12 string
ATTRIBUTE Fortinet-FAC-Challenge-Code 15 string
ATTRIBUTE Fortinet-Webfilter-Category-Allow 16 octets
ATTRIBUTE Fortinet-Webfilter-Category-Block 17 octets
ATTRIBUTE Fortinet-Webfilter-Category-Monitor 18 octets
ATTRIBUTE Fortinet-AppCtrl-Category-Allow 19 octets
ATTRIBUTE Fortinet-AppCtrl-Category-Block 20 octets
ATTRIBUTE Fortinet-AppCtrl-Risk-Allow 21 octets
ATTRIBUTE Fortinet-AppCtrl-Risk-Block 22 octets
ATTRIBUTE Fortinet-WirelessController-Device-MAC 23 ether
ATTRIBUTE Fortinet-WirelessController-WTP-ID 24 string
ATTRIBUTE Fortinet-WirelessController-Assoc-Time 25 date
ATTRIBUTE Fortinet-FWN-AVPair 26 string
#
# Integer Translations
#
END-VENDOR Fortinet

To distinguish the group membership of users establishing connections, we will use the VSA Fortinet-Group-Name (ID 1). NPS, like most RADIUS servers, evaluates network policies in top-down order and stops at the first match, so policies are generally ordered from most-specific/highest-privilege at the top to least-specific/lowest-privilege at the bottom. This ordering is what ensures that a member of Domain Admins (who is also a member of Domain Users) is returned the DomainAdmins group rather than DomainUsers.

In the current policy for group Domain Admins, we will configure the VSA vendor=12356, attribute=1 as a string with value “DomainAdmins”:

Press OK when completed to finish configuration for this policy.

Configure the Domain Users network policy

This policy is identical to the Domain Admins policy, with the following differences:

The AD group matched is Domain Users, for which we assign the value “DomainUsers” for the vendor specific attribute.


Configure FortiOS

Moving on to FortiOS, we will be configuring RADIUS authentication, the necessary groups, SSLVPN and finally the policies.

Configure RADIUS authentication

Under User&Device/RADIUS Server, create a new RADIUS server with the address or name of your NPS server along with the shared secret that was defined earlier for the client:

Proceed with testing the connectivity and if you enabled PAP authentication earlier, test with a user credential.

Configure Groups

To match a specific group being sent by our RADIUS server within the VSA Fortinet-Group-Name, we must create distinct groups of type “firewall” which will match on the string we configured on the NPS server for each group.

Under User&Device/User Groups, create a new group, set the remote server to the RADIUS server configured above and set Group Name to the string used earlier. Repeat this process for each of the two groups, as follows:

Configure SSLVPN

Under VPN/SSL-VPN Settings, ensure SSL VPN is configured to listen to the interface(s) on which users will connect. Server certificates can be configured at a later time - FortiOS defaults to using a self-signed certificate:

As all of our users will inherit the same portal object, we leave the portal mapping table empty so that all users fall through to the default portal configuration “full-access”.

Under VPN/SSL-VPN Portals, edit the parameters for portal “full-access”. We are configuring this portal profile for split-tunnel networking for network 192.168.0.0/16 and assigning users IP addresses from subnet 172.31.254.0/24:

Note that portal-level source IP pools take precedence over IP pools configured under SSL-VPN Settings.

Configure Policies

Under Policy&Objects, IPv4 Policy, configure a policy for each group, again in a top-down approach with the most-specific/highest-privilege policy at the top and the least-specific/lowest-privilege policy at the bottom:

Users that are members of Domain Admins will match the policies associated with that group. Note that multiple policies can be configured for a group and will be combined as the permissions for the users of that group. Users will however not inherit permissions from multiple groups, since in this case FortiOS is unaware of any group membership other than the one returned in the RADIUS VSA. This model therefore requires that the complete set of permissions be defined separately for each group. It's possible to combine multiple groups within the same policy to avoid creating an excessively large number of policies. The following example shows a variety of policy arrangements:
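The following FortiOS 6.0 CLI script is an added example that reproduces the GUI steps of this section end to end (RADIUS server, VSA-matched groups, address objects, portal, SSL-VPN settings and the two policies) and finishes with the built-in authentication test. It is not taken from the original article or from Fortinet documentation. The NPS address 192.168.129.10, the shared-secret placeholder, the interface names wan1 and internal, and all object names are assumptions chosen for the example; the subnets, pool, group strings and portal name are the ones used in the article.

```text
# Added example (not from the original article). Assumed values: NPS at
# 192.168.129.10, shared-secret placeholder, interfaces wan1/internal,
# and all object names. FortiOS 6.0 CLI syntax.

# 1. RADIUS server (User&Device/RADIUS Server). auth-type pap is only
#    needed if PAP was enabled on the NPS constraints tab for testing.
config user radius
    edit "NPS"
        set server "192.168.129.10"
        set secret "CHANGE-ME-SHARED-SECRET"
        set auth-type pap
    next
end

# 2. Firewall groups matched on the Fortinet-Group-Name VSA (vendor 12356,
#    attribute 1) that NPS returns in the Access-Accept.
config user group
    edit "DomainAdmins"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "DomainAdmins"
            next
        end
    next
    edit "DomainUsers"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "DomainUsers"
            next
        end
    next
end

# 3. Address objects: client pool, split-tunnel route and destinations.
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 172.31.254.1
        set end-ip 172.31.254.254
    next
    edit "SPLIT_192.168.0.0_16"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "NET_192.168.129.0_24"
        set subnet 192.168.129.0 255.255.255.0
    next
    edit "HOST_192.168.129.12"
        set subnet 192.168.129.12 255.255.255.255
    next
end

# 4. Portal shared by all users. The portal-level ip-pools setting takes
#    precedence over tunnel-ip-pools under vpn ssl settings.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_POOL"
        set split-tunneling enable
        set split-tunneling-routing-address "SPLIT_192.168.0.0_16"
    next
end

# 5. SSL-VPN settings: listen on wan1, no portal mapping, so every user
#    falls through to the default portal.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
end

# 6. Policies, most privileged first. Each group carries its complete set of
#    permissions because FortiOS only knows the single group NPS returned.
config firewall policy
    edit 0
        set name "SSLVPN-DomainAdmins"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "NET_192.168.129.0_24"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "DomainAdmins"
    next
    edit 0
        set name "SSLVPN-DomainUsers"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "HOST_192.168.129.12"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "DomainUsers"
    next
end

# 7. Verify: the test uses PAP and reports the group string returned by NPS.
diagnose test authserver radius NPS pap <username> <password>
```

When run for a Domain Admins member, the final `diagnose test authserver` command should report a successful authentication together with the group name DomainAdmins; a user who is only in Domain Users should be reported with DomainUsers. If the group is missing, check the NPS network policy order and the Settings tab of the matching policy before touching the FortiOS side, since an empty or mismatched Fortinet-Group-Name leaves the user in no firewall group and therefore matching no policy.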