
Author
suthomas1
2019/01/21 05:51:39 (permalink)
0

remote access

All,
In setting up a fortigate unit for remote users to access the local lan of our enterprise,
3 vdoms have been used, with the vdoms serving 3 purposes: vpn termination, secure vdom & root.
The vpn vdom has virtual links created to the vpn vdom & secure vdom.
Questions are:
1) for user authentication with radius, will it use the vpn vdom or the root vdom?
2) If the vpn vdom, how will the routes towards the inside be set up to reach the authentication server?

please help. thank you.
#1
Toshi Esumi
Re: remote access 2019/01/21 09:17:22 (permalink) ☄ Helpful by suthomas1 2019/01/21 17:48:43
0
RADIUS server is configured at each vdom. The other vdoms don't know or don't care what RADIUS IP another vdom has. The vpn vdom needs to have a route to get to the RADIUS server you configured, regardless of whether it's over the internet or an internal interface. If the internal interface is not attached to the vdom but attached to another vdom, you need to have a vdom-link and then a route toward the vdom that has the internal interface.
#2
suthomas1
Re: remote access 2019/01/21 18:02:02 (permalink)
0
Thanks for the response. If the route needs to be via the management interface, does it matter if the management interface resides in root and not on the actual remote access termination vdom?
 
#3
Toshi Esumi
Re: remote access 2019/01/21 19:04:21 (permalink)
0
Do you mean "management interface" as an interface you use for management access, like https and ssh? If so, management access can be any interface at any vdom. As long as your admin privilege is "super_admin", you can hop around vdoms as well as global.
#4
suthomas1
Re: remote access 2019/01/21 19:09:54 (permalink)
0
Yes, one of the interfaces that is labelled as management on the device itself. Is that the case?
#5
Toshi Esumi
Re: remote access 2019/01/21 20:51:34 (permalink) ☄ Helpful by suthomas1 2019/01/21 22:32:33
0
There are different ways to set up MGMT interface(s), like the cookbook below for 6.0 or in another thread in the past. Regardless, whether management access is limited to one vdom or allows global access is decided by the "account profile" of the admin config ("set scope" in the profile it's referring to) of the admin user, not by the interface.
https://cookbook.fortinet.com/vdom-configuration-60/
 
https://forum.fortinet.com/tm.aspx?m=148995
 
#6
suthomas1
Re: remote access 2019/01/21 22:32:36 (permalink)
0
Thanks, this particular client doesn't use a separate vdom for mgmt. Instead the dedicated mgmt port is utilised for mgmt purposes.
Do I need rules to allow traffic over vdom links? And will there be routing on all of the remote access, secure & root vdoms for passing the request across to the radius server?
This is how our client wants it.
 
Remote access vdom - secure vdom - (Network/radius)
 
The secure vdom connects to the secure portion of the network from where radius is reachable.
So should the final routing be done from the secure or root vdom?
 
#7
Toshi Esumi
Re: remote access 2019/01/22 08:06:17 (permalink) ☄ Helpful by suthomas1 2019/01/24 21:18:15
0
If the MGMT interface belongs to the root vdom and the RADIUS that authenticates admin users is reachable only from the "secure" vdom, there obviously needs to be a set of vdom_link, routes and policies at both vdoms, just like connecting two routers/FWs together, with both sides configured at each router/FW.
If you move the MGMT interface to the "secure" vdom, everything happens inside one vdom and you can eliminate most of the above.
 
#8
suthomas1
Re: remote access 2019/01/24 21:21:58 (permalink)
0
How do you do that moving of the mgmt interface to the "secure vdom"? I have tried but do not see the option of changing it.
Also, in the "test connectivity" option for radius it asks for a username & password. Does that username & password have to be on the radius server? I assumed only the server secret is the one defined on the radius server. We are seeing a "server unreachable" error when testing with dummy credentials.
 
Please help. Thanks.
 
 
post edited by suthomas1 - 2019/01/24 21:26:38
#9
Toshi Esumi
Re: remote access 2019/01/24 21:33:03 (permalink) ☄ Helpful by suthomas1 2019/01/24 22:21:26
0
If the "mgmt" interface is referred to somewhere, you might not see the vdom changeable in the GUI as in the cookbook I posted before. You have to remove all references first, including policies, static routes, etc.
If you want to move the RADIUS config to root, you need to move the current interface in the "secure vdom" connecting to the RADIUS to the root vdom as well. Otherwise you have to set all routes and policies at two vdoms over a vdom_link.
It's simple and easy. I wouldn't move what you have now and I would just set up routing over vdom_link.
#10
suthomas1
Re: remote access 2019/01/24 22:21:51 (permalink)
0
Thanks again.
In the "test connectivity" option for radius it asks for a username & password. Does that username & password have to be on the radius server? I assumed only the server secret is the one defined on the radius server.
#11
Toshi Esumi
Re: remote access 2019/01/24 23:52:51 (permalink) ☄ Helpful by suthomas1 2019/01/26 05:29:35
0
Supposed to be the admin user name and password you want to authenticate with. However, the GUI version of "test connectivity" doesn't actually show pass or fail of the user name/pass. If something comes back from RADIUS it would show "success", so it's not much better than just pinging the server from the outgoing interface. In other words, you can put a bogus username/password.
If you really want to "test RADIUS", you have to use a CLI:
# diag test authserver radius <server_name> pap "<user_name>" "<password>"
 
#12
suthomas1
Re: remote access 2019/01/26 05:31:45 (permalink)
0
Thanks again.
Sorry, but where should that admin username & password be defined to use this test connectivity feature?
The connectivity server is the radius server in this case. I have created an entry on the radius which recognises this fortigate's IP address & have specified a shared secret between them.
Am I missing something?
 
#13
Toshi Esumi
Re: remote access 2019/01/27 20:53:31 (permalink) ☄ Helpful by suthomas1 2019/01/28 16:13:02
0
At the RADIUS. From the RADIUS view the FortiGate is one of the NAS. You must have configured the NAS (clients.conf) file. The user/pass are in the users file.
#14
suthomas1
Re: remote access 2019/01/28 16:16:34 (permalink)
0
There is a user group in our AD which is "chemical engg unit". We want this user group to remote in using the vpn client & then successfully get authenticated with Active Directory. Is there any specific configuration required on the AD itself to recognise the firewall trying to access it for this user mapping purpose?
 
 
#15
Toshi Esumi
Re: remote access 2019/01/28 16:28:02 (permalink) ☼ Best Answer by suthomas1 2019/01/28 19:15:45
0
Windows AD itself is not a RADIUS server but LDAP, unless you've set up Windows NPS as RADIUS as described below, or another way possible on Windows server.
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
But I'm not an expert for LDAP or Win NPS. So please ask somebody else for the details if you can't easily find the same conversations on the forum or on the internet. There must be a lot of them available.
#16
suthomas1
Re: remote access 2019/01/28 19:19:17 (permalink)
0
Thank you.
Another question: which interface do the remote access users' vpn requests via forticlient come in on?
Is it on the usual internet-facing link, or is there a separate interface that does this job (either created by us or by the fortigate unit itself)? We came across a blog where there was an incoming interface "vpn" and an outgoing interface "wan". Just trying to understand this.
(In our case, it's only one internet interface & we believe that will be the incoming interface where remote users will come in from.)
 
Please help.
 
#17
Toshi Esumi
Re: remote access 2019/01/29 08:41:14 (permalink)
0
You answered your question yourself. If you traceroute from the internet toward the server IP of the VPN you would see how it gets to the public IP. FGT won't (be able to) generate any publicly accessible IP by itself. You must have configured it.
#18