Integration Guide for FortiGate VPN

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP directory and that it can reach your FortiGate on the network (RADIUS authentication uses UDP port 1812 by default).

Configuring GreenRADIUS for FortiGate VPN

In the GreenRADIUS web admin interface, add the FortiGate VPN as a RADIUS client.

  1. Click the Domain tab
  2. Click the domain name where you want to add the FortiGate VPN as a RADIUS client
  3. Click the RADIUS Clients tab
  4. Enter the IP address of the FortiGate as GreenRADIUS will see it (the address of the FortiGate interface that faces GreenRADIUS), then enter the same RADIUS shared secret twice and click the Add button. Use a long, randomly generated secret: in RADIUS it is the only thing protecting the PAP password in transit between the two systems.

[Screenshot: RADIUS Client Configuration]

Configuring the FortiGate VPN

Add GreenRADIUS as a RADIUS Server

  1. Log in to FortiGate
  2. Open the User & Authentication menu, select RADIUS Servers, and click the "+ Create New" button

[Screenshot: RADIUS Server Configuration]

  3. Configure the following fields:
    • Name: GreenRADIUS
    • Authentication method: Specify, and select PAP. GreenRADIUS must receive the password and OTP in the clear to validate each of them, which CHAP and MS-CHAP cannot provide. In RADIUS, PAP only obfuscates the password with an MD5 stream derived from the shared secret, so use a long random secret and keep the FortiGate-to-GreenRADIUS traffic on a trusted network segment.
    • Primary Server IP/Name: [the IP address of GreenRADIUS]
    • Primary Server Secret: [the same RADIUS secret configured in GreenRADIUS for the FortiGate RADIUS client]
  4. Use the Test Connectivity and Test User Credentials buttons to verify the above settings. For Test User Credentials, enter the password and OTP exactly as a user would at the VPN prompt; a success here proves the RADIUS leg works before any VPN is involved.
  5. Click OK

[Screenshot: RADIUS Server Configuration]

Create a user group

  1. From the User & Authentication menu, select User Groups, and click the "+ Create New" button

[Screenshot: New user group]

  2. Configure the following fields:
    • Name: [as desired, for example, "GRS Authentication"]
    • Type: Firewall
    • Members: [leave this field empty]
    • Remote Groups: Click the "+ Add" button, set Remote Server to "GreenRADIUS" and Groups to "Any". With "Any", every account that GreenRADIUS accepts becomes a member of this group and therefore gets VPN access, so control who may use the VPN by controlling which users are imported into the GreenRADIUS domain.

[Screenshot: New user group]

  3. Click OK
  4. The new user group should now be listed

[Screenshot: New User Group]
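The RADIUS server and user group above, expressed as FortiOS CLI so the result can be reviewed or scripted. This is an added example, not text from the original guide: the address 192.0.2.10, the secret placeholder, the user name "alice" and the timeout values are illustrative, and the diagnose line at the end performs the same check as the Test User Credentials button.

```fortios
# Added example (not from the original guide): CLI equivalent of the GUI steps.
# 192.0.2.10 stands for the GreenRADIUS address; replace the secret with the
# long random value entered on the GreenRADIUS RADIUS Clients tab.
config user radius
    edit "GreenRADIUS"
        set server "192.0.2.10"
        set secret "replace-with-the-shared-secret"
        # PAP is required: GreenRADIUS must see password and OTP in the clear
        # to validate each one; CHAP/MS-CHAP only carry hashes of the password.
        set auth-type pap
        # Users typing an OTP take longer than a password-only login; give the
        # RADIUS exchange more than the 5-second default before it is retried.
        set timeout 15
    next
end

# Global counterpart of the above: how long the FortiGate waits for a remote
# authentication server before the login fails.
config system global
    set remoteauthtimeout 30
end

config user group
    edit "GRS Authentication"
        set group-type firewall
        # Listing the RADIUS server as a member with no match entries is the
        # CLI form of Remote Groups = Any: every account GreenRADIUS accepts is
        # a member of this group.
        set member "GreenRADIUS"
    next
end

# Check from the FortiGate CLI before any VPN is configured. This is the same
# test the Test User Credentials button runs; enter the password and OTP
# exactly as the user will at the VPN prompt.
diagnose test authserver radius GreenRADIUS pap alice <password+OTP>
```

If the diagnose command fails, `diagnose debug application fnbamd -1` followed by `diagnose debug enable` shows the RADIUS request leaving the FortiGate and the Access-Accept or Access-Reject coming back; run `diagnose debug disable` and `diagnose debug reset` afterwards.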

IPsec VPN Configuration

  1. From the VPN menu, select IPsec Tunnels, and click the "+ Create New" button

[Screenshot: New IPsec tunnel]

  2. Configure the following fields:
    • Name: [as desired]
    • Template type: Remote Access
    • Remote device type: FortiClient
  3. Click Next

[Screenshot: IPsec tunnel config]

  4. Configure the following fields:
    • Incoming Interface: [your WAN interface]
    • Authentication method: Pre-shared Key
    • Pre-shared key: [a long, randomly generated string. This is a credential for the VPN gateway itself, shared by every client, and must differ from any user password]
    • User Group: [select the one created above]
  5. Click Next

[Screenshot: IPsec tunnel config]

  6. Configure the following fields:
    • Local Interface: LAN
    • Local Address: [the local network address]
    • Client Address Range: [as desired]
    • Subnet Mask: [your subnet mask]
    • DNS Server: [as desired]
    • Enable IPv4 Split Tunnel: [as desired]
    • Allow Endpoint Registration: [as desired]
  7. Click Next

[Screenshot: IPsec tunnel config]

  8. In the Client Options section, set the options as desired. We recommend leaving Save Password disabled, especially when an OTP is the second factor: a password cached on the device leaves the OTP as the only factor the user still has to present.

[Screenshot: IPsec tunnel config]

  9. Review the configuration, then click Create.

[Screenshot: IPsec tunnel config]

  10. The IPsec integration with GreenRADIUS is now complete. In FortiClient, the required settings are:
    • VPN: IPsec VPN
    • Remote Gateway: [IP address or hostname of your FortiGate]
    • Authentication Method: Pre-shared key, and enter the key configured above
    • Username: [username of the user logging in]

[Screenshot: IPsec FortiClient login]

  11. Try a login on the FortiClient

[Screenshot: FortiClient IPsec login]
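After the wizard finishes, the settings that tie the tunnel to GreenRADIUS live in the phase1 definition. The block below is an added example, not part of the original guide: it shows how to inspect those settings from the FortiGate CLI and what to run while a FortiClient login is attempted. The tunnel name "GRS-IPsec" is a placeholder, and the exact lines the wizard generates vary by FortiOS release.

```fortios
# Added example (not from the original guide). "GRS-IPsec" is a placeholder
# for the tunnel name chosen in the wizard.

# 1. Confirm the tunnel authenticates users against the GreenRADIUS-backed
#    group. Look for: set authusrgrp "GRS Authentication", together with
#    set xauthtype auto (IKEv1 tunnels carry the user login in XAuth) or
#    set eap enable (IKEv2 tunnels carry it in EAP). Either way the user's
#    password and OTP end up in the RADIUS request to GreenRADIUS.
show vpn ipsec phase1-interface GRS-IPsec

# 2. Watch a live login attempt. ike shows the IKE negotiation and the
#    XAuth/EAP exchange with FortiClient; fnbamd shows the RADIUS request
#    to GreenRADIUS and its Access-Accept or Access-Reject.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable
#    ... connect from FortiClient, then stop and clear the debug filters:
diagnose debug disable
diagnose debug reset

# 3. Once a client is connected, list the negotiated gateway and its
#    tunnel so you can see which user and address the session belongs to.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

A rejected login that shows an Access-Reject in the fnbamd output is a GreenRADIUS-side problem (wrong secret, user not imported, bad OTP); a login that never produces a RADIUS request at all is an IKE or pre-shared-key problem and is visible in the ike output instead.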

SSL VPN Configuration

Note: The same user group configured above can be used.

  1. From the VPN menu, select SSL-VPN Settings
  2. Configure the following fields:
    • Enable SSL-VPN: on (the toggle turns green)
    • Listen on Interface(s): [as desired, for example, WAN]
    • Listen on Port: [as desired, for example, 10443]
    • Server Certificate: [select a certificate issued for the FortiGate's public hostname by a CA your clients trust. The factory self-signed certificate produces warnings that train users to click through, which is exactly what a spoofed gateway relies on]
    • Under Authentication/Portal Mapping:
      • Edit "All Other Users/Groups" and set the Portal to "full-access". This catch-all applies to any authenticated user who matches no explicit mapping; in production, consider the more restrictive "web-access" portal here so that only the explicitly mapped GreenRADIUS group receives full tunnel access.
      • Click "+ Create New" and create a mapping for the user group created above, setting the Portal to "full-access"

[Screenshot: SSL VPN configuration]

[Screenshot: New mapping]

  3. Click Apply. The SSL-VPN Settings page warns if no firewall policy uses the ssl.root interface; an IPv4 policy from ssl.root to your LAN interface, with the SSL-VPN client address range and the user group as Source, is required before connected clients can reach internal resources.
  4. On the FortiClient, configure the required details below:
    • VPN: SSL VPN
    • Remote Gateway: [IP address or hostname of your FortiGate]
    • Customize port: [the port configured above]

[Screenshot: SSL VPN on FortiClient]

  5. Try a login on the FortiClient

[Screenshot: SSL VPN login]
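The SSL-VPN settings above, and the firewall policy that the settings page only warns about, as FortiOS CLI. This is an added example, not text from the original guide: the certificate name "vpn.example.com", the interface names "wan1" and "internal" and the policy name are placeholders. It differs from the GUI steps in one deliberate way, noted in the comments: the catch-all portal is set to "web-access" rather than "full-access".

```fortios
# Added example (not from the original guide). Placeholders: "vpn.example.com"
# (server certificate), "wan1" (listening interface), "internal" (LAN).
config vpn ssl settings
    set status enable
    set source-interface "wan1"
    set source-address "all"
    set port 10443
    # Use a certificate your clients trust, not the factory self-signed one.
    set servercert "vpn.example.com"
    # The GUI steps map "All Other Users/Groups" to full-access. Hardened
    # alternative: give the catch-all the restricted web portal so that only
    # the explicitly mapped GreenRADIUS group receives full tunnel access.
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "GRS Authentication"
            set portal "full-access"
        next
    end
end

# Without a policy from ssl.root, clients authenticate but reach nothing.
# SSLVPN_TUNNEL_ADDR1 is the default client address pool object.
config firewall policy
    edit 0
        set name "SSL-VPN to LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        # Narrow "all" to an address object covering your internal subnets.
        set dstaddr "all"
        # Tying the policy to the group means only sessions authenticated
        # through GreenRADIUS match it.
        set groups "GRS Authentication"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Checks: list connected SSL-VPN sessions, and trace a login if one fails.
get vpn ssl monitor
diagnose debug application sslvpn -1
diagnose debug enable
# ... attempt the login from FortiClient, then:
diagnose debug disable
diagnose debug reset
```

The authentication-rule, not the firewall policy, decides which portal a user lands in; the policy decides what the tunnel may reach. Keeping the group on both means a user who somehow authenticates outside GreenRADIUS gets neither full access nor a route into the LAN.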


Updated 2023-09-02
© 2024 Green Rocket Security Inc. All rights reserved.