Example Integration

VPN SERVER CONFIGURATION

Fortigate SSL VPN Integration

Adding a Radius Server

We add Coslat as RADIUS Server to enable two factor authentication (2FA) in the Fortigate SSL VPN. For this;

Click User & Device -> RADIUS Servers -> Create New button.

Coslat 2fa

Name: Descriptive name (Coslat)

Primary Server IP / Name: Coslat 2FA ip address.

Primary Server Secret: coslat (We enter the Client Shared Secret that you defined when adding NAS / Client in Coslat 2FA.

Coslat 2fa

We click Test Connectivity to check the settings.

User: Username we opened on Coslat 2FA.

Password: The password of the user in Coslat 2FA.

We click on the test button.

Coslat 2fa

If we get the result below, our settings are correct and communication is provided.

Coslat 2fa

Adding a User Group

We add an SSL VPN user group to define the required permissions. We click User & Device -> User Groups -> Create New.

Coslat 2fa

Name: Descriptive name (Coslat_SSL_Group)

Type: Firewall

Remote Groups: We click Create New here.

Coslat 2fa

In the Add Group Match section, we choose which authentication server the users included in this group will come from.

(NOTE: If a group information will come from the server together with the remote server, we can select it here. You can assign special groups to users with + Users Attribute in the Users tab in the Coslat and you can match these groups here and apply different rules on fortigate.)

Remote Server: COSLAT 2FA

Coslat 2fa

Click OK and add the group.

Setting up the Group on VPN

We add the group we created to the SSL-VPN settings.

VPN -> SSL-VPN We click Settings.

Click Authentication / Portal Mapping -> Create New.

Coslat 2fa

Users / Groups: We select Coslat_SSL_Group that we created before.

Portal: We choose the portal we want to use.

Coslat 2fa

Click Apply and save the settings.

Firewall Policy Settings

Firewall rules must be defined for the VPN users to access the internal network and the internet.

For Access to Local Network;

Click Policy & Objects -> IPv4 Policy -> Create New.

Name: Descriptive name (SSL_VPN_Users)

Incoming Interface: SSL-VPN Tunnel Interface (ssl.root)

Outgoing Interface: LAN

Source: SSLVPN_TUNNEL_ADDR1 and we add the group we created earlier. (Coslat_ssl_group)

(NOTE: When adding groups here, we can apply different rules if there are different groups we match with Add Group Match.)

Destination Address: We specify the target to be reached in the internal network. (ALL)

Service: We choose which ports will be accessed. (ALL)

Coslat 2fa

VPN users for Internet Access;

Click Policy & Objects -> IPv4 Policy -> Create New.

Name: Descriptive name (SSL_VPN_Users)

Incoming Interface: SSL-VPN Tunnel Interface (ssl.root)

Outgoing Interface: WAN

Source: SSLVPN_TUNNEL_ADDR1 and we add the group we created earlier. (Coslat_ssl_group)

(NOTE: When adding groups here, we can apply different rules if there are different groups that we match with Add Group Match.)

Destination Address: ALL

Service: We choose which ports will be accessed. (ALL)

Coslat 2fa

After the VPN users have access to the internet, they can now enter their passwords and enter a connection by entering the PIN code on the second screen that comes up.

Sample entry screen ;

Coslat 2fa

With the configuration, even if the VPN passwords of the users are stolen, the PIN code must also be known in order to establish a connection.