commit 9c71ee330d767501523a5788e4c12001da07e051 Author: marco Date: Wed Nov 12 15:35:47 2025 +0100 Add readme.md diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..37b8a2a --- /dev/null +++ b/readme.md 
@@ -0,0 +1,163 @@ + +# FortiGate 100F Cluster – IPsec VPN met Entra ID (SSO via SAML) + +## 🧩 Overzicht +Gebruikers verbinden via IPsec VPN naar het FortiGate-cluster met hun Entra ID-account. +De FortiGate vertrouwt op Entra ID als *SAML Identity Provider (IdP)*. +De FortiClient VPN app gebruikt SAML-authenticatie en ontvangt dynamisch de aanmeld-URL. + +--- + +## 1️⃣ Entra ID – App registratie + +1. Meld aan bij [https://entra.microsoft.com](https://entra.microsoft.com) +2. Ga naar **Applications > App registrations > New registration** + - **Name:** `FortiGate VPN SSO` + - **Supported account types:** Single tenant + - **Redirect URI (Web):** + ``` + https://:443/saml/sp/acs + ``` +3. Klik **Register** + +### 1.1 SAML instellingen +1. Open de nieuwe app → **Single sign-on** → kies **SAML** +2. Bij **Basic SAML Configuration:** + - **Identifier (Entity ID):** `https:///saml/sp` + - **Reply URL (ACS URL):** `https://:443/saml/sp/acs` + - **Sign on URL:** `https://` +3. **User Attributes & Claims:** laat standaard (“user.userprincipalname”) +4. **SAML Signing Certificate:** download **Federation Metadata XML** + +### 1.2 Toegang & gebruikers +Voeg onder **Enterprise Applications > Users and groups** de groep(en) of gebruiker(s) toe die mogen inloggen. + +--- + +## 2️⃣ FortiGate – SAML IdP configureren + +Upload het metadata-bestand en maak de IdP-entry aan: + +```bash +config user saml + edit "entra-sso" + set cert "Fortinet_Factory" + set entity-id "https:///saml/sp" + set single-sign-on-url "https://:443/saml/sp/acs" + set idp-entity-id "https://sts.windows.net//" + set idp-single-sign-on-url "https://login.microsoftonline.com//saml2" + set idp-cert "azuread-sso.crt" + set user-name "userprincipalname" + next +end +``` + +💡 **azuread-sso.crt** importeer je onder *System → Certificates → Import → Remote CA Certificate* (uit het metadata-XML van Entra ID). 
+ +Controleer met: +```bash +show user saml +``` + +--- + +## 3️⃣ IPsec-tunnel aanmaken (Phase 1 + 2) + +**GUI → VPN → IPsec Tunnels → Create New → Custom.** + +### Phase 1 +| Instelling | Waarde | +|-------------|---------| +| **Name** | vpn-entra | +| **Remote Gateway** | Dynamic IP Address | +| **Interface** | WAN1 | +| **Authentication Method** | SAML User | +| **SAML Server** | entra-sso | +| **Mode** | Aggressive | +| **IKE Version** | v2 | +| **Proposal** | AES256/SHA256/DH14 | +| **DPD/Keepalive** | standaard | + +### Phase 2 +| Instelling | Waarde | +|-------------|---------| +| **Name** | vpn-entra-p2 | +| **Phase1 Interface** | vpn-entra | +| **Local Address** | 0.0.0.0/0 | +| **Remote Address** | 0.0.0.0/0 | +| **Proposal** | AES256/SHA256 | + +--- + +## 4️⃣ Firewall user-groep koppelen + +```bash +config user group + edit "vpn-entra-group" + set member "entra-sso" + next +end +``` + +--- + +## 5️⃣ Policy voor VPN-verkeer + +```bash +config firewall policy + edit 0 + set name "VPN_to_LAN" + set srcintf "vpn-entra" + set dstintf "lan" + set srcaddr "all" + set dstaddr "all" + set action accept + set schedule always + set service ALL + set nat enable + set groups "vpn-entra-group" + next +end +``` + +--- + +## 6️⃣ FortiClient VPN instellen + +FortiClient (VPN-only versie 7.4+) → **Remote Access → IPsec VPN → Add New** + +| Veld | Waarde | +|------|---------| +| **Connection Name** | FortiGate SSO VPN | +| **VPN Type** | IPsec | +| **Remote Gateway** | `https://` | +| **Authentication** | SSO with SAML | +| **Username/Password** | Leeg laten | +| **Group Name (ID)** | vpn-entra (optioneel) | + +Test → je wordt doorgestuurd naar Microsoft login.microsoftonline.com. + +--- + +## 7️⃣ Test & troubleshoot + +- Controleer aanmeld-URL: + `https://:443/saml/sp/test` +- FortiGate CLI-debug: + ```bash + diagnose debug enable + diagnose debug application ike -1 + ``` +- Controleer dat “SAML assertion” wordt ontvangen na login. 
+ +--- + +## ✅ Resultaat + +Na succesvolle Entra-ID-authenticatie krijgt de gebruiker een IPsec-tunnel met policy-gebaseerde toegang. +Aanpassing van toegangsrechten doe je in Entra ID via groepslidmaatschap. + +--- + +© 2025 Screen GP Europe – ICT Dept. +Documentversie: 1.0 – Auteur: Marco Voskuil
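Review bot: every URL in the README has lost its host placeholder, so the document cannot be followed as committed: `https://:443/saml/sp/acs`, `https://sts.windows.net//` and `https://login.microsoftonline.com//saml2` are missing the FortiGate FQDN and the Entra tenant ID (the angle-bracket placeholders were most likely swallowed by the markdown renderer). Replace them with visible placeholders inside backticks, for example `https://<fortigate-fqdn>:443/saml/sp/acs` and `https://sts.windows.net/<tenant-id>/`. Two smaller points in the same hunk: the Phase 1 table lists `Mode | Aggressive` next to `IKE Version | v2`, but main/aggressive mode is an IKEv1 concept and has no meaning for IKEv2, so that row should be dropped to avoid confusion; and the `VPN_to_LAN` policy combines `set srcaddr "all"`, `set dstaddr "all"` and `set service ALL` with `set nat enable`, which gives every authenticated SSO user unrestricted access to the LAN while the "Resultaat" section suggests access is governed by Entra group membership. Either label that policy as a minimal example and recommend a narrower destination address object and service list, or document that the Entra-side user/group assignment in 1.2 is the only access gate, since `set member "entra-sso"` places every user the IdP authenticates into `vpn-entra-group`. The troubleshooting section enables IKE debugging but never shows how to turn it off again; add the matching disable step so readers do not leave verbose debugging running on the cluster.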