Add readme.md
readme.md (new file)
# FortiGate 100F Cluster – IPsec VPN with Entra ID (SSO via SAML)

## 🧩 Overview

Users connect to the FortiGate cluster over IPsec VPN with their Entra ID account.

The FortiGate trusts Entra ID as the *SAML Identity Provider (IdP)*; the FortiGate itself acts as the SAML Service Provider (SP).

The FortiClient VPN app uses SAML authentication and receives the sign-in URL dynamically from the FortiGate at connection time, so no IdP URL is configured on the client.

---
## 1️⃣ Entra ID – App registration

1. Sign in at [https://entra.microsoft.com](https://entra.microsoft.com)
2. Go to **Applications > App registrations > New registration**
   - **Name:** `FortiGate VPN SSO`
   - **Supported account types:** Single tenant
   - **Redirect URI (Web):** the FortiGate's assertion consumer (ACS) URL:
     ```
     https://<fortigate-fqdn>:<port>/remote/saml/login
     ```
3. Click **Register**

`<port>` is the TCP port on which the FortiGate serves its SAML SP endpoints (on FortiOS 7.4 this is the remote-access/SSL VPN port, for example 10443; check the release notes of your firmware). It must differ from the admin HTTPS port, and every URL in this document must use the same scheme, host name and port, because Entra ID and the FortiGate compare them literally.

### 1.1 SAML settings

1. Open the app under **Applications > Enterprise applications** (the registration created it there as well) → **Single sign-on** → choose **SAML**
2. Under **Basic SAML Configuration:**
   - **Identifier (Entity ID):** `https://<fortigate-fqdn>:<port>/remote/saml/metadata/` (trailing slash included)
   - **Reply URL (ACS URL):** `https://<fortigate-fqdn>:<port>/remote/saml/login`
   - **Sign on URL (optional):** `https://<fortigate-fqdn>:<port>/remote/saml/login`
   - **Logout URL:** `https://<fortigate-fqdn>:<port>/remote/saml/logout`
3. **User Attributes & Claims:** keep **Unique User Identifier (Name ID)** = `user.userprincipalname`. Add a claim with name `username` (namespace left empty) and value `user.userprincipalname`; for group-based access add a group claim (*Groups assigned to the application*, source attribute *Group ID*) and rename it to `group`. The claim *names* must match `set user-name` and `set group-name` on the FortiGate exactly; with the default claim set, the UPN is emitted under a long URI name that the FortiGate will not find.
4. **SAML Signing Certificate:** download the **Federation Metadata XML**. It contains the three IdP values needed in section 2: the IdP entity ID (`https://sts.windows.net/<tenant-id>/`), the single sign-on URL and the Base64 signing certificate.

### 1.2 Access & users

Under **Enterprise applications > Users and groups** add the group(s) or user(s) who are allowed to sign in.

Also set **Properties > Assignment required?** to **Yes**; otherwise every account in the tenant receives a valid assertion and the FortiGate user group is the only thing limiting access. Conditional Access policies (MFA, compliant device) attached to this enterprise application apply to the VPN login.

---
## 2️⃣ FortiGate – configure the SAML IdP

First import the Entra ID signing certificate from the metadata XML under *System → Certificates → Create/Import → Remote Certificate*. It is a self-signed leaf certificate, not a CA, so it must not be imported as a CA certificate. The GUI names imported remote certificates `REMOTE_Cert_1`, `REMOTE_Cert_2`, and so on; `azuread-sso.crt` below is the name used in this document, so set `idp-cert` to the actual name (`show vpn certificate remote` lists them). Then create the SAML server entry:

```bash
config user saml
    edit "entra-sso"
        # SP certificate used to sign requests; the cluster's own CA-issued server certificate is preferable
        set cert "Fortinet_Factory"
        # SP identifiers: must equal the Identifier / Reply URL / Logout URL entered in Entra ID, byte for byte
        set entity-id "https://<fortigate-fqdn>:<port>/remote/saml/metadata/"
        set single-sign-on-url "https://<fortigate-fqdn>:<port>/remote/saml/login"
        set single-logout-url "https://<fortigate-fqdn>:<port>/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "azuread-sso.crt"
        # claim names exactly as configured in Entra ID (User Attributes & Claims)
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end
```

The `user saml` entry, the certificates and the IPsec and policy configuration are synchronised between the cluster members by FGCP. `<fortigate-fqdn>` must resolve to the address clients reach the cluster on (the shared WAN address), not to a per-unit HA management address, because the SAML URLs are bound to that host name.

Check with:

```bash
show user saml
show vpn certificate remote
```

---
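The `idp-*` values above are copied from the Federation Metadata XML downloaded in step 1.1, and the SP values must be identical to what was entered in Entra ID. The following added example (not part of this README and not a Fortinet tool) parses such a metadata file with the Python standard library and renders the matching `config user saml` block, so the IdP entity ID, SSO URL and certificate are taken verbatim instead of being retyped. The metadata embedded in it is a constructed sample with a placeholder tenant ID and a non-functional certificate value; `vpn.example.com`, port `10443` and the certificate name `REMOTE_Cert_1` are assumptions for the example.

```python
"""Turn Entra ID federation metadata into FortiGate `config user saml` IdP settings."""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Entra ID's FederationMetadata.xml. The tenant ID
# is a placeholder and the certificate value is truncated, so it is not a usable key.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC8DCCAdigAwIBAgIQEXAMPLEONLY
          NOTAREALCERTIFICATE==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the IdP entity ID, Redirect-binding SSO/SLO URLs and signing certs out of metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this really IdP metadata?")

    def location(service: str) -> Optional[str]:
        # The FortiGate sends AuthnRequest and LogoutRequest with the HTTP-Redirect binding.
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == HTTP_REDIRECT:
                return el.get("Location")
        return None

    sso_url = location("SingleSignOnService")
    if sso_url is None:
        raise ValueError("no SingleSignOnService with HTTP-Redirect binding")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' may sign
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # strip line breaks and indentation
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "slo_url": location("SingleLogoutService"),
        "certs": certs,  # more than one during a signing-key rollover: import every one
    }


def to_pem(b64: str) -> str:
    """Wrap a bare Base64 certificate into PEM for the Remote Certificate import."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def render_fortios(idp: dict, name: str, fqdn: str, port: int, idp_cert: str) -> str:
    """Render the FortiOS CLI block; fqdn/port are the SP values also entered in Entra ID."""
    sp = f"https://{fqdn}:{port}/remote/saml"
    lines = [
        "config user saml",
        f'    edit "{name}"',
        '        set cert "Fortinet_Factory"',
        f'        set entity-id "{sp}/metadata/"',
        f'        set single-sign-on-url "{sp}/login"',
        f'        set single-logout-url "{sp}/logout"',
        f'        set idp-entity-id "{idp["entity_id"]}"',
        f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
    ]
    if idp["slo_url"]:
        lines.append(f'        set idp-single-logout-url "{idp["slo_url"]}"')
    lines += [
        f'        set idp-cert "{idp_cert}"',
        '        set user-name "username"',  # must equal the claim names configured in Entra ID
        '        set group-name "group"',
        "        set digest-method sha256",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    for cert in idp["certs"]:
        print(to_pem(cert))  # paste into System > Certificates > Remote Certificate
    # vpn.example.com, 10443 and REMOTE_Cert_1 are assumed values for this example
    print(render_fortios(idp, "entra-sso", "vpn.example.com", 10443, "REMOTE_Cert_1"))
```

Run it against the real `FederationMetadata.xml` by reading the file into `parse_idp_metadata`; the script deliberately fails loudly when the file is SP metadata or lacks a signing certificate, which are the two most common wrong downloads.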
## 3️⃣ Create the IPsec tunnel (Phase 1 + 2)

**GUI → VPN → IPsec Tunnels → Create New → Custom.**

SAML sign-in for dialup IPsec runs over IKEv2 with EAP: the FortiGate proves its own identity with a certificate, and the user is authenticated by the SAML server through the user group of section 4. Main/Aggressive mode exists only in IKEv1 and does not apply to this tunnel.

### Phase 1

| Setting | Value |
|---------|-------|
| **Name** | vpn-entra |
| **Remote Gateway** | Dialup User |
| **Interface** | WAN1 |
| **IKE Version** | 2 |
| **Mode Config** | enabled: assign a client IP range and DNS, split tunnelling for the LAN subnets |
| **Authentication Method (gateway)** | Signature, with a certificate for `<fortigate-fqdn>` that the clients trust |
| **EAP** | enabled, EAP identity *send-request* |
| **User Group** | vpn-entra-group (section 4), whose member is the SAML server entra-sso |
| **Proposal** | AES256/SHA256, DH group 14 |
| **DPD/Keepalive** | default (on idle) |

### Phase 2

| Setting | Value |
|---------|-------|
| **Name** | vpn-entra-p2 |
| **Phase 1 Interface** | vpn-entra |
| **Local Address** | 0.0.0.0/0 |
| **Remote Address** | 0.0.0.0/0 |
| **Proposal** | AES256/SHA256 |

The 0.0.0.0/0 selectors are normal for a dialup tunnel with Mode Config: the client only holds the address the FortiGate assigns it, and what it may reach is decided by the firewall policy in section 5 (and the split-tunnel routes it receives).

---
## 4️⃣ Link the firewall user group

The group's member is the SAML server: every account that presents a valid assertion from entra-sso is a member, so who may connect is decided in Entra ID (section 1.2). To restrict the group on the FortiGate side to one Entra ID group as well, add a `config match` entry under the group with `set server-name "entra-sso"` and `set group-name "<entra-group-object-id>"`, where the value is the object ID carried in the `group` claim.

```bash
config user group
    edit "vpn-entra-group"
        set member "entra-sso"
    next
end
```

---
## 5️⃣ Policy for VPN traffic

Scope the policy to what VPN users actually need: `srcaddr` is the Mode Config client range, `dstaddr` the LAN subnets or hosts they may reach, and `service` the required services rather than ALL. The names `vpn-entra-clients` and `lan-subnets` below are placeholder address objects; create them first under *Policy & Objects → Addresses*. `set groups` makes this an identity-based policy: traffic from the tunnel is only accepted for users who are members of `vpn-entra-group`. Source NAT is left off: when the FortiGate is the LAN's default gateway (the usual case) it routes the client range back itself, and NAT would hide the client IP in LAN-side logs and break per-user attribution. Enable it only if LAN hosts have no route back to the client range.

```bash
config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "vpn-entra"
        set dstintf "lan"
        set srcaddr "vpn-entra-clients"
        set dstaddr "lan-subnets"
        set action accept
        set schedule always
        set service ALL
        set groups "vpn-entra-group"
        set logtraffic all
    next
end
```

---
## 6️⃣ Configure FortiClient VPN

FortiClient (VPN-only edition, 7.4 or later) → **Remote Access → IPsec VPN → Add New**

| Field | Value |
|-------|-------|
| **Connection Name** | FortiGate SSO VPN |
| **VPN Type** | IPsec VPN |
| **Remote Gateway** | `<fortigate-fqdn>` (host name only, no `https://`; it must match the name in the gateway certificate) |
| **Authentication** | SAML single sign-on |
| **Username/Password** | leave empty |
| **Group Name (ID)** | vpn-entra (optional) |

Test: FortiClient opens a browser window that is redirected to `login.microsoftonline.com`; after sign-in (and MFA, if Conditional Access requires it) the IKEv2 tunnel comes up. The client never needs the IdP URL, the FortiGate hands it out at connection time. If the gateway certificate is not trusted by the client, FortiClient warns or refuses the connection; that warning must not be clicked through in production.

---
## 7️⃣ Test & troubleshoot

- Retrieve the SP metadata the FortiGate publishes and compare it with what was entered in Entra ID (entity ID and ACS URL must be identical, including port and trailing slash):
  `https://<fortigate-fqdn>:<port>/remote/saml/metadata/`
- FortiGate CLI debug (`samld` is the SAML daemon, `ike` the IKEv2 side; stop with `diagnose debug disable` and `diagnose debug reset`):

```bash
diagnose debug application samld -1
diagnose debug application ike -1
diagnose debug enable
```

- Check that the SAML assertion is received after login: `samld` logs the parsed response, including the `username` and `group` attributes it extracted; `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show whether the IKEv2 SA and phase 2 came up.
- Typical failures: Entra ID shows `AADSTS50011` (reply URL mismatch) when the ACS URL differs from the Reply URL; the assertion is rejected when its Audience does not equal `entity-id`; an empty user name means the claim name does not match `set user-name`; "not yet valid" or "expired" points at clock drift, so keep NTP enabled on both cluster members; a user who is not assigned to the enterprise application is refused by Entra ID before any assertion is issued (with *Assignment required* on).
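Most of the failures listed above are mismatches between the assertion Entra ID posts and the SP values in `config user saml`. The following added example (not part of this README and not a Fortinet tool) runs the structural checks a SAML SP performs on a Response: status, Destination, Issuer, Audience, validity window with clock skew, presence of a Signature, and the user claim name. It does not verify the XML signature itself (that needs the IdP certificate and an XML-DSig library), so it is a troubleshooting aid next to `samld` output, not a replacement for the FortiGate's verification. The Response embedded in it is a constructed sample; `vpn.example.com:10443`, the tenant ID and the user are assumed values.

```python
"""Structural checks on a SAML Response against the FortiGate's SP settings."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the FortiGate of section 2 expects; vpn.example.com:10443 is an assumed FQDN/port.
SP = "https://vpn.example.com:10443/remote/saml"
EXPECTED = {
    "sp_entity_id": f"{SP}/metadata/",  # set entity-id
    "acs_url": f"{SP}/login",           # set single-sign-on-url
    "idp_entity_id": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "user_attr": "username",            # set user-name
}
NOW = datetime(2025, 1, 15, 10, 1, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)  # a clock far enough off to trip the expiry check

# Constructed Response in the shape Entra ID posts to the ACS; the signature is a stub.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2025-01-15T10:00:00.123Z" Destination="{SP}/login">
  <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-15T10:00:00.123Z">
    <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-01-15T09:55:00Z" NotOnOrAfter="2025-01-15T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP}/metadata/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value: Optional[str]) -> Optional[datetime]:
    """Parse SAML UTC timestamps, with or without Entra ID's fractional seconds."""
    if not value:
        return None
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        dt += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return dt


def check_saml_response(xml_text: str, expected: dict, now: datetime,
                        skew: timedelta = timedelta(minutes=2)) -> List[str]:
    """Return the mismatches an SP would reject on; empty list means structurally acceptable."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append(f"status is not Success: {None if code is None else code.get('Value')}")
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != single-sign-on-url {expected['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return problems

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} != idp-entity-id {expected['idp_entity_id']!r}")
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature element")

    # Audience must equal the SP entity-id exactly (scheme, host, port, trailing slash).
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected["sp_entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not contain entity-id {expected['sp_entity_id']!r}")

    # Validity window, allowing a little clock skew between IdP and FortiGate.
    conditions = assertion.find("saml:Conditions", NS)
    not_before = parse_saml_time(conditions.get("NotBefore")) if conditions is not None else None
    not_after = parse_saml_time(conditions.get("NotOnOrAfter")) if conditions is not None else None
    if not_before and now + skew < not_before:
        problems.append(f"assertion not yet valid (NotBefore {not_before.isoformat()}); check NTP")
    if not_after and now - skew >= not_after:
        problems.append(f"assertion expired (NotOnOrAfter {not_after.isoformat()}); check NTP")

    # The user claim is looked up by its Name; a default-claim URI name would not match.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if expected["user_attr"] not in attrs:
        problems.append(f"no attribute named {expected['user_attr']!r}; claims present: {sorted(attrs)}")
    return problems


if __name__ == "__main__":
    print("matching SP config:", check_saml_response(SAMPLE_RESPONSE, EXPECTED, NOW) or "no problems")
    # The two mistakes this setup is most prone to: a wrong SP entity ID and a claim name
    # that does not match `set user-name`.
    wrong = dict(EXPECTED, sp_entity_id="https://vpn.example.com/saml/sp", user_attr="userprincipalname")
    for problem in check_saml_response(SAMPLE_RESPONSE, wrong, NOW):
        print("-", problem)
```

To use it on a real login, capture the `SAMLResponse` form field from the browser's developer tools, Base64-decode it, and pass the XML to `check_saml_response` together with the values from `show user saml`; every line it prints corresponds to one setting to correct on either side.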
## ✅ Result

After successful Entra ID authentication the user gets an IPsec tunnel with policy-based access.

Access rights are managed in Entra ID through group membership: assignment to the enterprise application decides who can sign in, and the `group` claim, if matched by the FortiGate user group, decides which policy applies. Conditional Access policies (MFA, compliant device) on the enterprise application apply to the VPN login as well.

---

© 2025 Screen GP Europe – ICT Dept.

Document version: 1.0 – Author: Marco Voskuil