How can fixed address assignment be implemented in SSLVPN through FreeRadius???

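Problem description: after testing the Radius account on the Fortigate, the echoed output shows the correct Framed-IP-Address attribute, but the remote account does not get the specified IP address???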
 
 
Fortigate 6.2.1: echoed output when testing the user's authentication:
AVP: l=6 t=Service-Type(6) Value: 2
AVP: l=6 t=Framed-Protocol(7) Value: 1
AVP: l=6 t=Framed-IP(8) Value: 10.10.10.99
 
FreeRadius: user file configuration
jizhiming Cleartext-Password := "jizhiming"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.10.10.99
 
Fortigate SSLVPN configuration:
 
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN-IPPOOL" #10.10.10.0/24
        set split-tunneling-routing-address "vpn-to-local"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN-IPPOOL" #10.10.10.0/24
    set port 4433
    set source-interface "wan2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN"
            set portal "full-access"
        next
    end
end
 
IP address obtained by the SSLVPN user:
 

FortiGate-100D # get vpn ssl monitor 
SSL VPN Login Users:
 Index User Auth Type Timeout From HTTP in/out HTTPS in/out
 0 jizhiming 2(1) 294 192.168.2.206 0/0 0/0
 
SSL VPN sessions:
 Index User Source IP Duration I/O Bytes Tunnel/Dest IP 
 0 jizhiming 192.168.2.206 28 98/123 10.10.10.1

 

liweifeng - Fortinet-李威峰


SSLVPN:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-mode user-group //IP address assignment mode: based on user group, that is, assigned from the remote Radius
        set split-tunneling-routing-address "192.168.20.0/24"
    next
end
IPSec VPN:
config vpn ipsec phase1-interface
    edit "FortiClient"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set mode-cfg enable
        set comments "VPN: FortiClient (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPNGROUP"
        set assign-ip-from usrgrp //At this point the VPN client's virtual IP is taken from the Radius reply packet
        set ipv4-start-ip 192.168.30.1
        set ipv4-end-ip 192.168.30.254
        set dns-mode auto
        set ipv4-split-include "192.168.20.0/24"
        set client-keep-alive enable
    next
end
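
Added example, not part of the thread and not Fortinet or FreeRADIUS code: a Python check that decodes the Access-Accept AVPs shown in the question (RFC 2865 type/length/value layout) and compares Framed-IP-Address with the tunnel IP reported by get vpn ssl monitor. The sample packet is constructed with a zeroed authenticator, and the function names are this example's own.

```python
import ipaddress
import struct

# RFC 2865 attribute types that appear in the FortiGate test output above.
ATTR_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address"}

def parse_access_accept(packet: bytes) -> dict:
    """Decode the 4-byte attributes above; the Response Authenticator is not verified."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]  # alen includes the 2 header bytes (l=6)
        value = packet[pos + 2:pos + alen]
        if atype in ATTR_NAMES and len(value) == 4:
            number = int.from_bytes(value, "big")
            attrs[ATTR_NAMES[atype]] = str(ipaddress.IPv4Address(number)) if atype == 8 else number
        pos += alen
    return attrs

def tunnel_ips(monitor_text: str) -> dict:
    """Map user -> tunnel IP from the 'SSL VPN sessions' table of the monitor output."""
    sessions, in_sessions = {}, False
    for line in monitor_text.splitlines():
        fields = line.split()
        if line.strip().startswith("SSL VPN sessions"):
            in_sessions = True
        elif in_sessions and len(fields) >= 6 and fields[0].isdigit():
            sessions[fields[1]] = fields[-1]
    return sessions

def check_assignment(user: str, packet: bytes, monitor_text: str):
    """Return (RADIUS-assigned IP, tunnel IP, whether they match) for one user."""
    expected = parse_access_accept(packet).get("Framed-IP-Address")
    actual = tunnel_ips(monitor_text).get(user)
    return expected, actual, expected is not None and expected == actual

# Constructed sample: an Access-Accept carrying the three AVPs from the question
# (zeroed authenticator) and the session lines quoted from the question's monitor output.
SAMPLE_ATTRS = bytes.fromhex("060600000002" "070600000001" "08060a0a0a63")
SAMPLE_PACKET = struct.pack("!BBH", 2, 1, 20 + len(SAMPLE_ATTRS)) + bytes(16) + SAMPLE_ATTRS
SAMPLE_MONITOR = ("SSL VPN Login Users:\n 0 jizhiming 2(1) 294 192.168.2.206 0/0 0/0\n"
                  "SSL VPN sessions:\n 0 jizhiming 192.168.2.206 28 98/123 10.10.10.1\n")
```

On the question's data, check_assignment("jizhiming", SAMPLE_PACKET, SAMPLE_MONITOR) reports a mismatch: the server returned 10.10.10.99 but the tunnel received 10.10.10.1 from the pool.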
 
 
