Chong_Yoon_Fui_FTNT
Staff & Editor
June 12, 2020

Technical Tip: How to assign IP address in custom IP pool source


Description

This article describes what to do when an LDAP group user does not match the intended authentication-rule, and how to make sure the user is assigned an IP address from the custom source IP pool.

Scope

FortiGate.

Solution

Assume the SSL VPN is set up as described below, and compare the test result for each situation.

  1. The firewall policy includes both a group object and a user object, and the authentication-rule contains only the group object:

  • When an LDAP user connects to the SSL VPN, the user is matched to the default portal.
    This means the user does not get an IP address from the custom source IP pool.

  2. The firewall policy includes both a group object and a user object, and the authentication-rule contains only the user object:

  • When an LDAP user connects to the SSL VPN, the user is matched to the custom portal.
    This means the user is assigned an IP address from the custom source IP pool.

 

The difference between the two cases is whether the object matched in the firewall policy also appears in the authentication-rule.
In the first case, the user was not assigned an address from the custom source IP pool because the firewall policy matched the user object first, and the authentication-rule contained no user object to match against.
Conversely, if only group objects exist in the firewall policy and the authentication-rule also contains those group objects, the user obtains an IP address from the custom source IP pool as expected.

In conclusion, to assign an LDAP user an IP address from the custom source IP pool, the same object must match in both the firewall policy and the authentication-rule.
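The following FortiOS CLI configuration is an added illustration of the two situations above; it is not part of the original article. All object names (the address range, portal, LDAP user and group, and interface names) are constructed for the example and should be replaced with the objects in the real configuration. The first authentication-rule reproduces the mismatch of case 1 (policy matches the user object first, rule has only the group); the second shows the corrected rule that references the same user object.

```fortios
# Constructed example: custom source IP pool, custom portal, and the objects
# referenced by both the firewall policy and the SSL VPN authentication-rule.

config firewall address
    edit "SSLVPN_CUSTOM_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

config vpn ssl web portal
    edit "custom-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_CUSTOM_POOL"
    next
end

# Hypothetical LDAP-backed user and group objects.
config user local
    edit "ldap-user"
        set type ldap
        set ldap-server "LDAP_SERVER"
    next
end

config user group
    edit "ldap-group"
        set member "LDAP_SERVER"
    next
end

# Case 1 (mismatch): the firewall policy below lists both "ldap-group" and
# "ldap-user", and the policy matches the user object first. This rule holds
# only the group, so the user falls through to the default portal and gets no
# address from SSLVPN_CUSTOM_POOL.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "ldap-group"
            set portal "custom-portal"
        next
    end
end

config firewall policy
    edit 1
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ldap-group"
        set users "ldap-user"
    next
end

# Corrected rule: reference the same object the policy matches ("ldap-user"),
# so the user is mapped to "custom-portal" and receives an address from the
# custom source IP pool.
config vpn ssl settings
    config authentication-rule
        edit 1
            set users "ldap-user"
            set portal "custom-portal"
        next
    end
end
```

To confirm which portal and pool a connected user actually received, check the tunnel list with `get vpn ssl monitor` after reconnecting; the assigned address should fall inside the custom pool's range once the policy and authentication-rule reference the same object.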