Technical Tip: How to find the group association of an IPsec VPN user

A network administrator may need to verify the group association of an IPsec VPN user for various reasons, such as applying access restrictions based on user roles or troubleshooting connectivity and policy-related issues.

This is especially helpful when users from different groups are connecting through the same dial-up tunnel.

In the GUI, this is possible by using the Firewall Users monitor located under Dashboard -> Users & Devices by default.

Note:

If the group is set directly in the IPsec settings, no cached session is created, and the user will not appear in the Firewall User Monitor or diagnose firewall auth list. For more information, refer to Technical Tip: A guide to Dial-Up IPsec VPN Authentication and Policy Matching.

For IKEv2 dial-up tunnels, there is no XAUTH configuration. Instead, user groups can be directly referenced in the firewall policy, leaving authusrgrp empty.

When a user is connected to IKEv2:

FGVM4Vxxxx0732 # diagnose firewall auth list

10.212.134.200, localuser
        type: fw, id: 0, duration: 2, idled: 0
        server: EAP_PROXY
        packets: in 32 out 31, bytes: in 9352 out 7157
        group_id: 3
        group_name: localgroup

----- 1 listed, 0 filtered ------

FGVM4Vxxxx0732 # 

When the user is connected to IKEv1:

FGVM4Vxxxx0732 # diagnose firewall auth list

10.212.134.200, localuser
        type: fw, id: 0, duration: 6, idled: 6
        server: localuser
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 3
        group_name: localgroup

----- 1 listed, 0 filtered ------

Related article:

Technical Tip: A guide to Dial-Up IPsec VPN Authentication and Policy Matching