AllanStark
Explorer
December 5, 2025
Solved

Assigning static IP addresses to SSL VPN users in case of SAML authentication

  • 2 replies
  • 926 views

Hello,

Some of our macOS users are experiencing issues accessing servers within the office network when connecting via VPN. The problem is that the network range in the office is the same as their home network, e.g. 10.0.0.0/24.
To ensure access to office servers on these users' macOS devices, routing must be configured correctly, but the address assigned to the VPN client by FGT is dynamic from the specified range.
Another issue is that users are authorized in FGT through their Entra ID accounts (SAML authentication with Entra ID is configured in FGT). It seems this article (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reserve-SSL-VPN-client-IP-addresses-without-an/ta-p/367799) is not applicable in this case, since the VPN portal only allows you to specify a local FGT user or a RADIUS or LDAP user, but not a user authorized via SAML from an external cloud identity provider.
Unfortunately, we are currently unable to change the address range of the office network or connect a third-party DHCP server.
Is there another way to assign specific IP addresses to VPN users logging in via SAML?

In FortView they are displayed as VPN users with the correct UPN (like mailbox address or Entra ID login).

Users use FortiClient VPN apps.

Best answer by funkylicious

You don't select Entra users.

You create user groups that refer to the Entra ID groups the specific users are part of, as described here, which you use in the mapping.

2 replies

funkylicious
SuperUser
December 5, 2025

hi,

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Assigning-Static-IP-for-SSL-VPN-users/ta-p/365357 . Another option would be to also configure realms, but this will require multiple applications configured in Entra, one for each realm/auth portal.

"jack of all trades, master of none"
AllanStark
Explorer
December 5, 2025

@funkylicious Thank you for your reply.
The problem is that in the SSL VPN settings -> Authentication/Portal Mapping there is no option to select Entra users, only FGT local, LDAP and RADIUS.

At least not through the web interface.
Although inside the FGT it clearly operates with the UPN (or user email addresses), since it indicates them in the logs and FortiView

Toshi_Esumi
SuperUser
December 5, 2025

You can try the CGNAT range 100.64.0.0/10 for client IPs, which would never conflict with those users' LAN or the office network.

Toshi
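The approach from the accepted answer (a FortiGate user group matched to an Entra ID group, then mapped to its own portal) combined with Toshi's CGNAT suggestion for the pool, written out as FortiOS CLI. This is an added example, not configuration from the thread or from the Fortinet KB articles linked above; the object names entra-saml, vpn-static-macos, portal-static-macos and SSLVPN_STATIC_POOL, the address 100.64.10.11 and the group object ID placeholder are assumptions. It assumes SAML login against Entra ID already works and that the Entra enterprise application emits a group claim.

```fortios
# Added example, not from the thread or the Fortinet KB. Hypothetical names:
# entra-saml, vpn-static-macos, portal-static-macos, SSLVPN_STATIC_POOL.
# Assumes SAML against Entra ID already works and the enterprise app sends a
# group claim (Entra sends the group object ID unless the claim is changed).

# 1. The SAML server object must know which assertion attribute carries groups.
config user saml
    edit "entra-saml"
        set user-name "username"
        set group-name "group"
    next
end

# 2. A FortiGate user group whose match rule points at one Entra ID group.
#    Replace the placeholder with that group's object ID from Entra.
config user group
    edit "vpn-static-macos"
        set member "entra-saml"
        config match
            edit 1
                set server-name "entra-saml"
                set group-name "<entra-group-object-id>"
            next
        end
    next
end

# 3. Client pool taken from CGNAT space (100.64.0.0/10) so it cannot collide
#    with 10.0.0.0/24 at the home or the office end. A one-address range pins
#    the client IP; it also limits this portal to one concurrent session.
config firewall address
    edit "SSLVPN_STATIC_POOL"
        set type iprange
        set start-ip 100.64.10.11
        set end-ip 100.64.10.11
    next
end

# 4. A tunnel-mode portal that hands out only that pool.
config vpn ssl web portal
    edit "portal-static-macos"
        set tunnel-mode enable
        set ip-pools "SSLVPN_STATIC_POOL"
    next
end

# 5. Authentication/Portal Mapping: the row references the FortiGate user
#    group, never an individual Entra user, which is why the GUI offers none.
config vpn ssl settings
    config authentication-rule
        edit 10
            set groups "vpn-static-macos"
            set portal "portal-static-macos"
        next
    end
end

# Check after the user connects; the row shows the matched group and the IP:
#   get vpn ssl monitor
```

For a truly per-user static address, repeat steps 2 to 5 once per user with a one-member Entra ID group behind each FortiGate group (the realm variant funkylicious mentions is the alternative when one SAML application per portal is acceptable). Two caveats worth checking before blaming the mapping: the Entra group must be assigned to the enterprise application and included in the token's group claim, or the match rule never fires and the user falls through to the default portal; and the firewall policy from the SSL VPN interface to the office LAN must list the new pool as source, or the tunnel comes up with the right address but passes no traffic. The routing conflict on the Mac itself is a separate problem that a fixed client address only makes predictable, not solved.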