lasersailing2k3
New Member
October 14, 2024
Solved

Autoconnect IPSEC Entra AD

  • October 14, 2024
  • 3 replies
  • 2562 views

Hi

We are trying to set up the following: Autoconnect to IPsec VPN using Entra ID logon session information

https://docs.fortinet.com/document/forticlient/7.2.3/ems-administration-guide/396545/autoconnect-to-ipsec-vpn-using-entra-id-logon-session-information

We have the Client configured in EMS and are able to connect to the IPSEC VPN, but how can you then control which logged in users have access via firewall policies? I was thinking about using user groups on firewall policies but this just doesn't seem to work. Does anyone have any experience of restricting the FW policies based on which users are in which groups in Entra?

Many Thanks

Best answer by lasersailing2k3

3 replies

johnathan
Staff
October 14, 2024

You can make multiple User Groups in the Firewall, but when selecting the SAML server you have the option to specify a group ID that will correlate with a group ID in Azure. This is how you can match different Entra ID groups to different Firewall Groups.
See: https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-with-entra-id-acting-as-saml-idp

Never trust a computer you can't throw out a window.
lasersailing2k3
New Member
October 14, 2024

Thanks, but that is using SAML with SSL-VPN. We are using always-on IPSEC with Entra.

Following this link to do the authentication is what we are using, but it's just not playing ball.

https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/33053

Seeing constant certificate warnings when trying to pass user traffic through the firewall policies.

johnathan
Staff
October 14, 2024

I have attached a screenshot of what I am referring to (group name is the group ID in Entra ID). This is on the Firewall Group itself.
I don't think the document you shared is applicable for our situation (we are VPN; that document is for on-prem).

Never trust a computer you can't throw out a window.
johnathan
Staff
October 14, 2024

Sorry, it didn't attach >_<

Never trust a computer you can't throw out a window.
lasersailing2k3
Author, Answer
New Member
October 24, 2024

OK so just an update to this for other people who want to get this working:

1. Your FortiGate needs to be running at least 7.2.10 as there was a bug in earlier versions.

2. You need to remove the config option "set authusrgrp msgraph" on the ipsec phase1-interface.

3. You then need to create groups for each user group that you want to apply to firewall policies:

    config user group
        edit "group1"
            set member "msgraph"
            config match
                edit 1
                    set server-name "msgraph"
                    set group-name "363a72ce-d2c7-4758-9d25-5485789e4043"
                next
            end
        next
        edit "group2"
            set member "msgraph"
            config match
                edit 1
                    set server-name "msgraph"
                    set group-name "38f658d9-c3c2-4a8c-b4d0-d809d42fc31e"
                next
            end
        next
    end

4. Then just apply the groups to the relevant FW policies.

Hope this helps :)

Gubin
Visitor III
November 26, 2025

Hey. Hope you're doing well.

I tried it, but it can't connect when I "unset authusrgrp" in the phase1.

I did the groups like you did (with my own Group IDs of course).

Did you do something else?

funkylicious
SuperUser
November 26, 2025

Make sure you use the groups in the FW rules.

"jack of all trades, master of none"