rojekj
New Member
November 20, 2017
Question

Fortinet-Group-Name for whole user group on 5.1.1

Hi all,

I'm trying to configure FortiAuthenticator 5.1.1 with FortiGate 5.6.2. I have many groups on FortiAuthenticator and I want to use them on FortiGate for SSL VPN. Every user group should have different policies. That is why FAC needs to pass information about the user group to FG.

On FG I have RADIUS configured, and in every user group I have "Remote Groups" with "Group Name" configured.

On FAC:

When I add "Fortinet-Group-Name" RADIUS Attribute in user configuration IT WORKS.

When I add "Fortinet-Group-Name" RADIUS Attribute in group configuration IT DOESN'T WORK. The attribute is not being passed to FG.

Is this normal? Does this mean that I have to manually add this attribute to every user?

Regards,

Jan

    xsilver_FTNT
    Staff
    November 22, 2017

    Hi,

    if you do have an FGT group config like:

        edit "RADIUS_FAC_SSL"
            set member "FAC_17.49"
            config match
                edit 1
                    set server-name "FAC_17.49"
                    set group-name "cn=SSLAllow,ou=people,dc=fortilab,dc=int"
                next
            end
        next

    Then it's a very normal and expected behavior.

    Fortinet calls this behavior "group match" and it works for all outer auth (RADIUS/LDAP/TACACS+) in a similar way.

    For the RADIUS protocol, the expected way for the FGT to get the user group membership to compare is the mentioned AVP Fortinet-Group-Name.

    I wrote a little KB about that a few years ago.

    http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464

    The only situation where you can actually choose which AVP will carry (and where the FGT expects) the group membership is RSSO. But that's a slightly different auth from Single Sign-On passive authentications.

    Best regards,

    Tomas
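As an added example (not from the thread, the KB, or Fortinet's own code), the following Python script encodes the Fortinet-Group-Name vendor-specific attribute the way it travels in a RADIUS Access-Accept and then applies a FortiGate-style "config match" table to it, so the two cases in the thread (Accept with the AVP versus Accept without it) can be compared side by side. Assumptions: Fortinet's IANA vendor ID 12356 and vendor type 1 for Fortinet-Group-Name as in the vendor dictionary, and an exact, case-sensitive comparison between the returned value and the configured group-name.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet IANA enterprise number (assumed from the vendor dictionary)
FORTINET_GROUP_NAME = 1      # vendor type of Fortinet-Group-Name in that dictionary (assumed)
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute


def build_group_vsa(group_name):
    """Encode one Fortinet-Group-Name VSA in RFC 2865 Vendor-Specific layout."""
    value = group_name.encode()
    vendor_part = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vendor_part),
                       FORTINET_VENDOR_ID) + vendor_part


def parse_group_names(attrs):
    """Walk the attribute area of an Access-Accept and return every
    Fortinet-Group-Name value it carries (an empty list if there is none)."""
    groups, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        body = attrs[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor, j = struct.unpack("!I", body[:4])[0], 4
            while j + 2 <= len(body):          # a VSA may pack several sub-attributes
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    break                      # ignore a truncated sub-attribute
                if vendor == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME:
                    groups.append(body[j + 2:j + vlen].decode(errors="replace"))
                j += vlen
        i += alen
    return groups


def matched_user_groups(attrs, match_table):
    """match_table mirrors 'config user group ... config match': {fgt_group: [group-name, ...]}.
    The user lands in every FortiGate group whose match list contains one of the
    returned Fortinet-Group-Name values (exact, case-sensitive comparison assumed)."""
    returned = set(parse_group_names(attrs))
    return sorted(g for g, names in match_table.items() if returned & set(names))


if __name__ == "__main__":
    # Constructed sample: a match table like the one in the thread, with and without the AVP.
    table = {"RADIUS_FAC_SSL": ["cn=SSLAllow,ou=people,dc=fortilab,dc=int"],
             "vpn_admins": ["vpn_admins"]}
    print("AVP absent :", matched_user_groups(b"", table))            # []
    print("AVP present:", matched_user_groups(build_group_vsa("vpn_admins"), table))
```

An Accept that carries no Fortinet-Group-Name yields an empty match list, which is what the "no Group membership(s) line" outcome in the debug output corresponds to.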

    rojekj
    New Member
    November 22, 2017

    xsilver_FTNT,

    You wrote on that KB:

    Note that some RADIUS servers like FortiAuthenticator can provide RADIUS attributes on a per-user or per-group basis. So either every single user has its own AVP, or the user is a group member and, when authentication happens, the user inherits the AVP from the group. The name of the user group on the RADIUS server (like in this inherit case) has no direct connection to the AVP, so simply choosing the group is not enough.

    So, let's say that I have user "rojekj" on FAC. That user is a member of the "vpn_admins" group on FAC. Group "vpn_admins" on FAC has AVP "Fortinet-Group-Name" set to "vpn_admins". FortiGate has "set group-name" configured to "vpn_admins". From your KB I assume that this should work.

    Well, it doesn't.

    I have to set AVP "Fortinet-Group-Name" on user "rojekj", and then it works.

    I don't think that this is by design, and I don't think this is what you wrote in your KB.

    rojekj
    New Member
    November 22, 2017

    I also did some debugging on the FG.

    With AVP set on group:

    Forti0001 # diagnose test authserver radius waw60fac0001 pap rojekj ****

    Token Code:******

    authenticate 'rojekj' against 'pap' succeeded, server=primary assigned_rad_session_id=618611079 session_timeout=0 secs idle_timeout=0 secs!

    With AVP set on user:

    Forti0001 # diagnose test authserver radius waw60fac0001 pap rojekj ****

    Token Code:******

    authenticate 'rojekj' against 'pap' succeeded, server=primary assigned_rad_session_id=618611080 session_timeout=0 secs idle_timeout=0 secs!

    Group membership(s) - vpn_admins