horinius
New Member
October 27, 2019
Question

Is it impossible to have two Radius user groups with only one Radius server?


I already have a working SSL VPN for my users who are authenticated via Radius server in an Active Directory.

I want to create another user group so that they have a different access permission, something like this:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-sslvpn-54/SSLVPN_Examples_54/Multi_Groups_Different_Access_Perms.htm

When I revise the Radius settings in my FortiGate 80C, it seems to me that there is no way to have two groups using a single Radius server. Am I correct? Besides making a second Radius server, what other option do I have?

    3 replies

    Toshi_Esumi
    SuperUser
    October 27, 2019

    The same user can belong to different groups. The radius server should be the same. The problem is how to get bound to a specific group (authentication rule) when a user tries to connect over SSL VPN. It would always use the first one, I believe. I'm not sure if it would try the next auth rule when the first one is denied by the radius. You can try though.

    But an option to avoid that situation is to use realms like below:

    https://docs.fortinet.com...72/ssl-vpn-multi-realm

    horinius (Author)
    New Member
    October 28, 2019

    I didn't talk about having the same user in two different groups!  What are you talking about?

    Toshi_Esumi
    SuperUser
    October 28, 2019

    To have group users authenticated by a RADIUS server, you need to create a "group" [config user group] with the server created under [config user radius] as a member in the FGT. If you want to get two different user group member clients authenticated by the same server, you have to create two "group"s and put the same server as a member of both "group"s.

    emnoc
    New Member
    October 28, 2019

    I agree, and one other option if you want to control different access is to use realms. This goes a long way with dividing and controlling user access.


    e.g.

    http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html


    Ken Felix
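A worked FortiOS CLI configuration of the approach the replies above describe, added here as an illustration; it is not taken from any post in this thread, from the linked pages, or from Fortinet documentation. It shows one RADIUS server object used as the member of two user groups, plus one realm per group so that an SSL VPN login is bound to the intended authentication rule rather than always matching the first one. The server address, shared secret, group, realm and portal names are placeholders. The `config match` blocks are an added assumption that the RADIUS server returns a Fortinet-Group-Name attribute for each user, which the thread does not discuss; omit them if group membership is to be decided by realm alone.

```fortios
# Added example, not from the thread. All values are placeholders.
# One RADIUS server object, shared by both user groups.
config user radius
    edit "AD-RADIUS"
        set server "192.0.2.10"                  # placeholder RADIUS/NPS address
        set secret "REPLACE_WITH_SHARED_SECRET"  # placeholder
    next
end

# Two FortiGate user groups, both with the same RADIUS server as member.
# The optional "config match" block narrows each group to users for whom
# the server returns the matching Fortinet-Group-Name value
# (assumption: the RADIUS server is configured to send that attribute).
config user group
    edit "SSLVPN-Admins"
        set member "AD-RADIUS"
        config match
            edit 1
                set server-name "AD-RADIUS"
                set group-name "SSLVPN-Admins"
            next
        end
    next
    edit "SSLVPN-Users"
        set member "AD-RADIUS"
        config match
            edit 1
                set server-name "AD-RADIUS"
                set group-name "SSLVPN-Users"
            next
        end
    next
end

# One realm per group. Clients reach them at https://<vpn-host>:<port>/admins
# and https://<vpn-host>:<port>/users, so each login is tied to one rule.
config vpn ssl web realm
    edit "admins"
    next
    edit "users"
    next
end

# Authentication rules bind realm + group to a portal with the desired access.
# "full-access" and "web-access" are the default portal names on FortiOS.
config vpn ssl settings
    config authentication-rule
        edit 1
            set realm "admins"
            set groups "SSLVPN-Admins"
            set portal "full-access"
        next
        edit 2
            set realm "users"
            set groups "SSLVPN-Users"
            set portal "web-access"
        next
    end
end
```

Each group must still be referenced by its own firewall policy from the ssl.root interface so that the portal's access is actually enforced at the policy level; those policies are omitted here. Without the `config match` blocks, any user the RADIUS server accepts is a member of both groups, and the realm a user logs in through is the only thing that selects the rule.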