Cybersecurity Forum


yugiohx
New Contributor

Radius User Group mapping problem

Hello everybody,
I have a Fortinet VM-64 (version v5.4.7, build6446) to provide SSLVPN service.
My customer provides a RADIUS server for SSLVPN authentication.
But their RADIUS server can't return group information when doing authentication.
So I created many RADIUS accounts on the VM-64 and mapped them to different groups.
But there is a problem with the group mapping.
When a client uses an account which exists on the RADIUS server but doesn't exist on the VM-64 to log in to SSLVPN, the login succeeds and the account is mapped to the group of the first account in the account list.
For example:
-----------------
I have two accounts on the VM-64.
AAA in RADIUS is group-X (it's the first account in the list)
BBB in RADIUS is group-Y

There are three accounts on the RADIUS server (because the RADIUS server is not only for SSLVPN).
AAA
BBB
CCC

When a client uses CCC to log in to SSLVPN, he logs in successfully and is mapped to group-X.
-------------------
Because different groups have different access control lists, this is a security issue.
And it's strange to map an account which doesn't exist to an existing group.
It looks like a vulnerability or a program logic error in the authentication?
Could you kindly give me some suggestions to resolve it?
Thanks a lot : )