Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
matanaskovic
Staff
Staff

Created on ‎12-05-2017 07:37 PM Edited on ‎03-10-2025 12:19 AM By Community Manager

Article Id 198422

Technical Tip: Assign fixed IP address to the users over SSL VPN tunnel with FortiAuthenticator RADIUS service

Description This article describes how to configure the SSL VPN Web Portal on FortiGate to assign a fixed IP address with FortiAuthenticator as a RADIUS server for the users.
Scope FortiAuthenticator.
Solution

FortiGate Configuration.

Edit Web Portal configured for fixed IPs and set 'ip-mode' to 'user-group'. Once configured, all users in the authentication group must have an assigned IP otherwise authentication will fail:

      

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
config authentication-rule
        edit 1
            set groups "framed_ip_grp2" "framed_ip_grp1"
            set portal "test_FixIP"
        next
end
end
config vpn ssl web portal
    edit "test_FixIP"
        set tunnel-mode enable
        set ip-mode user-group                                  <----- Default paramter: range.
        set ip-pools "Range_Fix_IP"               <----- IP range.
    next
config firewall policy
    edit 1
        set name "sslvpnPolicy"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "localsubnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "framed_ip_grp2" "framed_ip_grp1"
    next
end

 FortiAuthenticator Radius Configuration.

  1. Edit user configuration: Go under Authentication -> User Management -> Local / Remote Users -> Edit the User -> RADIUS Attributes -> Add RADIUS Attribute.

 

  1. Add the following attribute values:

Vendor: Default.
Attribute ID: Framed-IP-Address.
Value:  <IP in the range defined on ip-pools>.

Untitled.png

 

Related article:

Technical Tip: Radius authentication with FortiAuthenticator
24471
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.