This article describes how to configure User Groups on the FortiGate to match multiple Remote Groups (i.e. those based on LDAP, RADIUS, SAML, and TACACS+) using both the FortiOS Web GUI and the CLI. This can be particularly useful when multiple remote user groups need to share a common User Group on the FortiGate.
Note that this article is a supplement to the User Group section of the FortiOS Administration Guide, which can be found here: User groups
When configuring Remote Group matching for a FortiGate User Group, there are multiple options to select from, including LDAP, RADIUS, SAML, and TACACS+. RADIUS, SAML, and TACACS+ share the same GUI format for configuring group matching and are grouped together further below, whereas LDAP has its own unique layout. On the other hand, configuring group-matching via the CLI is identical for all Remote Group/Server options.
Note:
Group Matching on the FortiGate is done with OR logic, not with AND logic. This means that a user needs to only match one of the available entries to be considered a member of that FortiGate User Group (it does not need to match all specified entries).
To configure User Groups in general, navigate to User & Authentication > User Groups in the GUI, or use config user group in the CLI.
Configuring User Group with Remote Group Matching - GUI Method (LDAP):
When adding an LDAP server to a User Group, the domain structure will be displayed along with a list of all groups found within the domain. Since LDAP uses a directory tree structure, the list of LDAP groups displayed will depend on which part of the directory is selected in the left-hand navigation pane.
To select and add an LDAP group for matching, right-click the entry and select Add Selected (multiple entries can be selected and added at once). Likewise, an entry can be removed with the Remove Selected button. Note that after committing this selection, the actual Group Name that will be checked is the full LDAP Distinguished Name of the entry (e.g. CN=Domain Users,CN=Users,DC=domain,DC=local), not just its CN.
Configuring User Group with Remote Group Matching - GUI Method (RADIUS, TACACS+, SAML):
RADIUS, TACACS+, and SAML all share the same GUI layout for configuring group matching. Setting the Groups field to Any means that any user that has completed authentication will be a member of the group, whereas the Specify option allows administrators to specify a string to check for group-matching.
To add additional entries, select the plus button (+) next to one of the existing entries, then specify an additional string. Note that the exact strings that must be set here will vary based on the exact authentication setup.
For RADIUS (config user radius), the FortiGate will perform group-matching on the string(s) returned by the RADIUS server in the Filter-Id attribute, though in FortiOS 6.4.0 and later this can be switched to the Class attribute with set group-override-attr-type class under the RADIUS server entry (see also: https://docs.fortinet.com/document/fortigate/latest/administration-guide/252538/support-for-okta-rad...).
For TACACS+ (config user tacacs+), the FortiGate checks the memberof attribute for group-matching purposes (see also: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-using-TACACS-authentication-with-ad...).
For SAML (config system saml for administrator logins, config user saml for all others), the FortiGate checks the SAML attribute configured via set group-name for the list of groups associated with the user. The suggested group-name is the word 'group' but it can be any string as long as it matches on both the Service Provider (SP; FortiGate) and Identity Provider (IdP).
Notably for SAML, the actual group strings returned by the IdP will vary depending on which IdP is used. For example:
Configuring User Group with Remote Group Matching - CLI Method:
Configuring multiple Remote Group matches in the CLI is straightforward since the commands remain the same for all forms of remote authentication server. Each entry is configured under the config match sub-section of config user group using the following format:
config user group
edit <Group Name>
set member <Remote Server 1> <Remote Server 2> <...>
config match
edit <# id>
set server-name <Remote Server>
set group-name <Group String to Match>
next
end
end
Note: When matching multiple groups, each Remote Group must be configured as a separate entry under config match, as shown in the SAML-based example below:
GUI-based User Group:
CLI-based User Group:
config user group
edit "Test_Users"
set member "SAML_Server"
config match
edit 1
set server-name "SAML_Server"
set group-name "VPN_Users"
next
edit 2
set server-name "SAML_Server"
set group-name "VPU_Users2"
next
end
end
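The following is an added example (not Fortinet code and not a FortiOS feature) that models the behaviour described in the OR-logic note and in the CLI section above: it pulls the group strings out of a SAML assertion's attribute (the attribute named by set group-name, assumed here to be "group"), evaluates a user group's config match entries the way the article describes (a user needs to match only one entry; a server listed under set member with no match entries behaves like the GUI's Any option, which is an assumption of this model; comparison is an exact string compare, so an LDAP entry only matches on the full DN), and renders the equivalent FortiOS CLI block. The assertion, server names and group names are constructed sample data.

```python
"""Model of FortiGate user-group remote matching (added example, not Fortinet code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: IdP returns two values in the "group" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>VPN_Users</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class MatchEntry:
    """One 'edit <id>' entry under 'config match'."""
    server_name: str   # set server-name
    group_name: str    # set group-name


@dataclass
class UserGroup:
    """One 'config user group' entry."""
    name: str
    members: list = field(default_factory=list)   # set member <server> ...
    matches: list = field(default_factory=list)   # config match entries


def saml_groups(assertion_xml: str, attr_name: str = "group") -> list:
    """Return every AttributeValue of the attribute named attr_name.
    attr_name is the string configured with 'set group-name' under config user saml."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            values.extend(v.text.strip()
                          for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                          if v.text)
    return values


def is_member(group: UserGroup, server: str, returned_groups) -> bool:
    """OR logic: the user is a member if ANY match entry for this server equals
    ANY of the group strings the server returned (exact, case-sensitive compare,
    which is an assumption of this model). A member server with no match entries
    is treated like the GUI's 'Any' option (also an assumption of this model)."""
    if server not in group.members:
        return False
    entries = [m.group_name for m in group.matches if m.server_name == server]
    if not entries:
        return True
    returned = set(returned_groups)
    return any(g in returned for g in entries)


def render_cli(group: UserGroup) -> str:
    """Render the equivalent 'config user group' block, one match entry per group."""
    lines = ["config user group",
             f'    edit "{group.name}"',
             "        set member " + " ".join(f'"{m}"' for m in group.members),
             "        config match"]
    for idx, m in enumerate(group.matches, start=1):
        lines += [f"            edit {idx}",
                  f'                set server-name "{m.server_name}"',
                  f'                set group-name "{m.group_name}"',
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    test_users = UserGroup("Test_Users", ["SAML_Server"],
                           [MatchEntry("SAML_Server", "VPN_Users"),
                            MatchEntry("SAML_Server", "VPU_Users2")])
    groups = saml_groups(SAMPLE_ASSERTION)
    print("IdP returned:", groups)
    print("member of Test_Users:", is_member(test_users, "SAML_Server", groups))
    print(render_cli(test_users))
```

The LDAP case is the one that bites in practice: a match entry of CN=Domain Users,CN=Users,DC=domain,DC=local will not match a returned value of Domain Users, so copy the DN the GUI shows after Add Selected rather than typing the CN by hand.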
Copyright 2024 Fortinet, Inc. All Rights Reserved.