FortiGate
Nivedha
Staff
Article Id 421274
Description

This article describes the issue where FSSO supplies incorrect information to the FortiGate, so that VPN users do not match the intended group-based policies, and provides a step-by-step solution.

This document applies to SSL VPN/IPsec VPN users who are authenticated by the RADIUS server on FortiAuthenticator, where the same logon information is also sent to the FortiGate via FSSO because the FortiAuthenticator is configured as the collector agent as well.

Scope
FortiGate, FortiAuthenticator.
Solution

To resolve the issue where FSSO is supplying incorrect information to the FortiGate, follow these steps:

  1. Go to VPN -> SSL -> Settings and ensure that the user group is configured correctly.
  2. When the user authenticates against the SSL VPN user group, the user is recognised as a firewall user and not as an FSSO user.
  3. Because the user authenticates against a domain that has a DC Agent configured, the same logon information is also reflected on the FortiGate as an FSSO user.
  4. Run the command diagnose firewall auth list | grep -A7 -B1 x.x.x.x (x.x.x.x being the user's IP address) to check the authentication list and verify that the user is being authenticated correctly.
  5. Try including the RADIUS user group instead of the FSSO user group in the FortiGate policy.
  6. FortiAuthenticator's FortiGate filtering can be used to stop SSL VPN IP addresses from reaching the FortiGate as FSSO users.
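To make the check in step 4 concrete, the following is an added shell example (not from the article or from Fortinet) that parses a constructed sample of diagnose firewall auth list output and flags an SSL VPN pool address that the FortiGate has recorded as an FSSO login instead of a firewall (RADIUS) login. The field names it looks for (type:, server:, group_name:) are assumed from typical output and should be confirmed against your own unit.

```shell
#!/bin/sh
# Constructed sample of 'diagnose firewall auth list' output (layout approximated;
# field names are an assumption, verify against a real FortiGate).
SAMPLE_AUTH_LIST='10.212.134.200, jdoe,
        type: fsso, id: 0, duration: 120, idled: 0
        server: FAC-Collector,
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 3
        group_name: CN=VPN-Users,OU=Groups,DC=example,DC=local
192.168.10.15, asmith,
        type: fw, id: 0, duration: 300, idled: 5
        server: FAC-RADIUS,
        packets: in 10 out 12, bytes: in 1200 out 3400
        group_id: 2
        group_name: SSLVPN_Group
'

# auth_type_for_ip IP -> prints "<type> <server> <group_name>" for the entry whose
# header line starts with IP; prints nothing when the IP is not in the list.
auth_type_for_ip() {
    printf '%s\n' "$SAMPLE_AUTH_LIST" | awk -v ip="$1" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,/ { cur = $1; sub(/,$/, "", cur) }
        cur == ip && /type:/       { t = $2; sub(/,$/, "", t) }
        cur == ip && /server:/     { s = $2; sub(/,$/, "", s) }
        cur == ip && /group_name:/ { sub(/^[ \t]*group_name: */, ""); g = $0 }
        END { if (t != "") print t, s, g }
    '
}

# check_vpn_entry IP POOL_PREFIX -> "absent" if IP has no entry, "MISMATCH" if an
# address inside the SSL VPN pool prefix is recorded as an FSSO user, else "ok".
check_vpn_entry() {
    ip=$1
    pool_prefix=$2
    set -- $(auth_type_for_ip "$ip")
    [ -n "$1" ] || { echo "absent"; return 0; }
    if [ "$1" = "fsso" ]; then
        case $ip in
            "$pool_prefix"*) echo "MISMATCH"; return 0 ;;
        esac
    fi
    echo "ok"
}
```

On a live unit, replace the embedded sample with the captured command output and pass the SSL VPN address pool prefix as the second argument.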


Related articles:

Technical Tip: How to check users logged in using FSSO on FortiGate

Troubleshooting Tip: FSSO CA initial troubleshooting