Description
This article describes how to restrict authorization by group membership using a RADIUS NPS server.
Scope
FortiGate.
Solution
Restricting access based on group membership is a common security practice in large organizations.
RADIUS (Remote Authentication Dial-In User Service) is an AAA (Authentication, Authorization, and Accounting) protocol. In scenarios involving FortiGate and RADIUS (especially the Network Policy Server, NPS, on Windows Server), Vendor Specific Attributes (VSAs) can be used to accomplish this.
On Microsoft Windows Server, the NPS role acts as a RADIUS server capable of authenticating and authorizing users.
VSAs allow for additional functionalities and customizations by enabling vendors to introduce their own specific attributes. In the FortiGate context, these VSAs play a crucial role in determining group affiliations and the resulting access.
In the scenario below, the administrator wants only members of the 'IT' group to match the rule defined on FortiGate that maps users to the SSL VPN portal.
Because RADIUS on FortiGate works with Vendor Specific Attributes, the group name must be returned in the vendor-specific attribute with attribute number '1', which carries the group name.
In the screenshot below, the string attribute with attribute number '1' has been set to 'IT' in the NPS policy on the Active Directory server.
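As an added example (not part of this Fortinet article or its screenshots), the following Python encodes the group-name VSA described above (Fortinet vendor ID 12356, vendor-type 1, known as Fortinet-Group-Name in Fortinet's RADIUS dictionary) as an RFC 2865 Vendor-Specific attribute and extracts it from a constructed Access-Accept attribute list, which is how a practitioner can confirm what NPS actually returns in a packet capture before troubleshooting the FortiGate group match. The sample attribute bytes and the exact, case-sensitive string comparison are assumptions of this example.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type 26 = Vendor-Specific
FORTINET_VENDOR_ID = 12356    # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1       # vendor-type 1 = Fortinet-Group-Name (string)


def build_group_name_vsa(group: str) -> bytes:
    """Encode Fortinet-Group-Name=<group> as a complete Vendor-Specific attribute."""
    value = group.encode()
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header)."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def fortinet_group_names(data: bytes):
    """Return every Fortinet-Group-Name value in the attribute list, other VSAs ignored."""
    groups = []
    for attr_type, value in parse_attributes(data):
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue                      # e.g. Microsoft (311) attributes from NPS
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == FORTINET_GROUP_NAME:
                groups.append(sub[2:sub[1]].decode(errors="replace"))
            sub = sub[sub[1]:]
    return groups


def group_match(data: bytes, required_group: str) -> bool:
    """Exact string match, as assumed for the FortiGate user-group match on the VSA."""
    return required_group in fortinet_group_names(data)


# Constructed sample Access-Accept attribute list: a Class attribute (type 25),
# a Microsoft VSA (vendor 311, MS-Filter type 22, empty) and the Fortinet VSA.
SAMPLE_ACCEPT = (struct.pack("!BB", 25, 6) + b"abcd"
                 + struct.pack("!BBIBB", 26, 8, 311, 22, 2)
                 + build_group_name_vsa("IT"))

if __name__ == "__main__":
    print(fortinet_group_names(SAMPLE_ACCEPT), group_match(SAMPLE_ACCEPT, "IT"))
```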
Copyright 2024 Fortinet, Inc. All Rights Reserved.