Technical Tip: How to restrict SSL VPN user to tunnel mode and web-mode in SSL VPN using Radius

Let user consider User A (Test-tunnel) to only access the tunnel mode of the SSL VPN and User B (Test-webmode) to access web mode only on the unit.

First, create a User group for Radius in the unit with specific radius group name in the group. 

To configure the setup on GUI, go to User & Authentication -> User Group, select 'Create New+'.

The Radius server would be mapped in the remote group and press the specific button to add the Radius group attribute in it.

A screenshot has been attached for reference for GUI.

Find the below configure to be performed from CLI.

Tunnel mode:

# config user group
    edit "Test-rad-tunnel"
        set member "10.100.4.117"
# config match
    edit 1
        set server-name "10.100.4.117"
        set group-name "Test-tunnel"
    next
end

Web mode:

# config user group

    edit "Test-rad-webmode"
        set member "10.100.4.117"
# config match
    edit 1
        set server-name "10.100.4.117"
        set group-name "Test-webmode"
    next
end

Then, assign the user group to the appropriate SSL VPN profile in the authentication rule in the firewall policy.

To configure that on GUI, go to VPN-> SSL-VPN setting -> Authentication/Portal Mapping, select 'Create New'.

A dropdown menu will appear, to select the require SSL VPN profile and User group.

# config vpn ssl settings
# config authentication-rule
    edit 1
        set groups "Test-rad-tunnel"
        set portal "tunnel-access"

    next
        edit 2
            set groups "Test-rad-webmode"
            set portal "web-access"
    next
end 

The Radius server must be able to send the group-name attribute to the unit.

Only then, the unit would be able to filter the correct user group and assign the correct SSL VPN profile to the user for access.

It is possible to collect pcap's from the firewall to verify if the server is sending the require Radius attribute.

To perform that, go to Network -> Packet Capture, selectCreate and set the port 1812 to filter Radius packets.

Below is screenshot of PCAP output where the Group name attribute is sent to firewall:

To troubleshoot the issue on the unit for this, use the below command:

# di de reset

# di de app fnbamd -1

# di de app sslvpn -1 
# di de en 

Find a sample output for successfully authentication for SSL VPN below:

[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val Test-tunnel
[1383] fnbamd_auth_handle_radius_result-->Result for radius svr '10.100.4.117' 10.100.4.117(1) is 0
[1653] fnbam_user_auth_group_match-req id: 1524376797, server: 10.100.4.117, local auth: 0, dn match: 0
[1622] __group_match-Group 'Test-rad-tunnel' passed group matching
[1625] __group_match-Add matched group 'Test-rad-tunnel'(2)
[277] find_matched_usr_grps-Passed group matching

[3409:root:16]deconstruct_session_id:709 decode session id ok, user=[test-tunnel], group=[Test-rad-tunnel],authserver=[10.100.4.117],portal=[tunnel-access],host[10.32.76.92],realm=[],csrf_token=[CECD4391B576F76D9957B963C6F8B78],idx=1,auth=2,sid=58ec7ff5,login=1659091670,access=1659091670,saml_logout_url=no,pip=10.32.76.92,grp_info=[
SCGF9Y],rmt_grp_info=[em4f4W]

Reference link:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1...

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/690301/configuring-the-ssl-vpn-tunnel