Description
This article provides the solution for the scenario in which an SSL VPN user is a member of multiple groups in the Active Directory server.
Take the following user structure as an example:
FortiGate is configured with the following settings:
With these settings, user1 is never authenticated against Group2, even though the FortiClient connection explicitly targets the Group2 realm. NPS evaluates its network policies in processing order and applies the first policy whose conditions all match, so a user who belongs to both groups always matches the Group1 policy first.
Scope: FortiGate, Microsoft NPS.
Solution
The solution is to specify a NAS-IP in the SSL VPN realm setting and to add that same NAS-IP as a condition in the NPS network policy for that group, on the NPS server referenced by the realm's RADIUS server entry:
config vpn ssl web realm
    edit <REALM_NAME>
        set radius-server <RADIUS>
        set nas-ip <NAS-IP>
    next
end
The NAS-IP can be a dummy IP address: it is used purely as an identifier that the NPS network policy condition can match on.
Configuration on NPS Server:
The result on the NPS server would look similar to the following for both groups:
When user1 authenticates through the Group2 realm (https://<FGT WANIP>:<SSLVPN Port>/<Realm_name>), the realm-specific NAS-IP is sent as the NAS-IP-Address attribute of the RADIUS Access-Request packet:
With this additional attribute configured in the FortiGate realm setting and the matching condition set in the NPS network policy, users who reside in multiple groups are matched to the desired realm and user group:
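The following added example (not code from the article, Fortinet or Microsoft) models the behaviour described above offline: it encodes a minimal RADIUS Access-Request carrying User-Name and NAS-IP-Address (RFC 2865 attributes 1 and 4), parses it back, and then evaluates a list of NPS-style network policies in processing order with first-match semantics. The AD group membership, the policy names, and the dummy NAS-IPs 10.255.255.1 and 10.255.255.2 are constructed for the demonstration. It shows that with group-only policies user1 always lands in the Group1 policy, and that adding the realm's NAS-IP as a policy condition routes the same user to the Group2 policy when connecting through the Group2 realm.

```python
import struct
import ipaddress

# RADIUS packet code and attribute types from RFC 2865 (real values).
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


def build_access_request(username: str, nas_ip: str, identifier: int = 1) -> bytes:
    """Encode a minimal Access-Request with User-Name and NAS-IP-Address.

    The 16-byte Request Authenticator is zeroed because this is an offline
    demonstration; a real client fills it with random bytes.
    """
    name = username.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    length = 20 + len(attrs)  # 20-byte header: code, id, length, authenticator
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + bytes(16) + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the header and return the ones we care about."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    out = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            out["User-Name"] = value.decode()
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            out["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        pos += attr_len
    return out


# Constructed AD membership: user1 is in both groups, user2 only in Group2.
GROUP_MEMBERS = {"user1": {"Group1", "Group2"}, "user2": {"Group2"}}

# Constructed dummy NAS-IPs, one per SSL VPN realm (the article's "set nas-ip").
REALM_NAS_IP = {"Group1": "10.255.255.1", "Group2": "10.255.255.2"}

# Policies are (name, required AD group, required NAS-IP or None), in NPS processing order.
POLICIES_GROUP_ONLY = [
    ("Allow Group1", "Group1", None),
    ("Allow Group2", "Group2", None),
]
POLICIES_WITH_NAS_IP = [
    ("Allow Group1", "Group1", REALM_NAS_IP["Group1"]),
    ("Allow Group2", "Group2", REALM_NAS_IP["Group2"]),
]


def first_matching_policy(policies, request: dict):
    """NPS semantics: the first policy whose conditions all match is applied."""
    groups = GROUP_MEMBERS.get(request.get("User-Name"), set())
    for name, group, nas_ip in policies:
        if group not in groups:
            continue
        if nas_ip is not None and request.get("NAS-IP-Address") != nas_ip:
            continue
        return name
    return None  # no policy matched: NPS would reject the request


def evaluate(realm: str, username: str, policies):
    """Build the request the FortiGate would send for this realm and evaluate it."""
    packet = build_access_request(username, REALM_NAS_IP[realm])
    return first_matching_policy(policies, parse_attributes(packet))


if __name__ == "__main__":
    print("group-only policies, user1 via Group2 realm:",
          evaluate("Group2", "user1", POLICIES_GROUP_ONLY))
    print("NAS-IP conditions,  user1 via Group2 realm:",
          evaluate("Group2", "user1", POLICIES_WITH_NAS_IP))
```

The first run reproduces the problem from the description (user1 matches "Allow Group1" even when connecting through the Group2 realm); the second shows the fix, where the NAS-IP condition makes each policy apply only to requests from its own realm. A user who connects through a realm whose group they are not a member of matches no policy at all, which is the intended outcome.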
Related document:
Copyright 2025 Fortinet, Inc. All Rights Reserved.