FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jgillies01
Staff
Staff
Description
This article describes the procedure to add multiple user group in XUTH in dial up VPN.

Solution
When any Dial up IPSEC VPN configuration is created from the IPSEC WIZARD, it will provide the option to add one user group only.


And on editing the same VPN configuration (Convert to Custom Tunnel), it is not possible to add any multiple user groups, even if it is listed in drop-down under the XAUTH user group:





To add multiple user groups for XUTH authentication, select Inherit from policy.

Edit: XAUTH: select the Type setting and select one of the following options:
- PAP Server — Password Authentication Protocol.
- CHAP Server — Challenge-Handshake Authentication Protocol.




Then create multiple firewall polices and apply user groups.
Specify destination addresses based on user group.

Then users will be connected and based on user group and policy, users will only have access to specific destination.







Here, two firewall policies were created, each for Local User Group and Guest User Group.
Both the groups would get authenticated by XAUTH.
Guest users would get authenticated to reach the destination gmail.com
Local users would get authenticated to reach the destination Microsoft Office 365.


Contributors