Author: jgillies01 (Staff)
Created on 11-14-2019 02:32 AM
Edited on 03-11-2025 01:48 PM by Stephen_G
Article Id 193102
Description
This article describes the procedure to add multiple user groups for XAUTH authentication in a dial-up IPsec VPN.
Solution
When a dial-up IPsec VPN configuration is created from the IPsec wizard, it only provides the option to add one user group.

Upon editing the same VPN configuration (convert to Custom Tunnel), it is still not possible to add multiple user groups, even though they are listed in the drop-down under XAUTH user group.

To add multiple user groups for XAUTH authentication, select Inherit from policy instead of a single user group.
Under the tunnel's XAUTH settings, set Type to one of the following options:
- PAP Server - Password Authentication Protocol.
- CHAP Server - Challenge-Handshake Authentication Protocol.

IKEv2:
- For IKEv2, FortiClient will use EAP-MSCHAPv2.
- For this setup to work, the remote RADIUS server must support EAP-MSCHAPv2 authentication (EAP-MS-CHAP), for example Microsoft NPS.
Next, create multiple firewall policies and assign one user group to each.
Specify the permitted destination addresses in each policy based on its user group.
Once connected, users will only have access to the destinations allowed by the policy that matches their user group.


In this example, two firewall policies were created, one for the Local User Group and one for the Guest User Group.
Both groups will be authenticated by XAUTH.
Guest users will be authenticated to reach the gmail.com destination.
Local users will be authenticated to reach the Microsoft Office 365 destination.
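A FortiOS CLI rendering of the two-group setup above, added here as an example and not taken from the article. It assumes that `set xauthtype auto` is the CLI counterpart of the GUI Inherit from policy choice, and uses made-up object names (Dialup-VPN, wan1, Guest_Group, Local_Group, gmail.com and Office365 address objects created beforehand).

```fortios
# Added example (not from the original article). Assumed names: phase1 "Dialup-VPN",
# WAN interface "wan1", user groups "Guest_Group" and "Local_Group", and destination
# address objects "gmail.com" and "Office365" created beforehand.
config vpn ipsec phase1-interface
    edit "Dialup-VPN"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        # No authusrgrp here: the XAUTH group is inherited from the matching firewall policy
        set xauthtype auto
        set psksecret <PRE-SHARED-KEY>
    next
end
config vpn ipsec phase2-interface
    edit "Dialup-VPN"
        set phase1name "Dialup-VPN"
        set proposal aes256-sha256
    next
end
# One policy per group: "set groups" ties the XAUTH credentials to a group and limits
# the destination. A user who is in neither group matches no policy and is denied.
config firewall policy
    edit 10
        set name "VPN-Guest-to-Gmail"
        set srcintf "Dialup-VPN"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "gmail.com"
        set groups "Guest_Group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "VPN-Local-to-Office365"
        set srcintf "Dialup-VPN"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Office365"
        set groups "Local_Group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policy order matters: a broader policy from the dial-up interface placed above these two would match first and bypass the per-group restriction. Check which group a connected user was authenticated into with diagnose firewall auth list and the tunnel state with diagnose vpn ike gateway list.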