Description
This article describes the procedure to add multiple user groups in XAUTH in dial-up VPN.
Scope
FortiGate.
Solution
When any dial-up IPsec VPN configuration is created from the IPsec wizard, it will provide the option to add one user group only.
Upon editing the same VPN configuration (convert to Custom Tunnel), it will not be possible to add any multiple user groups, even if it is listed in drop-down under the XAUTH user group:
To add multiple user groups for XAUTH authentication, select Inherit from policy.
Edit: XAUTH: select the Type setting and select one of the following options:
- PAP Server - Password Authentication Protocol.
- CHAP Server - Challenge-Handshake Authentication Protocol.
IKEv2:
- For IKEv2, FortiClient will use EAP-MSCHAPv2.
- For this setup to work, the remote radius server must support EAP-MSCHAPv2 authentication (EAP-MS-CHAP) (Microsoft NPS for example).
After, create multiple firewall policies and apply user groups.
Specify destination addresses based on user group.
After, users will be connected and, based on user group and policy, will only have access to specific destinations.
- Two firewall policies were created, one for the Local User Group and the Guest User Group.
- Both groups will be authenticated by XAUTH.
- Guest users will be authenticated to reach the gmail.com destination.
- Local users will be authenticated to reach the Microsoft Office 365 destination.
Related article:
Technical Tip: Using group based firewall policy for Dial-Up VPN to restrict network access
