Technical Tip: Unable to match SSL firewall policy when user is part of multiple AD groups and SSL-VPN multi-realm is used

Anonymous · ‎10-19-2021

Description

This article describes how to resolve the issue when user being part of multiple groups in AD, is not matching SSL-VPN firewall policy which contains the LDAP user group of which the user is a part of.

1) Username 'user1' membership, part of groups A1,A2.

2) LDAP user groups.

3) SSL-VPN Firewall Policy with user 'user1' being part of A1 Group.

4) SSL VPN Setting where A2 is mapped to portal.User 'user1' is also part of A2 Group.

Related document.

https://docs.fortinet.com/document/fortigate/6.4.6/administration-guide/724772/ssl-vpn-multi-realm

Solution
To overcome the issue of the user not matching the SSL-VPN firewall policy we add the user group 'A1' to the same portal mapping where user group 'A2' is mapped.

From CLI.

# config vpn ssl settings

set servercert "self-sign"

set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"

set source-interface "port2"

set source-address "all"

set source-address6 "all"

set default-portal "web-access"

# config authentication-rule

edit 1

set groups "A1" "A2"

set portal "full-access"

set realm "Realm1"

next

end

end

Note.

In this scenario realms and full tunnel are used.

Related Articles

Technical Tip: Creating sslvpn with multiple realms