horinius
New Contributor

Is it impossible to have two Radius user groups with only one Radius server?

I already have a working SSL VPN for my users who are authenticated via Radius server in an Active Directory.

 

I want to create another user group so that they have a different access permission, something like this:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-sslvpn-54/SSLVPN_Examples_54/Multi_G...

 

When I revise Radius settings in my FortiGate 80c, it seems to me that there is no way to have two groups using a single Radius server. Am I correct? Besides making a second Radius server, what other option do I have?

Toshi_Esumi
Esteemed Contributor III

The same user can belong to different groups. A radius server should be the same. The problem is how to get bound to a specific group (authentication rule) when a user tries to connect over SSL VPN. It would always use the first one, I believe. I'm not sure if it would try the next auth rule when the first one is denied by the radius. You can try though.

But an option to avoid that situation is to use realms like below:

https://docs.fortinet.com...72/ssl-vpn-multi-realm

horinius
New Contributor

I didn't talk about having the same user in two different groups!  What are you talking about?

Toshi_Esumi
Esteemed Contributor III

To have group users authenticated by a RADIUS server, you need to create a "group" [config user group] with the server created under [config user radius] as a member in the FGT. If you want to get two different user group member clients authenticated by the same server, you have to create two "group"s and put the same server as a member of both "group"s.

emnoc
Esteemed Contributor III

I agree, and one other option if you want to control different access is to use realms. This goes a long way with dividing and controlling user access.

 

e.g

http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
