Support Forum
Steve_A
New Contributor

SSL VPN - RADIUS AUTH with LDAP USER GROUPS

Hello Guys,

 

I am a bit stuck on something I want to achieve, but not sure how to complete the required.

Please see the below low down:-

Successfully created a RADIUS and LDAP server, with a successful query.

I have created two SSL VPN Portals

  • Split Tunnel
  • Full Tunnel

From each of the portals I want the following to happen:-

  • Both Portals will use RADIUS Auth (this is key)
  • Split Tunnel Portal would use RADIUS AUTH
      • LDAP QUERY would look into AD and a user's group Split_Tunnel would in fact get Split Tunnel
  • Full Tunnel Portal would use RADIUS AUTH
      • LDAP Query would look into AD and a user group Full_tunnel would route all traffic down the tunnel

Is it possible, for a RADIUS Auth user, to get the relevant SSL VPN Portal config, based on their LDAP query?

I have achieved the above previously with Juniper/Pulse, but this is my first time trying with the Fortigate. Running latest version 7.0.1 (as 7.0 broke LDAP queries from the GUI and I was getting ldap-3) :)

Any help much appreciated!

2 REPLIES

yigiton
New Contributor II

Hi

Your RADIUS server checks LDAP for authentication and returns the relevant group information.


    Debbie_FTNT
    Staff

Hey Steve,
FortiGate would NOT perform an LDAP query after RADIUS auth.
It would allow getting group information from the RADIUS reply itself and matching local user groups on FortiGate based on the RADIUS attributes. The SSLVPN portal (and split-tunneling) would be selected based on group information in the RADIUS reply.
You might want to check this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-Remote-server-group-match-o...
essentially:
- ensure your RADIUS server response includes the Fortinet-Group-Name attribute
  -> depending on the RADIUS server, you can ensure that it includes the Fortinet-Group-Name based on LDAP group lookup (something roughly like this can be done on FortiAuthenticator, for example)
- match into groups on FortiGate based on this attribute
- match SSLVPN portal based on the group
Fortinet RADIUS dictionary:
https://community.fortinet.com/t5/FortiDDoS/Technical-Tip-Fortinet-RADIUS-attribute/ta-p/194896
I hope that helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
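As an added example (not posted in this thread and not Fortinet's own documentation), here is the FortiGate CLI shape of the flow described in the reply above: the RADIUS server does the AD group lookup and returns Fortinet-Group-Name, the FortiGate matches that attribute into a local group, and the authentication rule picks the portal. It assumes a RADIUS server object named RADIUS-SRV, two existing portals named split-portal and full-portal, a restrictive portal named no-access as the default, and that the server sends the group names Split_Tunnel and Full_Tunnel exactly as spelled here.

```fortios
# Added example. Assumed names: RADIUS-SRV, split-portal, full-portal, no-access.
# The FortiGate never queries LDAP here; the group comes from the Access-Accept.
config user radius
    edit "RADIUS-SRV"
        set server "192.0.2.10"          # constructed address, replace with yours
        set secret "REPLACE-WITH-SHARED-SECRET"
    next
end
# One FortiGate group per portal. "config match" ties membership to the
# Fortinet-Group-Name value the RADIUS server returns (string match, so the
# case and spelling must equal what the server actually sends).
config user group
    edit "Split_Tunnel"
        set member "RADIUS-SRV"
        config match
            edit 1
                set server-name "RADIUS-SRV"
                set group-name "Split_Tunnel"
            next
        end
    next
    edit "Full_Tunnel"
        set member "RADIUS-SRV"
        config match
            edit 1
                set server-name "RADIUS-SRV"
                set group-name "Full_Tunnel"
            next
        end
    next
end
# Map each group to its portal. A user whose reply carries neither group
# name falls through to default-portal, so point that at a portal with
# no tunnel access rather than at the full-tunnel one.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Split_Tunnel"
            set portal "split-portal"
        next
        edit 2
            set groups "Full_Tunnel"
            set portal "full-portal"
        next
    end
    set default-portal "no-access"
end
```

To verify the mapping end to end, test a user from each AD group and confirm in the SSL VPN event logs that the expected group and portal are recorded for the session; if the group match fails, the first thing to check is that the RADIUS reply really carries the Fortinet-Group-Name VSA rather than a plain Filter-Id.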