Hello.
I want to achieve a case where users from a certain group (Windows AD) can only access a certain SSID.
At the moment I am authorizing all domain users via RADIUS (+Windows AD) and they all can access all SSIDs.
I would like to get something like this,
Users from GroupA (AD Group) can access only SSID_A
Users from GroupB (AD Group) can access only SSID_B
Should I create on my NPS different Network Policies (and choose there GroupA/GroupB etc + in vendor specific select Attribute value as my AD GroupA) and then in Fortigate Users and Groups create Radius with group GroupB and finally in SSID_B use GroupB policy to authorize? (is it going to work?)
Found something in the docs: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/710485/restricting-radius-us...
Hi,
You can configure multiple NPS profiles with different user groups, configure each user group with the vendor attribute carrying the group name, and configure the firewall user group on the FortiGate with RADIUS using the same attribute value as per the document.
Once you configure the user group, you can configure the SSID, select authentication in the SSID profile with local, and specify the group which you configured for each SSID (Group A - SSID A) / (Group B - SSID B), and apply the same in the policy as per the below document.
Regards
Jamal
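The FortiGate side of the setup described above, written out as an added example (not from the thread or from Fortinet's documentation). It assumes an NPS server at 10.0.0.5 and the group names GroupA/GroupB; on the NPS side, each network policy must match the corresponding AD group under its conditions and send the Vendor-Specific attribute for vendor code 12356 (Fortinet), attribute 1 (Fortinet-Group-Name), as a string holding that group name.

```fortios
# Assumed values (not from the thread): server 10.0.0.5, shared secret, group names.
# NPS policy settings, per policy: Vendor-Specific attribute, vendor code 12356,
# attribute number 1 (Fortinet-Group-Name), format String, value "GroupA" in the
# GroupA policy and "GroupB" in the GroupB policy; condition: Windows Groups = that AD group.
config user radius
    edit "NPS-AD"
        set server "10.0.0.5"
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
end
# One FortiGate user group per SSID. The match table accepts a user only when the
# Access-Accept from "NPS-AD" carries Fortinet-Group-Name equal to group-name.
config user group
    edit "RADIUS_GroupA"
        set member "NPS-AD"
        config match
            edit 1
                set server-name "NPS-AD"
                set group-name "GroupA"
            next
        end
    next
    edit "RADIUS_GroupB"
        set member "NPS-AD"
        config match
            edit 1
                set server-name "NPS-AD"
                set group-name "GroupB"
            next
        end
    next
end
# Each SSID authenticates against its own user group, not against the RADIUS server directly.
config wireless-controller vap
    edit "SSID_A"
        set ssid "SSID_A"
        set security wpa2-enterprise
        set auth usergroup
        set usergroup "RADIUS_GroupA"
    next
    edit "SSID_B"
        set ssid "SSID_B"
        set security wpa2-enterprise
        set auth usergroup
        set usergroup "RADIUS_GroupB"
    next
end
```

If an SSID uses `set auth radius` instead of `set auth usergroup`, the group-name match is never evaluated and any Access-Accept is enough to join, which is the "works on every SSID" behaviour the question describes.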
Created on 03-31-2023 07:04 AM Edited on 03-31-2023 07:25 AM
Hello,
thanks for your reply.
That's exactly what I did, but unfortunately it is not working. I am just wondering, do I have to have also an AD group for those members? Or is that just NPS+Forti configuration, without touching AD and groups?
I tried to do AD UG (group), put a member there,
then in NPS, just allow UG, and in vendor specified UG,
then Fortigate -> Radius Group -> Specify UG,
SSID authorization WiFi_UG (that's my RADIUS authorization specified to UG),
so yeah, user ug123 should have access to UG_10 WiFi (because he is in the UG group and NPS), it should work but it does not, that's why I am confused. I have an NPS policy just for domain users, and when I limit the groups in Forti just to All (no specific group) it works, but it works in every SSID, and I would like to limit users->groups.
BUMP, anyone?
Hi,
The user ug123 should be in the AD under group UG, not just adding the group name in the NPS profile.
If still not working, kindly run the below debug logs and test with client connectivity.
diag debug application fnbamd -1
diag debug enable
Regards
Jamal