IT_TarOpo

Accessing SSID for certain groups

Hello.

I want to achieve a setup where users from a certain group (Windows AD) can only access a certain SSID.

 

At the moment I am authorizing all domain users via RADIUS (+ Windows AD), and they can all access all SSIDs.

I would like to get something like this:

Users from GroupA (AD Group) can access only SSID_A

Users from GroupB (AD Group) can access only SSID_B

 

Should I create different Network Policies on my NPS (choose GroupA/GroupB etc. there + in Vendor Specific select the attribute value as my AD GroupA), then in FortiGate Users and Groups create a RADIUS group with group GroupB, and finally in SSID_B use the GroupB policy to authorize? (Is it going to work?)

 

Found something in the docs: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/710485/restricting-radius-us...

jhussain_FTNT

 

Hi,

You can configure multiple NPS profiles with different user groups, configure each user group with a vendor-specific attribute carrying the group name, and configure the firewall user group on the FortiGate with RADIUS using the same attribute value, as per the document.

 https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/710485/restricting-radius-us...

Once you configure the user groups, you can configure the SSIDs, select "local" authentication in the SSID profile, specify the group you configured for each SSID (Group A - SSID A) / (Group B - SSID B), and apply the same groups in the policy as per the document below.

https://docs.fortinet.com/document/fortiap/6.4.0/fortiwifi-and-fortiap-cookbook/414919/wifi-with-wss...

 

Regards

Jamal
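The procedure above, written out as an added FortiOS CLI configuration example; it is not taken from the original post or from the Fortinet documentation, and the RADIUS object name, NPS address, shared secret, LAN interface name and the GroupA/GroupB strings are assumptions. The NPS side is GUI-driven, so it is summarised in comments.

```text
# --- NPS side (assumed, summarised as comments because it is configured in the GUI) ---
# One Network Policy per AD group, e.g. "WiFi-GroupA":
#   Conditions : Windows Groups = DOMAIN\GroupA   (the user must actually be a member)
#   Settings   : Vendor Specific -> Vendor-Specific -> Vendor Code 12356 (Fortinet),
#                "Yes, it conforms" -> attribute number 1 (Fortinet-Group-Name),
#                format String, value "GroupA"
# Repeat the policy for GroupB with value "GroupB".

# --- FortiGate side (FortiOS CLI) ---
config user radius
    edit "NPS-RADIUS"                    # assumed object name
        set server "10.0.0.5"            # assumed NPS address
        set secret ExampleSharedSecret   # assumed; must match the RADIUS client entry on NPS
        set auth-type ms_chap_v2
    next
end

# One firewall user group per SSID. The group-name under "config match" must be
# exactly the string NPS sends in Fortinet-Group-Name. A RADIUS group with no
# match entry admits every user NPS authenticates, which is the
# "it works, but on every SSID" symptom.
config user group
    edit "GroupA"
        set member "NPS-RADIUS"
        config match
            edit 1
                set server-name "NPS-RADIUS"
                set group-name "GroupA"
            next
        end
    next
    edit "GroupB"
        set member "NPS-RADIUS"
        config match
            edit 1
                set server-name "NPS-RADIUS"
                set group-name "GroupB"
            next
        end
    next
end

# Each SSID authenticates against its own user group
# ("local" authentication in the GUI = auth usergroup here).
config wireless-controller vap
    edit "SSID_A"
        set ssid "SSID_A"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "GroupA"
    next
    edit "SSID_B"
        set ssid "SSID_B"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "GroupB"
    next
end

# The firewall policy from each SSID interface is restricted to the same group,
# so a client that associates without the expected group still passes no traffic.
config firewall policy
    edit 0
        set name "SSID_A-to-LAN"
        set srcintf "SSID_A"
        set dstintf "internal"           # assumed LAN interface
        set srcaddr "all"
        set dstaddr "all"
        set groups "GroupA"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The part that is easy to get wrong is the pairing of the NPS VSA value with `set group-name`: the FortiGate does not look at AD at all, it only compares the Fortinet-Group-Name string it receives in the Access-Accept with the match entries of the group selected on the SSID. Leaving the match block empty, or sending a VSA value that differs from it, collapses the two SSIDs back into "any authenticated domain user".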

IT_TarOpo

Hello,

thanks for your reply.

That's exactly what I did, but unfortunately it is not working. I am just wondering: do I also have to have an AD group for those members? Or is that just NPS + Forti configuration, without touching AD and groups?

I tried to create an AD UG (group) and put a member in there,

[screenshot: GroupD.png]

then in NPS, just allow UG, and in Vendor Specific, UG,

[screenshot: GroupC.png]

 

then FortiGate -> RADIUS Group -> specify UG,

[screenshot: GroupA.png]

 

SSID authorization WiFi_UG (that's my RADIUS authorization specified to UG)

[screenshot: GroupA.png]

 

so yeah, user ug123 should have access to the UG_10 WiFi (because he is in the UG group and in NPS); it should work, but it does not, and that's why I am confused. I have an NPS policy just for domain users, and when I limit the groups in Forti just to All (no specific group) it works, but it works on every SSID, and I would like to limit users -> groups.

IT_TarOpo

BUMP, anyone?

jhussain_FTNT

Hi,

The user ug123 should be in AD under the group UG, not just added by group name in the NPS profile.

 

If it is still not working, kindly run the debug below and test with client connectivity.

 

diag debug application fnbamd -1

diag debug enable

 

Regards

Jamal
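An added verification sequence around the debug above, as an example that is not part of the original reply; the RADIUS object name NPS-RADIUS, the user ug123's password and the mschap2 scheme are assumptions and must match your own configuration and NPS policy.

```text
# 1. Test the RADIUS exchange from the FortiGate without a wireless client in the loop.
#    Scheme must match what the NPS policy allows (pap, chap, mschap or mschap2).
#    A success that lists no group membership means NPS authenticated the user but
#    did not send Fortinet-Group-Name: check the Windows Groups condition and the VSA.
diagnose test authserver radius NPS-RADIUS mschap2 ug123 ExamplePassword

# 2. If step 1 returns the expected group but the SSID still rejects the user, trace
#    fnbamd while the client associates. fnbamd is the daemon that performs the RADIUS
#    request and matches the returned attributes against the user group.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
#    ... connect the wireless client now and reproduce the failure ...
diagnose debug disable
diagnose debug reset
```

Always finish with `diagnose debug disable` and `diagnose debug reset`; debug output at level -1 stays on until you switch it off and is noisy enough to hide other console messages.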
