Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IT_TarOpo
New Contributor

Created on ‎03-29-2023 09:52 AM Edited on ‎03-29-2023 12:22 PM

Accessing SSID for certain groups

Hello.

I want to achieve a case, where users from certain group (Windows AD) can only access certain SSID.

 

At the moment I am authorizing all domain-users via Radius (+Windows AD) and they all can access all SSID.

I would like to get something like this,

Users from GroupA (AD Group) can access only SSID_A

Users from GroupB (AD Group) can access only SSID_B

 

Should I create on my NPS different Network Policies (and choose there GroupA/GroupB etc + in vendor specific select Attribute value as my AD GroupA) and then in Fortigate Users and Groups create Radius with group GroupB and finally in SSID_B use GroupB policy to authorize? (is it going to work?)

 

Found somethin in docs, https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/710485/restricting-radius-us...

Labels:
1391
0 Kudos
4 REPLIES 4
jhussain_FTNT
Staff
Staff

Created on ‎03-31-2023 05:09 AM

 

Hi,

You can configure multiple NPS profile with different user group and configure the user group with vendor attribute with group Name and configure the Firewall user group on Fortigate with  radius with same attribute value  as per the document.

 https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/710485/restricting-radius-us...

Once you configure the user group , you can  configure the SSID and select authentication in the SSID profile with local and specify the group which you configured for each SSID (Group A -SSID A)/(Group b-SSID B)and apply the same in the policy as per the below document.

https://docs.fortinet.com/document/fortiap/6.4.0/fortiwifi-and-fortiap-cookbook/414919/wifi-with-wss...

 

Regards

Jamal

1361
0 Kudos
IT_TarOpo
New Contributor
In response to jhussain_FTNT

Created on ‎03-31-2023 07:04 AM Edited on ‎03-31-2023 07:25 AM

Hello,

thanks for you reply.

That's exactly what I did, but unfortunately - it is not working. I am just wondering - do I have to have also AD-Group for those members? Or thats just NPS+Forti configuration, without touching AD and Groups?

I tried to do AD UG (group), put a member there,

GroupD.png

then in NPS, just allow UG, and in vendor specified UG,

GroupC.png

 

then Fortigate -> Radius Group -> Specify UG,

GroupA.png

 

SSID authorization WiFi_UG (thats my Radius authorization specified to UG)

GroupA.png

 

so yeah user ug123 should have access to UG_10 WiFi (because he is in UG group and NPS, it should work but it does not, that's why I am confused. I have a NPS policy just for domain users, and when I limit in Groups in Forti just to All (no specify group) it works, but it works in every SSID, and I would like to limit users->groups.

1356
0 Kudos
IT_TarOpo
New Contributor

Created on ‎04-04-2023 08:36 AM

BUMP, anyone?

1318
0 Kudos
jhussain_FTNT
Staff
Staff
In response to IT_TarOpo

Created on ‎04-05-2023 04:16 AM

Hi,

The user ug123 should be in the AD under group UG , not just adding the group name in the NPS profile.

 

If still not working ,kindly run the below debug logs and test with client connectivity.

 

diag debug application fnbamd -1

diag debug enable

 

Regards

Jamal

1299
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.