Authentication: inability to distinguish groups on RADIUS server.
We are using RADIUS authentication with 2 different user groups set on the server. Firewall groups configured on the FortiGate side are set to use the very same RADIUS server but different groups on that server. Fortinet RADIUS VSAs are imported to IAS, so when responding to an authentication request for a user, the RADIUS server correctly specifies the group name the user belongs to.
The problem is that while authenticating a user, the firewall disregards the group name reported by the RADIUS server back to the firewall and only looks for whether it was "successful" or "failed". As a result, users are successfully authenticated regardless of any group they are a member of on the firewall if those groups are set to use the very same RADIUS server (as long as they provide correct logon credentials, of course).
Firewall - FG-310B, FortiOS 4.3.3
RADIUS - IAS on Windows 2003 R2 Server.
Both RADIUS groups are configured to support WiFi networking:
The first one for CAPTIVE Portal Authentication.
The second one for WPA2-Enterprise.
Is there any way to configure firewall to accept or reject user connections depending on RADIUS groups membership?
Thank you for any help.
I have spent some time on this issue and as a result I have noticed exactly the same behaviour as you described here (fgt 310b, win 2008 nps). I simply was not able to force the FortiGate somehow to deal with the RADIUS attributes (VSA and others like Class, etc.) and to distinguish 2 groups of wireless users and apply a different set of firewall policies...
Did you finally succeed in this? I would still like to set this function up but I don't have a clue how to continue or what else to check and so... :(
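Both posts describe the same gap: the firewall treats an Access-Accept as sufficient and never looks at the Fortinet-Group-Name VSA in the reply. The following is an added example (not code from this thread, from Fortinet, or from IAS/NPS) showing what the missing authorization step looks like on the wire: parse the RADIUS response, pull out the Fortinet-Group-Name VSA (Fortinet vendor ID 12356, sub-type 1, as in Fortinet's RADIUS dictionary), and allow access only when both the code is Access-Accept and the returned group matches the firewall group. The test packets are constructed inline; the Response Authenticator is zeroed and not verified here.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name VSA sub-type

def parse_attributes(payload):
    """Yield (type, value) pairs from the attribute region of a RADIUS packet."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed RADIUS attribute length")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def fortinet_group_names(packet):
    """Return (code, [group names]) carried in a RADIUS response packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than fixed header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    names = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]          # vendor sub-type / sub-length
        if vendor_id == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME and vlen >= 2:
            names.append(value[6:4 + vlen].decode("utf-8", "replace"))
    return code, names

def authorize(packet, allowed_group):
    """Allow only if the server accepted AND the returned group is the firewall group."""
    code, names = fortinet_group_names(packet)
    return code == ACCESS_ACCEPT and allowed_group in names

def build_response(code, group_names):
    """Constructed RADIUS response for testing; Authenticator is zeroed (not verified)."""
    attrs = b""
    for name in group_names:
        raw = name.encode()
        vsa = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(raw)) + raw
        attrs += struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs
```

A user in the CAPTIVE-portal group therefore gets an Access-Accept but is still refused by the WPA2-Enterprise firewall group, which is the behaviour the thread is asking for.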