Support Forum
New Contributor

Authentication using RADIUS and LDAP


We use a RADIUS server for authenticating our SSL VPN internal users and LDAP for authenticating our SSL VPN external users.

On the firewall we only have user groups, and all the individual users then get created on the RADIUS server or in AD.

My question is: as a user tries to log in to the VPN, how does the firewall, as the endpoint passing the authentication request to the external servers, know which group a user belongs to? Or from what setting/conditions does it know whether it is an external or an internal user?





It wouldn't know unless you separate them by realms. I would just look up (or down) the policies from top to bottom: try the first policy first, then if it doesn't match, try the second. Obviously it takes a longer time for the second group. I recommend using realms instead, which would be much cleaner to me.


We don't use realms (do they work with tunnel mode?).

As we don't have realms, does it mean the firewall sends the credentials to both the RADIUS and LDAP servers concurrently?


It doesn't matter whether it's tunnel mode or not when using realms. It's just a way to jump into a particular group and portal directly.

Although I haven't tested it, I don't think it would process two separate policies at the same time, but would go one by one. You can easily test it by sniffing those auth request/reply packets.

Esteemed Contributor III

For OP


Can you set up authentication-rules?


Example (ignore my realm, but if you did use realms, that would be how you add it to the auth-rule):


config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "corpvpn"
            set portal "corpvpn"
            set realm "corpvpn"
            set client-cert enable
            set user-peer "windows-domain"
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "vpnusers1"
            set portal "full-access"
            set client-cert enable
            set user-peer "windows-domain"
        next
    end
end




As far as debugging goes, you can run diag debug application sslvpnd -1 and look at what is being matched. Keep in mind auth-rules can get complicated and the results do not always match what you expect. Ensure you run the diag and monitor the logs when troubleshooting the rules.


Ken Felix





PCNSE NSE StrongSwan
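To put the realm approach from the replies above into one complete configuration, here is an added example (not posted in this thread and not Fortinet's own documentation) that separates the two populations the original poster describes: a RADIUS-backed group for internal users and an LDAP-backed group for external users, each reached through its own realm so the FortiGate queries only the server belonging to the realm the user logged in through. Every server address, bind DN, group DN, realm name and portal name is an assumed placeholder; replace the <shared-secret> and <bind-password> tokens with your own values.

```fortios
# Added example, not from the thread. All names and addresses are assumed.

# Internal users: authenticated by RADIUS.
config user radius
    edit "rad-internal"
        set server "10.10.0.10"           # assumed RADIUS server
        set secret "<shared-secret>"     # long random shared secret
    next
end

# External users: authenticated against AD over LDAPS so neither the
# bind password nor the user's password crosses the network in clear.
config user ldap
    edit "ldap-external"
        set server "10.10.0.20"           # assumed domain controller
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,ou=Service,dc=example,dc=com"  # read-only bind account
        set password "<bind-password>"
        set secure ldaps
        set port 636
    next
end

# One firewall group per backend. The LDAP group is narrowed to a single
# AD group so that an arbitrary domain account does not get VPN access.
config user group
    edit "vpn-internal"
        set member "rad-internal"
    next
    edit "vpn-external"
        set member "ldap-external"
        config match
            edit 1
                set server-name "ldap-external"
                set group-name "CN=VPN-External,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Realms: the name is the URL path the user logs in on,
# e.g. https://<gateway>/internal and https://<gateway>/external.
config vpn ssl web realm
    edit "internal"
    next
    edit "external"
    next
end

# Each realm maps to exactly one group and portal, so the FortiGate never
# has to try a password against both backends in turn.
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "vpn-internal"
            set portal "tunnel-access"
            set realm "internal"
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "vpn-external"
            set portal "tunnel-access"
            set realm "external"
        next
    end
end
```

Without realms, the FortiGate has to work through the groups referenced by the matching policies or authentication rules until one backend accepts the credentials, which is what the "go one by one" reply above describes; besides the delay, it means a mistyped password is tried against both servers. With realms, a user who logs in under /external is only ever checked against ldap-external and the vpn-external match rule. If the RADIUS side should also be limited to a particular set of users, the same config match block works under vpn-internal, in which case the group-name is compared against the Fortinet-Group-Name vendor attribute the RADIUS server returns in its Access-Accept. To confirm which backend accepts a given account before touching the VPN, diagnose test authserver radius rad-internal pap <user> <password> and diagnose test authserver ldap ldap-external <user> <password> exercise each server directly; then diagnose debug application sslvpnd -1 together with diagnose debug enable shows which authentication-rule a real login matched, as Ken suggests above.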
