Autoconnect IPSEC Entra AD
Hi
We are trying to set up the following: autoconnect to IPsec VPN using Entra ID logon session information.
We have the client configured in EMS and are able to connect to the IPsec VPN, but how can you then control which logged-in users have access via firewall policies? I was thinking about using user groups on firewall policies, but this just doesn't seem to work. Does anyone have any experience of restricting the FW policies based on which users are in which groups in Entra?
Many Thanks
Labels: FortiClient, FortiClient EMS, FortiGate
OK, so just an update to this for other people who want to get this working:
1. Your Fortigate needs to be running at least 7.2.10 as there was a bug in earlier versions.
2. You need to remove the config option "set authusrgrp msgraph" on the ipsec phase1-interface
3. You then need to create groups for each user group that you want to apply to firewall policies
config user group
    edit "group1"
        set member "msgraph"
        config match
            edit 1
                set server-name "msgraph"
                set group-name "363a72ce-d2c7-4758-9d25-5485789e4043"
            next
        end
    next
    edit "group2"
        set member "msgraph"
        config match
            edit 1
                set server-name "msgraph"
                set group-name "38f658d9-c3c2-4a8c-b4d0-d809d42fc31e"
            next
        end
    next
end
4. Then just apply the groups to the relevant FW policies.
Hope this helps :)
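Step 4 above is left as "apply the groups to the relevant FW policies". The following is an added illustration of what that looks like in FortiOS CLI; it is not part of the original post. The interface names (the IPsec tunnel interface "entra-ipsec" and LAN port "port1"), the address objects ("vpn-client-pool", "finance-servers", "it-jumphosts") and the policy names are assumptions for the example; the group names "group1" and "group2" are the ones defined in the step 3 config, and the `group-name` values they match on are Entra group Object IDs (GUIDs), not display names. Because FortiGate ends every policy list with an implicit deny, a tunnel user who is in neither Entra group matches no policy and gets nothing, which is the least-privilege outcome you want from this setup.

```text
config firewall policy
    edit 0
        set name "vpn-group1-to-finance"
        set srcintf "entra-ipsec"
        set dstintf "port1"
        set srcaddr "vpn-client-pool"
        set dstaddr "finance-servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB"
        set groups "group1"
        set logtraffic all
        set nat disable
    next
    edit 0
        set name "vpn-group2-to-jumphosts"
        set srcintf "entra-ipsec"
        set dstintf "port1"
        set srcaddr "vpn-client-pool"
        set dstaddr "it-jumphosts"
        set action accept
        set schedule "always"
        set service "RDP" "SSH"
        set groups "group2"
        set logtraffic all
        set nat disable
    next
end
```

To confirm a connected user actually landed in the expected group before troubleshooting the policy itself, `diagnose firewall auth list` on the FortiGate shows the authenticated users on the tunnel together with the user groups the firewall resolved for them; if the group is missing there, the problem is in the msgraph matching (group ID, or the `authusrgrp` setting from step 2) rather than in the policy.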
You can make multiple User Groups in the Firewall, but when selecting the SAML server you have the option to specify a group ID that will correlate with a group ID in Azure. This is how you can match different Entra ID groups to different Firewall Groups.
See: https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/584456/co...
Thanks, but that is using SAML with SSL-VPN. We are using always-on IPsec with Entra.
Following this link to do the authentication is what we are using, but it's just not playing ball.
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/33053
Seeing constant certificate warnings when trying to pass user traffic through the firewall policies.
I have attached a screenshot of what I am referring to (group name is the group ID in Entra ID). This is on the Firewall Group itself.
I don't think the document you shared is applicable for our situation (we are VPN, that document is for on-prem).
Sorry, it didn't attach >_<