We are using a FortiGate appliance as VPN gateway, which relies on a FortiAuthenticator to store account information. The accounts are created and stored on the FortiAuthenticator, not on any other LDAP or AD thing.
FortiOS 7.0.13 + FortiAuthenticator 6.5.1.
Now we need to create a temporary VPN account for a specific user to do some specific operations, for a period of time only. Since this is a very specific use case scenario, we hope to restrict it so that this temp VPN account can only connect from pre-defined Internet client IP addresses 10.0.0.1, like an IP whitelist.
We did find some IP restriction features:
But they seem to be global restriction that apply to all VPN user accounts.
Can we apply this IP 192.168.0.1 restriction to specific VPN accounts only? i.e., other VPN accounts can still connect from any IP address.
You can restrict at the firewall policy level, without changing anything in your VPN configuration, by adding this VPN group and the IP whitelist group as source address in a dedicated policy.
This way, if the related users connect to the VPN from an allowed IP they can access the allowed resources, while if they try to connect from non-whitelisted IPs they can connect but can't access the resources.
Hi @timbu,
You are right. It is a global setting. If you want to create a whitelist, you need to specify all client IP addresses in that list.
Regards,
Hello @timbu ,
I think you can use RADIUS attributes for this request. In a FortiAuthenticator RADIUS policy, you can configure "Framed-IP-Address" or "Calling-Station-Id" in the RADIUS Attribute Criteria tab. These attributes are sent from the FortiGate to the FortiAuthenticator with your client's public IP address. If the user group and IP address do not match in the RADIUS policy, your temp client can't connect to SSL-VPN. Other clients can still connect, because their RADIUS policy will be different.
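To make the mechanism in this reply concrete, here is a constructed Python simulation of the RADIUS exchange. It is an added example, not FortiGate or FortiAuthenticator code. It builds an Access-Request the way a NAS would (User-Name, a PAP-hidden User-Password per RFC 2865, and Calling-Station-Id carrying the client's source IP, which the reply above says the FortiGate supplies), then a server side that authenticates and applies a per-account allowlist on Calling-Station-Id: an account with an allowlist is rejected from any other IP, an account without one is accepted from anywhere, so the check is per account rather than global. The account names, passwords, shared secret and IP addresses are all made up for the example.

```python
"""Simulated RADIUS Access-Request/Accept/Reject with a per-account
Calling-Station-Id allowlist. Constructed example; not vendor code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31   # RFC 2865 attribute types

SHARED_SECRET = b"example-shared-secret"   # assumed value, shared by NAS and server

# Assumed account store. allowed_src None means "any source IP" (the normal accounts);
# a set means the account may only authenticate from those Calling-Station-Id values.
ACCOUNTS = {
    "temp-contractor": {"password": "T3mp!pass", "allowed_src": {"203.0.113.10"}},
    "alice":           {"password": "Correct-Horse", "allowed_src": None},
}


def _pap_encrypt(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: chained MD5(secret+prev) XOR."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def _pap_decrypt(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of _pap_encrypt; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length(incl. header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_access_request(username, password, client_ip, ident=1, authenticator=None):
    """NAS side: Calling-Station-Id is set to the connecting client's source IP."""
    auth = authenticator or os.urandom(16)          # Request Authenticator
    body = _attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, _pap_encrypt(password.encode(), auth, SHARED_SECRET)),
        (CALLING_STATION_ID, client_ip.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr_type: value}); length-checked."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    auth, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, auth, attrs


def _response(code, ident, req_auth, secret):
    """Accept/Reject with no attributes; Response Authenticator per RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()


def evaluate_request(pkt, accounts=ACCOUNTS, secret=SHARED_SECRET):
    """Server side: verify the password, then the per-account Calling-Station-Id rule."""
    code, ident, auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    acct = accounts.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    pw_ok = acct is not None and \
        _pap_decrypt(attrs.get(USER_PASSWORD, b""), auth, secret) == acct["password"].encode()
    src = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    accepted = pw_ok and (acct["allowed_src"] is None or src in acct["allowed_src"])
    decision = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return decision, _response(decision, ident, auth, secret)


def verify_response(resp, req_auth, secret=SHARED_SECRET):
    """NAS side: check the Response Authenticator before trusting the verdict."""
    head, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    return hashlib.md5(head + req_auth + body + secret).digest() == resp_auth


def demo():
    """Four constructed logins; returns {scenario: 'Accept'|'Reject'}."""
    results = {}
    for name, user, pw, ip in [
        ("temp-from-allowed", "temp-contractor", "T3mp!pass", "203.0.113.10"),
        ("temp-from-other",   "temp-contractor", "T3mp!pass", "198.51.100.7"),
        ("regular-any-ip",    "alice",           "Correct-Horse", "198.51.100.7"),
        ("bad-password",      "alice",           "wrong", "198.51.100.7"),
    ]:
        req = build_access_request(user, pw, ip)
        decision, resp = evaluate_request(req)
        assert verify_response(resp, req[4:20])
        results[name] = "Accept" if decision == ACCESS_ACCEPT else "Reject"
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:20s} {verdict}")
```

Running it gives Accept for the temporary account only from its listed IP, Reject from any other IP, and Accept for the regular account from anywhere, which is the per-account behaviour the reply describes. In a real deployment the allowlist lives in the FortiAuthenticator RADIUS policy rather than a dict, and the decision depends on the NAS actually populating Calling-Station-Id with the client's source address, so confirm that in a RADIUS debug before relying on it.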
Copyright 2024 Fortinet, Inc. All Rights Reserved.