Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
45-JTP
New Contributor

Client SSLVPN Pool

Hello gentlemen,

I need your help. I configured a SSLVPN as described in this article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-specific-SSL-VPN-address-...

It's set up with individual SSL-VPN portals, where each has its own Source IP Pool.
SSL-VPN Settings are configured so that each user/group has its own portal.

SSL-VPN clients can connect, but they are not getting an IP address from the correct IP pool.
I have checked similar setups on other firewalls, and I am unable to spot the issue.

Any idea what I am missing?


45-JTP
New Contributor

Hi Linoytu
Thank you for the reply.
I have these 3 pools, but clients only get an IP from the first one, named "Clients_VPNs".
For the new setup, I want clients to get an IP from "HOOP_VPN_Pool".


SSLVPN-Pools.jpg

hbac

Hi @45-JTP,


Do you have multiple SSLVPN portals for each IP pool? Are user groups mapped to the correct portals? 


Regards,

45-JTP
New Contributor

Hi hbac

Yes, there is a portal for each of the pools.

Portal.jpg


And groups are mapped to the Portal:

Groups.jpg

Debbie_FTNT

Hey 45-JTP,

thanks for the screenshots!

Just to be sure - did you actually set the ranges in each individual portal?

Also - if your users match into a different group (like VPN_Alarm, instead of Vpn_HOOP), then a different portal would be applied than what you might intend, especially if your users are members of multiple groups that have VPN portals assigned.

You can find what group a user authenticated with (and thus which portal was assigned) in Event Logs > VPN; search for the user and find the tunnel setup success log. That should give you a group as well.


Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
45-JTP

Hi Debbie
The portal for the "Hoop" clients looks like this:
Portal.jpg


But I figured it out...
This VPN_MFA_Radius group was configured for the RADIUS server, but "Group Name" was empty. It seems it overruled the rest, allowing clients to log in but giving them all an IP from the same pool.
After entering the NPS policy in "Group Name", as in the picture below, it works.
GroupError.jpg


The Hoop clients get an IP from 10.40.41.x

CorrectPool.jpg


And when moving my test account, to another AD group, IP is also matching
CorrectPool-2.jpg

Thank you @Debbie_FTNT, @hbac & @Brunn3r for the support =0)
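The configuration below is an added example, not something posted in this thread, written in FortiOS 7.x CLI syntax to show the two points raised above side by side: Debbie's reminder that each portal needs its own IP pool set and that a user who lands in a different group gets a different portal, and 45-JTP's finding that a RADIUS-backed group with an empty "Group Name" swallows every user. The pool, group and NPS names come from the thread; the portal names, the RADIUS server address and shared secret, the IP ranges and the NPS policy name are assumptions and are marked as such in the comments.

```fortios
# Address objects used as SSL-VPN client pools (pool names from the thread).
config firewall address
    edit "Clients_VPNs"
        set type iprange
        set start-ip 10.40.40.1          # assumed range
        set end-ip 10.40.40.200
    next
    edit "HOOP_VPN_Pool"
        set type iprange
        set start-ip 10.40.41.1          # thread reports HOOP clients on 10.40.41.x
        set end-ip 10.40.41.200
    next
end

# One tunnel-mode portal per pool. The IP range must be set inside each
# portal; a portal without its own ip-pools falls back to the global setting.
config vpn ssl web portal
    edit "Clients_Portal"                # assumed name
        set tunnel-mode enable
        set ip-pools "Clients_VPNs"
    next
    edit "HOOP_Portal"                   # assumed name
        set tunnel-mode enable
        set ip-pools "HOOP_VPN_Pool"
    next
end

# RADIUS server object pointing at NPS (address and secret are assumed).
config user radius
    edit "NPS_Radius"                    # assumed name
        set server "192.0.2.10"
        set secret ExampleSharedSecret
    next
end

# WEAK: a remote-server group with no match entry. Any user that NPS accepts
# is a member of this group, so it matches for every VPN user and whichever
# portal it is mapped to (and that portal's pool) wins for all of them.
config user group
    edit "VPN_MFA_Radius"
        set member "NPS_Radius"
    next
end

# CORRECTED: the same group restricted to one NPS policy. For RADIUS the
# group-name is compared against the Fortinet-Group-Name attribute that the
# server returns, so the matching NPS network policy must send that value.
config user group
    edit "VPN_MFA_Radius"
        set member "NPS_Radius"
        config match
            edit 1
                set server-name "NPS_Radius"
                set group-name "VPN-HOOP-Policy"    # assumed NPS policy name
            next
        end
    next
end

# Group-to-portal mapping. Rules are evaluated top down and the first group
# the user belongs to decides the portal, so a user who is in both Vpn_HOOP
# and VPN_Alarm gets the portal of whichever rule comes first.
config vpn ssl settings
    set default-portal "Clients_Portal"  # assumed catch-all for unmatched users
    config authentication-rule
        edit 1
            set groups "VPN_MFA_Radius"
            set portal "HOOP_Portal"
        next
        edit 2
            set groups "VPN_Alarm"
            set portal "Clients_Portal"
        next
    end
end
```

To confirm which rule actually fired, connect a test user and run `get vpn ssl monitor` on the FortiGate; the login list shows the user, the group it matched and the assigned client IP, which is the CLI counterpart of the Event Logs > VPN tunnel-up entry Debbie points to. If the group column shows the broad RADIUS group rather than the one you intended, the match entry (or the attribute NPS returns) is what to fix, not the portal.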

Brunn3r
New Contributor III

What about this setting within the Portal:


tunnelmode.png
