Hello gentlemen,
I need your help. I configured a SSLVPN as described in this article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-specific-SSL-VPN-address-...
It's setup with individual SSL-VPN portals, where each has it's own Source IP Pools.
SSL-VPN Settings are configured, so each User/Groups has it's own Portal.
SSLVPN client can connect, but they are not getting an IP address from the correct IP Pool.
I have check similar setups on other firewalls, and I am unable to spot the issue.
Any idea what I am missing?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey 45-JTP,
thanks for the screenshots!
Just to be sure - did you actually set the ranges in each individual portal?
Also - if your users match into a different group (like VPN_Alarm, instead of Vpn_HOOP), then a different portal would be applied than what you might intend, especially if your users are members of multiple groups that have VPN portals assigned.
You can find what group a user authenticated with (and thus which portal was assigned) in Event Logs > VPN; search for the user and find the tunnel setup success log, that should give you a group as well.
Cheers,
Debbie
Hi Linoytu
Thank you for the reply.
I have these 3 pools, but clients only get an IP from the first one name: "Clients_VPNs".
For the new setup, I want clients to get an IP from "HOOP_VPN_Pool".
Hi @45-JTP,
Do you have multiple SSLVPN portals for each IP pool? Are user groups mapped to the correct portals?
Regards,
Hi hbac
Yes, there is a portal for each of the pools.
And groups are mapped to the Portal:
Hey 45-JTP,
thanks for the screenshots!
Just to be sure - did you actually set the ranges in each individual portal?
Also - if your users match into a different group (like VPN_Alarm, instead of Vpn_HOOP), then a different portal would be applied than what you might intend, especially if your users are members of multiple groups that have VPN portals assigned.
You can find what group a user authenticated with (and thus which portal was assigned) in Event Logs > VPN; search for the user and find the tunnel setup success log, that should give you a group as well.
Cheers,
Debbie
Hi Debbie
Portal for the "Hoop" clients look like thisPreview
But I figured it out...
This VPN_MFA_Radius-group was configured for the Radius, but "Group Name" was empty. Seems it overruled the rest, allowing clients to login, but giving them all an IP from the same pool.
After entering the NPS policy in the "Group Name" as in the picture below, it works.
The Hoop clients get an IP from 10.40.41.x
And when moving my test account, to another AD group, IP is also matching
Thank you @Debbie_FTNT, @hbac & @Brunn3r for the support =0)
What about this setting within the Portal:
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.