Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MohamedFawzi
New Contributor II

Created on ‎11-12-2023 08:50 AM

Fortiauth and Fotigate Specify groups

Hi everyone

i need someone to see what i am doing wrong

i have a fortiauth as a radius server , and the fortigate is a radius client.

i have many groups in the fortiauth.

when i create a group in hte fortigate using remote server fortiauth , there is two opitions (any, specify)

when using any everything works fine and good, but i want to specify certain groups for the policy

when i choose specify it gives me and emtpy tab to write a group with no choices , ive written one of the groups

manualy but when i try it gives me access deny from ssl portal

can anyone help me with that ?

thanks image.png

730
0 Kudos
1 Solution
ebilcari
Staff
Staff

Created on ‎11-12-2023 08:56 AM

For this to work you have to specify the group name as a RADIUS attribute in the FAC at the user/group level. Than FGT will match only the RADIUS responses that include the same Group Name (case sensitive)

group.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

720
3 REPLIES 3
ebilcari
Staff
Staff

Created on ‎11-12-2023 08:56 AM

For this to work you have to specify the group name as a RADIUS attribute in the FAC at the user/group level. Than FGT will match only the RADIUS responses that include the same Group Name (case sensitive)

group.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
721
MohamedFawzi
New Contributor II
In response to ebilcari

Created on ‎11-12-2023 09:06 AM

Thanks ,, it worked

but is there any easier way , i mean every time i want to make a group , i need to add it manually with case-sensitive , shouldn't the fortigate pull these ?

716
0 Kudos
ebilcari
Staff
Staff
In response to MohamedFawzi

Created on ‎11-13-2023 12:45 AM

I'm glad it worked for your setup.

These groups are communicated through RADIUS VSAs during authentication, there is no way to prepopulate these groups through RADIUS before the authentication happens. If you want a passive authentication method to use in firewall policies you can also explore FSSO and RSSO

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
687
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.