Fortiauth and Fotigate Specify groups

MohamedFawzi · ‎11-12-2023

Hi everyone

i need someone to see what i am doing wrong

i have a fortiauth as a radius server , and the fortigate is a radius client.

i have many groups in the fortiauth.

when i create a group in hte fortigate using remote server fortiauth , there is two opitions (any, specify)

when using any everything works fine and good, but i want to specify certain groups for the policy

when i choose specify it gives me and emtpy tab to write a group with no choices , ive written one of the groups

manualy but when i try it gives me access deny from ssl portal

can anyone help me with that ?

thanks

ebilcari · ‎11-12-2023

For this to work you have to specify the group name as a RADIUS attribute in the FAC at the user/group level. Than FGT will match only the RADIUS responses that include the same Group Name (case sensitive)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

ebilcari · ‎11-12-2023

For this to work you have to specify the group name as a RADIUS attribute in the FAC at the user/group level. Than FGT will match only the RADIUS responses that include the same Group Name (case sensitive)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

MohamedFawzi · ‎11-12-2023

Thanks ,, it worked

but is there any easier way , i mean every time i want to make a group , i need to add it manually with case-sensitive , shouldn't the fortigate pull these ?

ebilcari · ‎11-13-2023

I'm glad it worked for your setup.

These groups are communicated through RADIUS VSAs during authentication, there is no way to prepopulate these groups through RADIUS before the authentication happens. If you want a passive authentication method to use in firewall policies you can also explore FSSO and RSSO.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.