Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BleBla
New Contributor

Fortiauthenticator groups of vpn users and fortitoken timeout

Hello,

I have a problem with groups on fortiauthenticator for remote vpn users with fortitoken mobile.

 

On Fortiauthenticator I set "Remote User Sync Rule" for sync with remote LDAP group. Users have automaticaly assigned Fortitoken mobile and add them to the user group.
FAC is set as radius server in Fortigate. On Fortigate is set user group for authentication vpn users through FAC. If I don't specify group from FAC it works without problem.

But if I want to use group from FAC, it don't work. User enter his name and password for access to vpn, FAC send to him fortitoken push notification, he approve it and it finished with error fortitoken timeout.

On picture is what I mean.

 

FAC_groups.png

 

I need set different policy for groups of vpn users.

I don't know if it is fault in my setup or anything else.

Can somebody help me, please?

Thank you
BleBla

1 Solution
Debbie_FTNT
Staff
Staff

Hi @BleBla,

If you set the group in FortiGate to match the name "vpn_users_fortiauthenticator", then FortiGate expects FortiAuthenticator to send along a RADIUS attribute with this information upon successful user login.

Please try the following:
- edit the group in FortiAuthenticator
- at the bottom, add a RADIUS attribute
- select Fortinet as vendor, then 'Fortinet-Group-Name'
- as value, set your vpn_users_fortiauthenticator name, and save this

 

After this, in the FortiAuthenticator RADIUS policy, enable group filter in the realm selection, and set the vpn_users_fortiauthenticator group, and set the matching filter on FortiGate.
FortiAuthenticator should send along the Fortinet-Group-Name attribute for the FortiGate to match the group successfully.

Hope this helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

3 REPLIES 3
Debbie_FTNT
Staff
Staff

Hi @BleBla,

If you set the group in FortiGate to match the name "vpn_users_fortiauthenticator", then FortiGate expects FortiAuthenticator to send along a RADIUS attribute with this information upon successful user login.

Please try the following:
- edit the group in FortiAuthenticator
- at the bottom, add a RADIUS attribute
- select Fortinet as vendor, then 'Fortinet-Group-Name'
- as value, set your vpn_users_fortiauthenticator name, and save this

 

After this, in the FortiAuthenticator RADIUS policy, enable group filter in the realm selection, and set the vpn_users_fortiauthenticator group, and set the matching filter on FortiGate.
FortiAuthenticator should send along the Fortinet-Group-Name attribute for the FortiGate to match the group successfully.

Hope this helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
BleBla

Thank you Debbie, it works.

 

Have a nice day

BleBla

Debbie_FTNT

Thanks for the feedback, BleBla,

always happy to help :).

 

Cheers!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors