Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BleBla
New Contributor

Fortiauthenticator groups of vpn users and fortitoken timeout

Hello,

I have a problem with groups on fortiauthenticator for remote vpn users with fortitoken mobile.


On FortiAuthenticator I set a "Remote User Sync Rule" to sync with a remote LDAP group. Users automatically get a FortiToken Mobile assigned and are added to the user group.
FAC is set as the RADIUS server on the FortiGate. On the FortiGate, a user group is set for authenticating VPN users through FAC. If I don't specify a group from FAC, it works without problems.

But if I want to use a group from FAC, it doesn't work. The user enters his name and password to access the VPN, FAC sends him a FortiToken push notification, he approves it, and it finishes with a FortiToken timeout error.

The picture shows what I mean.


FAC_groups.png


I need to set different policies for groups of VPN users.

I don't know if it is a fault in my setup or something else.

Can somebody help me, please?

Thank you
BleBla

1 Solution
Debbie_FTNT
Staff

Hi @BleBla,

If you set the group in FortiGate to match the name "vpn_users_fortiauthenticator", then FortiGate expects FortiAuthenticator to send along a RADIUS attribute with this information upon successful user login.

Please try the following:
- edit the group in FortiAuthenticator
- at the bottom, add a RADIUS attribute
- select Fortinet as vendor, then 'Fortinet-Group-Name'
- as value, set your vpn_users_fortiauthenticator name, and save this


After this, in the FortiAuthenticator RADIUS policy, enable group filter in the realm selection, and set the vpn_users_fortiauthenticator group, and set the matching filter on FortiGate.
FortiAuthenticator should send along the Fortinet-Group-Name attribute for the FortiGate to match the group successfully.

Hope this helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
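The attribute match described in the solution above, as an added example that is not part of the thread or of Fortinet's own code: a small parser that pulls Fortinet-Group-Name out of a RADIUS Access-Accept attribute list and applies the same name check the FortiGate user group performs, so you can see why a reply without the attribute fails the group match. The Fortinet vendor ID 12356 and the sub-attribute number 1 come from the Fortinet RADIUS dictionary, not from this thread; the packet bytes are constructed, not captured.

```python
import struct

# From the Fortinet RADIUS dictionary (not stated in the thread itself).
RADIUS_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1   # sub-attribute: Fortinet-Group-Name (string)

def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list (RFC 2865 TLV layout)."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        yield atype, payload[i + 2:i + alen]
        i += alen

def fortinet_group_names(payload: bytes):
    """Return every Fortinet-Group-Name carried in Vendor-Specific attributes."""
    names = []
    for atype, value in parse_attributes(payload):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != FORTINET_VENDOR_ID:
            continue
        # The vendor data is itself a TLV list: sub-type, sub-length, string.
        for subtype, subvalue in parse_attributes(value[4:]):
            if subtype == FORTINET_GROUP_NAME:
                names.append(subvalue.decode("utf-8", errors="replace"))
    return names

def fortigate_group_matches(payload: bytes, expected_group: str) -> bool:
    """Mirror the FortiGate check: the group name configured on the user group must be in the reply."""
    return expected_group in fortinet_group_names(payload)

def build_vsa(subtype: int, text: str) -> bytes:
    """Construct one Vendor-Specific attribute carrying a single Fortinet sub-attribute."""
    sub = bytes([subtype, 2 + len(text)]) + text.encode()
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body

# Constructed sample Access-Accept attribute lists (not real traffic).
ACCEPT_WITH_GROUP = build_vsa(FORTINET_GROUP_NAME, "vpn_users_fortiauthenticator")
ACCEPT_WITHOUT_GROUP = bytes([18, 9]) + b"Welcome"   # Reply-Message only, no group attribute

if __name__ == "__main__":
    for label, pkt in (("with group", ACCEPT_WITH_GROUP), ("without group", ACCEPT_WITHOUT_GROUP)):
        print(label, fortigate_group_matches(pkt, "vpn_users_fortiauthenticator"))
```

The second packet is the situation in the original post: FAC accepts the login but sends no Fortinet-Group-Name, so the FortiGate group filter has nothing to match.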


3 REPLIES 3
BleBla

Thank you Debbie, it works.


Have a nice day

BleBla

Debbie_FTNT

Thanks for the feedback, BleBla,

always happy to help :).


Cheers!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++