We are using SSL VPN through Fortigate at the moment. We deployed FortiAuthenticator for 2FA, which is working fine with the Parallels RAS solution. Now we are going to enable 2FA for SSL VPN. At the moment the Fortigate is configured to allow only selected AD groups VPN access. If we are going to use FortiAuthenticator for SSL VPN, where can I select the user group so that only those group members can access the VPN?
Right now I imported users from an AD group using Remote User Sync rules, which imports all users from the AD group and assigns a FortiToken. We don't want all imported users to have VPN access. So how can I allow access to the VPN for selected users only?
Thank you.
Hey Arif,
If you're looking to use groups from FortiAuthenticator in FortiGate VPN authentication, especially to restrict access, you should also consider the following:
- you can filter the RADIUS authentication policy on specific groups, so only those users can authenticate in the first place
- you can create groups on FortiGate, add in a RADIUS server and define a match:
However, you need to ensure FortiAuthenticator sends along a RADIUS attribute to match this in FortiGate. FortiGate looks for the 'Fortinet-Group-Name' attribute, so you need to make a configuration like the following on FortiAuthenticator:
- add the attribute to the group
- filter on the group in FortiAuthenticator RADIUS policy
With that in place, FortiGate should receive the group attribute from FortiAuthenticator and match to the proper user groups on the FortiGate itself :)
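To make the group match concrete, here is a small added example (not code from Debbie's reply, FortiGate or FortiAuthenticator) that models the exchange described above: FortiAuthenticator answers with an Access-Accept carrying the Fortinet-Group-Name vendor-specific attribute, and the FortiGate side compares that value against the group match configured on its own user groups. The encoding follows RFC 2865 and the public Fortinet RADIUS dictionary (vendor ID 12356, vendor type 1 for Fortinet-Group-Name); the group names and the FortiGate group table are constructed sample values, and the Authenticator field is left zeroed because the example only looks at attribute handling, not packet integrity.

```python
"""Toy model of the RADIUS group match described in the thread.

FortiAuthenticator returns the Fortinet-Group-Name vendor-specific attribute
(Fortinet vendor ID 12356, vendor type 1) in its Access-Accept; FortiGate then
compares that string with the group match configured on its own user groups.
Added example code, not FortiGate or FortiAuthenticator code.
"""
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1  # vendor type of Fortinet-Group-Name (string)


def fortinet_group_vsa(group_name: str) -> bytes:
    """Encode one Fortinet-Group-Name VSA: Type 26, Length, Vendor-Id, Vendor-Type, Vendor-Length, value."""
    value = group_name.encode()
    vendor_part = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, group_names: list[str],
                        authenticator: bytes = b"\x00" * 16) -> bytes:
    """Build an Access-Accept with one VSA per group (Response Authenticator not computed here)."""
    attrs = b"".join(fortinet_group_vsa(g) for g in group_names)
    length = 20 + len(attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, length) + authenticator + attrs


def extract_group_names(packet: bytes) -> list[str]:
    """Walk the attribute list and return every Fortinet-Group-Name value found."""
    if len(packet) < 20:
        return []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT or length != len(packet):
        return []
    groups = []
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            break  # malformed attribute: stop rather than read past the packet
        if attr_type == ATTR_VENDOR_SPECIFIC and attr_len >= 8:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            vendor_type, vendor_len = packet[pos + 6], packet[pos + 7]
            if (vendor_id == FORTINET_VENDOR_ID and vendor_type == FORTINET_GROUP_NAME
                    and 2 <= vendor_len <= attr_len - 6):
                groups.append(packet[pos + 8:pos + 6 + vendor_len].decode(errors="replace"))
        pos += attr_len
    return groups


def matched_fortigate_groups(packet: bytes, fortigate_groups: dict[str, str]) -> list[str]:
    """Return the local FortiGate user groups whose group match equals a returned Fortinet-Group-Name.

    fortigate_groups maps a local user-group name to the match string configured for it.
    A user whose Access-Accept carries no matching group lands in no group, so a
    policy that references the group does not apply to that session.
    """
    returned = set(extract_group_names(packet))
    return [local for local, match in fortigate_groups.items() if match in returned]


if __name__ == "__main__":
    # Constructed example: two FortiGate user groups, each matching a FAC group name.
    FGT_GROUPS = {"SSLVPN_Users": "VPN-Users", "RAS_Users": "RAS-Users"}
    print(matched_fortigate_groups(build_access_accept(7, ["VPN-Users"]), FGT_GROUPS))  # ['SSLVPN_Users']
    print(matched_fortigate_groups(build_access_accept(8, []), FGT_GROUPS))             # []
```

The point the model makes is that the group attribute is an authorization signal layered on a successful authentication: if FortiAuthenticator authenticates the user but sends no matching Fortinet-Group-Name, the FortiGate group stays empty and a policy bound to that group does not admit the session. It does not cover a separate policy on the FortiGate that does not reference the group at all, which is the kind of overlap the rest of this thread ends up tracking down.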
Hi ArifS,
If I understood correctly what you're after, then this article has the answer:
Please check this and let me know.
Hi cchiriches,
Those are the settings I was looking for. I created a group with only VPN users and now I can see it in the policy settings. I just need to test to see if it works.
Thanks
Created on 10-12-2022 02:38 AM Edited on 10-12-2022 02:39 AM
Hi Debbie,
After creating the group as per your instructions, the issue is resolved and it only allows users who are members of the group to log in; however, it still allows users to log in with no FortiToken assigned to them. The Fortigate policy is configured to use Mandatory Password & OTP, but it still allows users without OTP. How do I deny access to users who don't have a FortiToken? I have the same policy for the RAS solution with the same settings and it rejects those users without a FortiToken.
Thanks
Hi ArifS,
Are you sure the auth is going through the FAC, through the same policy?
Do you have other policies that would allow it?
Take a look here at the RADIUS debug and check that:
https://<FACIP>/debug/radius/
Does the successful login without the token show up in the event logs on the FAC?
GUI -> Log Access -> Log Access > Logs
Is it possible that you have the LDAP server configured on the FGT and the auth goes through it and not through the FAC, bypassing the 2FA?
Run this debug on the firewall before connecting; you should see the group/auth server:
diag debug console timestamp enable
diag debug app fnbamd -1
diagnose debug enable
Once auth goes through, type "di de di" to stop it.
Let us know how it goes.
I can see a failed log entry for the test user I tried to log in with, so it does reject users with no FortiToken. So there must be another policy in the Fortigate which allows the connection. I will check the Fortigate and find out.
We found the policy configured on the Fortigate allowing access to the VPN. After disabling it, it blocks access to users with no FortiToken.
Copyright 2024 Fortinet, Inc. All Rights Reserved.