Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: How to user grouping on Forticlient IPSec VPN ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to user grouping on Forticlient IPSec VPN with Azure Entra ID
I really run out of idea on user grouping based on Azure Entra ID object ID.
I Follow the administration guide to prepare SSL VPN migrate to IPSec VPN with SAML
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/951346/saml-based-authentica...
On phase 1 configuration I face EAP credential error
config vpn ipsec phase1-interface
edit "FCT_SAML"
set eap enable
set eap-identity send-request
next
endLook for lots of tech doc only this work
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Error-EAP-failure-with-IPsec-Dial-Up-VPN-u...
Which mean I had to define the user Group without any Entra Object ID to make user authenticate success or firewall policy with the user group without Entra ID object.
config vpn ipsec phase1-interface
|
So no issue getting user connect with FortiClient IPSec
diagnose vpn ike gateway list
vd: root/0 id/spi: 148531 |
but .......................
How to match or group user based on ingested Entra object id ?
if I define any object ID in the user group the EAP authentication will failed so i had to left it blank to make user connect success.
SAML Debug log
config user group |
Firewall policy wont work
p/s
1. Don't recommend local peer id as user/me has no time to manage it by each department/devices
2. Tried FSSO but there is limitation especial for those BYOD, since is not join domain so wont update netlogon to AD especial VVIP devices.
3. No TAC case is allow as no FortiClient license.
4. Really need interim solution before 7.4 EoE at March 2026.
5. No IKEv1 ( This feature requires FortiClient 7.2.4 and FortiClient supports only using IKEv2)
Labels:
- Labels:
-
FortiClient
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you do a, show user saml ?
L.E. I would suggest the following:
- ensure that under config user saml you have for group
i) either set group-name "group" , if you configured this and use this
ii) either set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" , this would be confirmed if required from here
iii) in your case you might use FortigateGroups and require set group-name FortigateGroups ? you would get more clarity about what to configure when you do a debug and see what saml attributes you get.
- in the phase1 , unset authusrgrp and use/create groups based on SAML which you add in firewall rules at the source alongside the ipsec range
"jack of all trades, master of none"
"jack of all trades, master of none"
Created on 10-12-2025 03:50 AM Edited on 10-12-2025 04:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| i) either set group-name "group" , if you configured this and use this |
Yes had ensure that, SAML is working authentication is working, SAML response with correct Entra Object ID too.
| ii) either set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" , this would be confirmed if required from here |
SAML did response back with the groups information
iii) in your case you might use FortigateGroups and require set group-name FortigateGroups ? you would get more clarity about what to configure when you do a debug and see what saml attributes you get.
|
Debug I run
diagnose debug application ike -1
diagnose debug application authd 60
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable
| - in the phase1 , unset authusrgrp and use/create groups based on SAML which you add in firewall rules at the source alongside the ipsec range |
The authentication and SAML is work with unset authgroup but must define policy a firewall policy with the SAML user group
but the user group cannot contain any Entra object ID else will hit to this error
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Error-EAP-failure-with-IPsec-Dial-Up-VPN-u...
No matter how many user group I define with SSO and Entra ID object on firewall policy, user that success authenticated and success with IPSec will not category into user group, example SSLVPN
| SSL VPN User Grouping | FortiClient IPSEC |
| 10.99.98.1, test@limvuihan.com - this my SSLVPN segment type: fw, id: 0, duration: 961, idled: 0 expire: 28800, allow-idle: 28799 flag(80): sslvpn server: Azure packets: in 1288 out 1317, bytes: in 410818 out 135795 group_id: 2 4 group_name: Azure_All_User AZURE-IT | The only working is my FSSO identify me 10.99.99.1, LIMVUIHAN - this my IPSEC segment type: fsso, id: 0, duration: 42, idled: 8 server: FSSO packets: in 215 out 266, bytes: in 42001 out 73893 group_id: 28 24 33554794 33554588 33554440 33554435 33554786 33554732 |
As compare, the only different is the flag(80): sslvpn which IPSEC user doesnt flag as anything
Created on 10-12-2025 04:36 AM Edited on 10-12-2025 04:37 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
im confused.
you are not using Azure to auth users for both SSLVPN and IPsec ?
by your output, i would expect that a user group using Azure SAML Server and group AZURE-IT (maybe?) for SSLVPN and the same would/should work if you use the user group in the firewall rule for IPsec as source interface and in phase-1 unset/inherit from policy.
please do provide full output logs when you start a debug for both sslvpn and for ipsec, also the complete config for sslvpn and ipsec alongside , user saml / user groups and firewall policies.
feel free to mask any sensitive info.
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both are use Azure SAML and no issue on authentication.
| SSLVPN | IPSEC | |
User Grouping | firewall able match username with the configured user group (contain Entra object ID) with the SAML responsed Entra Object ID | the SAML return the Entra Object ID but firewall doesnt match the username with the configured user group (contain Entra object ID) |
| Authentication
| For SSLVPN, firewall able authenticate user with multiple user group and different Entra Object ID | Unable authenticate user if there is Entra Object ID configure, else will prompt EAP error. So to make user success authenticate the work around is to accept any Entra Object ID |
Created on 10-12-2025 05:00 AM Edited on 10-12-2025 05:00 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
debug logs for ipsec saml auth would be nice to see either way.
"jack of all trades, master of none"
"jack of all trades, master of none"
Labels
-
FortiGate
10,698 -
FortiClient
2,184 -
FortiManager
898 -
5.2
687 -
FortiAnalyzer
685 -
5.4
638 -
FortiSwitch
592 -
FortiClient EMS
573 -
FortiAP
564 -
IPsec
428 -
6.0
416 -
SSL-VPN
387 -
FortiMail
374 -
5.6
362 -
FortiNAC
290 -
FortiWeb
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
200 -
FortiAuthenticator
181 -
FortiGuard
160 -
5.0
152 -
Firewall policy
146 -
FortiGate-VM
136 -
6.4
128 -
FortiCloud Products
117 -
FortiSIEM
114 -
FortiToken
114 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
87 -
FortiProxy
79 -
ZTNA
77 -
Routing
75 -
SAML
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
70 -
BGP
70 -
FortiADC
68 -
Certificate
67 -
RADIUS
62 -
LDAP
61 -
FortiLink
57 -
NAT
55 -
SSO
54 -
FortiSandbox
53 -
FortiExtender
52 -
VDOM
50 -
4.0MR3
49 -
Interface
48 -
Application control
46 -
FortiDNS
43 -
Virtual IP
42 -
Logging
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
37 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
31 -
FortiGate v5.2
28 -
API
27 -
Traffic shaping
26 -
Static route
26 -
Fortigate Cloud
25 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
FortiSoar
18 -
IP address management - IPAM
18 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
FortiGate v5.0
15 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2627 | |
| 1400 | |
| 810 | |
| 672 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.