Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fhwn
New Contributor

IKEv2 Tunnel - Tunnels for different Usergroups

Hi How to set up this configuration correct? - Users should be able to dialin with IKEv2 - Different rights for different users - i dont care if i distinquish them by sourceip, user or group Since i found no way to distinquish between users i made two tunnels. The config for the tunnels is the same - only  "authusergroup" and the IP-Range is different. Authentication is via windows 2012R2 radius server.  I created two policies - each of them is sending different vsa-values for the Fortinet-Group-Name (boss and studnets). Authentication works - i see the sucessfull login in the logs. On the client-side login for the first tunnel (admins) works too - the second hangs at "Checking User Name" - the same behavior i had when i sent wrong values in the vsa-values. How to correctly configure these tunnel(s)??? I attached my config Hope you can help me Arnold config user radius     edit "myRadius"         set server "10.10.1.117"         set auth-type ms_chap_v2     next end config user group     edit "admins"         set member "myRadius"             config match                 edit 1                     set server-name "myRadius"                     set group-name "boss"                 next             end     next     edit "students"         set member "myRadius"             config match                 edit 1                     set server-name "myRadius"                     set group-name "students"                 next             end     next end config user peer     edit "admin_peer"         set ca "CA_Cert_1"     next     edit "student_peer"         set ca "CA_Cert_1"     next end config vpn ipsec phase1-interface     edit "IKE2_Admin"         set type dynamic         set interface "WAN"         set ike-version 2         set authmethod signature         set peertype peer         set mode-cfg enable         set ipv4-dns-server1 10.10.1.3         set ipv4-dns-server2 10.10.1.16         set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256         set dhgrp 2         set eap enable         set eap-identity send-request         set authusrgrp "admins"         set certificate "my_public_cert"         set peer "admin_peer"         set ipv4-start-ip 10.214.134.200         set ipv4-end-ip 10.214.134.210         set ipv4-split-include "LAN_ALL"     next end config vpn ipsec phase2-interface     edit "IKE2_Admin"         set phase1name "IKE2_Admin"         set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256         set dhgrp 2         set src-addr-type name         set dst-addr-type name         set src-name "LAN_ALL"         set dst-name "all"     next end config vpn ipsec phase1-interface     edit "IKE2_Students"         set type dynamic         set interface "WAN"         set ike-version 2         set authmethod signature         set peertype peer         set mode-cfg enable         set ipv4-dns-server1 10.10.1.3         set ipv4-dns-server2 10.10.1.16         set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256         set dhgrp 2         set eap enable         set eap-identity send-request         set authusrgrp "students"         set certificate "my_public_cert"         set peer "student_peer"         set ipv4-start-ip 10.215.134.200         set ipv4-end-ip 10.215.134.210         set ipv4-split-include "LAN_ALL"     next end config vpn ipsec phase2-interface     edit "IKE2_Students"         set phase1name "IKE2_Students"         set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256         set dhgrp 2         set src-addr-type name         set dst-addr-type name         set src-name "LAN_ALL"         set dst-name "all"     next end

4 REPLIES 4
rwpatterson
Valued Contributor III

Just a shot in the dark. Reverse the order of the two authentication policies and see if the behavior changes. I believe the problem is there.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
fhwn

Unfortunatly this dosnt matter.

The order of the tunnels in the firewall-config counts

 

Here Students can log in....

config vpn ipsec phase1-interface     edit "IKE2_Students"     edit "IKE2_admin"

Here Admins can log in....

config vpn ipsec phase1-interface

    edit "IKE2_admin"

    edit "IKE2_Students" Both Tunnels have the Same certificate-setting. But i dont want to use two different certificates/urls for students and admins.

I want one Config for the user to login - and depending on username the user should belong to a group i can use in firewall-rules

nothingel
New Contributor III

I am interested in this problem as well.  I have yet to find a perfect solution either.  Fortigate dial-up tunnels can be assigned IPs from RADIUS but sadly Windows IAS/NPS is not capable of handing out IP addresses from a pool.  I always find Windows' RADIUS to be so limiting.

 

If you were willing to have a different configuration per groups of people, you could require ID identifiers as a means to distinguish between groups of people.  Alternatively, if you have more than one IP, each instance of a dialup configuration could be bound to a different IP.

 

It would be nice if an unmatched group resulted in a "failed" connection rather than a hanging one.  I've seen this too.

fhwn
New Contributor

Have you got an working config for two user-groups?

 

How does this thing with IDs work?

 

I have multiple IPs, i can also create different certificates - but then i have to tell the different usergroups to use different configs to dial-in - this is why i don't like this solution (too many pitfalls for users -> too much work for me)

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors