IPSEC Dialup with multiple Radius Groups
Hello!
I have a FortiGate with 7.2.4 and many clients that make a dialup VPN with the FortiClient. Authentication works via XAUTH Radius through a OneSpan (formerly Vasco) Authenticator appliance - works fine.
Now I have a new requirement that some of these users must be able to access a specific network resource. Can I define multiple, separate dialup tunnels, which I distinguish via XAUTH? Or how do you handle such scenarios?
Greetings from Switzerland!
martin
Labels: FortiClient, FortiGate
Dear Martin,
Since you are using Radius, you should be able to specify Radius Remote Groups on FGT.
Then, could you test adding Radius Group Name attributes to the Radius response from the Radius server, and adjust the firewall policy for the group that should get access?
But how can I work with multiple groups when XAUTH only allows me to specify one group that is allowed to use this dialup tunnel?
My bad, I mixed it up with SSL VPN. I could see only one solution, as you explained.
Couldn't you use the Radius group in a policy too? There are options for limiting to users; however, I have never used that with Radius up to now (which could change, since we have a FortiAuthenticator now ;) )
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
