Hi, all.
I'm new to Fortinet, having worked with other brands up until now.
I'm trying to get a new FortiGate 101F up and running, and I am now configuring IPSec tunneling using the FortiClient.
Is there a way to set access lists (network interface/subnets) based on user or user group? Can't seem to find any documentation on this, and unclear how this would be supported based on what I see when I configure the policy.
Thanks,
Chocolate Eater
If you're doing XAUTH or EAP authentication:
1. Leave the XAUTH/EAP group in phase1 configuration empty (CLI) or set it to "inherit from policy" (GUI).
2. Add the relevant group(s) in the firewall policies for <tunnel> -> <any desirable egress interface> policies.
=> As a result, the FortiGate will remember the users' groups learned during IPsec authentication, and they can then be utilized to control access through policies.
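As an added example (written here, not taken from pminarik's reply or from Fortinet documentation), this is the FortiOS CLI shape of the two steps above: the dial-up phase1 leaves `authusrgrp` unset, and each firewall policy from the tunnel interface carries the group that is allowed to reach that particular egress interface and subnet. Interface names (`wan1`, `port2`, `port3`), the address objects, the group and user names, the client IP pool and the pre-shared key placeholder are all assumed values; the syntax is FortiOS 7.x style and should be checked against the firmware actually running on the 101F.

```fortios
# Added example, not the page's own configuration. Lines starting with '#'
# are annotations only; strip them before pasting into the CLI.

# Assumed local users and the two groups the policies will match on
config user group
    edit "Finance_Users"
        set member "alice"
    next
    edit "Eng_Users"
        set member "bob"
    next
end

# Assumed address objects: the client pool and the two internal subnets
config firewall address
    edit "VPN_pool"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "Finance_subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "Eng_subnet"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Step 1: dial-up phase1 with XAUTH, no authusrgrp set
# (this is what "Inherit from policy" means in the GUI)
config vpn ipsec phase1-interface
    edit "FCT-VPN"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PLACEHOLDER_PSK>
    next
end

config vpn ipsec phase2-interface
    edit "FCT-VPN-p2"
        set phase1name "FCT-VPN"
        set proposal aes256-sha256
    next
end

# Step 2: one tunnel -> egress policy per group, each scoped to its own
# destination interface and subnet rather than "all"
config firewall policy
    edit 10
        set name "VPN-Finance"
        set srcintf "FCT-VPN"
        set dstintf "port2"
        set srcaddr "VPN_pool"
        set dstaddr "Finance_subnet"
        set groups "Finance_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "VPN-Engineering"
        set srcintf "FCT-VPN"
        set dstintf "port3"
        set srcaddr "VPN_pool"
        set dstaddr "Eng_subnet"
        set groups "Eng_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With this layout a user in `Finance_Users` can only open sessions that match policy 10, so the per-group "access list" the question asks for is the set of policies naming that group. The behaviour is fail-closed: a user whose group appears in no active policy from `FCT-VPN` is rejected at XAUTH, which is the authentication failure seen when the group list is empty. After a client connects, `diagnose vpn ike gateway list` shows the tunnel and the authenticated user, which is a quick way to confirm the group was learned before checking why a policy did or did not match.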
Hi, pminarik.
It makes sense what you're saying, but when I set to "Inherit from policy" in XAUTH, I get an authentication failure. Which also makes sense, since it has no user groups to authenticate against.
But I guess I'm missing something...?
Once you switched to "inherit from policy", you need to make sure that any and all groups you want to be able to log into the VPN are listed in an active firewall policy in the tunnel->something direction.