AEK
SuperUser

IPsec with multiple NPS groups

Hello FCT/FGT admins


I have FGT 7.2.9, FCT 7.4.0 (Windows, MacOS & Linux).

Trying to configure IPsec with IKEv2, with authentication from Windows NPS, to use multiple AD groups in different firewall policies (access based on group id).

The procedure is described in the below tech tip.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-multiple-groups-with-EAP-for-IK...


Basically the authentication is working fine when tested on a sample group, and remote user can connect properly.

The above tech tip mentioned the below tech tip to configure VSA attr on NPS for group matching.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Ra...


My problem is that I have multiple Windows groups (more than 10), and such a case is not covered by the tech tip (only one group is given as an example in the NPS tech tip). So I'm not sure, but I'm afraid it will require configuring the above config on NPS 10 times (once for each group), and I hope that is not the case.


Any idea on the best and simplest way to configure NPS for multiple group matching?

AEK

9 REPLIES
Somashekara_Hanumant

Hi AEK,


As suggested in the below article, you need to configure multiple group attributes on the NPS server and also bind these groups on the FGT.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Ra...


Hope this answers your question.

Regards,

Somu

EMEA Technical Support
AEK
SuperUser

Hello Somu

Thanks for your feedback.

Indeed it works, but what I mean is that with this method we have to create on Windows NPS as many network policies as the number of groups. If I have 100 groups I'll have to create 100 NPS network policies.

Is there a faster way to achieve it without creating all those NPS network policies?

AEK
Somashekara_Hanumant

Hello AEK,

No need to create multiple NPS policies; on the same policy you need to add multiple groups under the Vendor Specific option, and bind these policies on FortiGate.

Regards,

Somu

EMEA Technical Support
AEK
SuperUser

Hi Somu

Thanks for your response.

But as far as I can see, we cannot have multiple "Vendor-Specific" attributes in the same policy.

The screenshot shows the message when I try to do so. To me it seems logical, since it maps one defined AD group to one specific RADIUS "vendor-specific" response.

Or did I misunderstand your advice?

[Attachment: add_attr.png]

AEK
Somashekara_Hanumant

Hello AEK,

Please refer to the below screen capture.

[Attachment: vender_specifc.JPG]

On the same Vendor Specific attribute you need to add multiple groups.

Hope this answers your question.

Regards

Somu

EMEA Technical Support
AEK
SuperUser

Oh you are right. Thanks Somu.

I guess I also need to add the other Windows groups to the same policy, right? (under the Conditions tab).

AEK
AEK
SuperUser

Hello Somu

I did as you said, but unfortunately any user, once connected, is considered to be in all groups. They are then matched by all my firewall policies that have those groups as source.

Below is a snapshot of the credential test.

[Attachment: RADIUS_Test.png]

AEK
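An added model of the behaviour described in this thread (example code, not from the forum or from Fortinet): NPS answers Access-Accept with Fortinet-Group-Name values carried in RADIUS Vendor-Specific attributes (Fortinet IANA vendor ID 12356, sub-attribute 1), and the FortiGate side matches firewall policies against the group names it receives. The policy lists, group names and first-match NPS evaluation are constructed assumptions; the model shows why a single NPS policy returning every group name makes every user match every firewall policy, while one policy per AD group returns only that group.

```python
import struct

FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name vendor sub-attribute
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type


def encode_group_vsa(group: str) -> bytes:
    """Encode one Fortinet-Group-Name value as an RFC 2865 Vendor-Specific attribute."""
    value = group.encode()
    vendor_part = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), FORTINET_VENDOR_ID) + vendor_part


def decode_group_vsas(attrs: bytes) -> list:
    """Return every Fortinet-Group-Name string found in a run of RADIUS attributes."""
    groups, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", attrs[i + 2:i + 6])[0] == FORTINET_VENDOR_ID:
            j = i + 6
            while j < i + alen:                      # walk the vendor sub-attributes
                vtype, vlen = attrs[j], attrs[j + 1]
                if vtype == FORTINET_GROUP_NAME:
                    groups.append(attrs[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return groups


def nps_access_accept(policies, user_groups):
    """Assumed NPS model: policies are evaluated in order; the first whose Windows-Groups
    condition contains any of the user's groups wins and its attributes are returned."""
    for condition, returned in policies:
        if set(condition) & set(user_groups):
            return b"".join(encode_group_vsa(g) for g in returned)
    return None  # no policy matched: Access-Reject


def matched_firewall_policies(fw_policies, accept):
    """Assumed FortiGate side: a policy matches when its source group name was returned."""
    names = set(decode_group_vsas(accept))
    return [name for name, grp in fw_policies if grp in names]


# Constructed sample data: three AD groups, one firewall policy per group.
AD_GROUPS = ["VPN-Finance", "VPN-IT", "VPN-HR"]
FW_POLICIES = [("pol-finance", "VPN-Finance"), ("pol-it", "VPN-IT"), ("pol-hr", "VPN-HR")]
PER_GROUP = [([g], [g]) for g in AD_GROUPS]      # one NPS policy per AD group
ONE_POLICY = [(AD_GROUPS, AD_GROUPS)]             # one NPS policy listing all names (the failing setup)
```

Run `matched_firewall_policies(FW_POLICIES, nps_access_accept(ONE_POLICY, ["VPN-IT"]))` to see an IT user match all three firewall policies, which is the symptom reported above.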
Somashekara_Hanumant

Hello AEK,


I request you to please open a web ticket, so that one of our engineers can further assist you on this.

Regards,

Somu

EMEA Technical Support
AEK

Hi Somu

Thanks for your support so far.

For sure it was helpful to better understand how NPS works.

AEK