Hello FCT/FGT admins
I have FGT 7.2.9, FCT 7.4.0 (Windows, MacOS & Linux).
Trying to configure IPsec with IKEv2, with authentication from Windows NPS, to use multiple AD groups in different firewall policies (access based on group id).
The procedure is described in the below tech tip.
Basically the authentication is working fine when tested on a sample group, and remote user can connect properly.
The above tech tip mentioned the below tech tip to configure VSA attr on NPS for group matching.
My problem is that I have multiple Windows groups (more than 10), and such case is not covered by the tech tip (only one group is given as example in the NPS tech tip). So I'm not sure but I'm afraid if it will require to configure 10 times the above config on NPS (for each group), and I hope it is not the case.
Any idea on the best and simplest way to configure NPS for multiple group matching?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi AEK,
As suggested on below article, need to configure multiple groups attributes on NPS server and also need to bind these groups on FGT.
Hope this answers your question.
Regards,
Somu
Hello Somu
Thanks for your feedback.
Indeed it works, but what I mean is that with this method we have to create on Windows NPS as many network policies as the number of groups. If I have 100 groups I'll have to create 100 NPS network policies.
Is there a faster way to achieve it without creating all those NPS network policies?
Hello AEK,
No need to create multiple NPS policies, on the same policy you need to add multiple groups under Vendor Specific option, and bind these policies on FortiGate.
Regards,
Somu
Hi Somu
Thanks for your response.
But as I can see we cannot have multiple "Vendor-Specific" attributes to the same policy.
The screenshot shows the message when I try to do so. For me it seems logic, since it maps one defined AD group with one specific RADIUS "vendor-specific" response.
Or did I misunderstood your advice?
Hello AEK,
Please refer the below screen capture.
On the same vendor Specific you need to add multiple groups.
Hope this answers your question.
Regards
Somu
Oh you are right. Thanks Somu.
I guess I need also to add other Windows groups to the same policy right? (under the Conditions tab).
Hello Somu
I did as you said but unfortunately any user once connected is considered in all groups. Then they are matched by all my firewall policies that are having the groups as source.
Below a snapshot of credential test.
Hello AEK,
Request you to please open a web ticket, so that one of our engineer would be able to further assist you on this.
Regards,
Somu
Hi Somu
Thanks for your support so far.
For sure it was helpful to better understand how NPS works.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.