Is it impossible to have two Radius user groups with only one Radius server?
I already have a working SSL VPN for my users who are authenticated via Radius server in an Active Directory.
I want to create another user group so that they have a different access permission, something like this:
When I revise Radius settings in my FortiGate 80c, it seems to me that there is no way to have two groups using a single Radius server. Am I correct? Besides making a second Radius server, what other option do I have?
The same user can belong to different groups. A radius server should be the same. The problem is how to get bound to a specific group (authentication rule) when a user tries to connect over SSL VPN. It would always use the first one, I believe. I'm not sure if it would try the next auth rule when the first one is denied by the radius. You can try though.
But an option to avoid that situation is to use realms like below:
I didn't talk about having the same user in two different groups! What are you talking about?
To have group users authenticated by a RADIUS server, you need to create a "group" [config user group] with the server created under [config user radius] as a member in the FGT. If you want to get two different user group member clients authenticated by the same server, you have to create two "group"s and put the same server as a member of both "group"s.
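
The two-group setup described in the post above, as an added example that is not part of the original thread. It assumes a FortiOS release that has `config match` under user groups and `config authentication-rule` under the SSL VPN settings, and a RADIUS server that returns the Fortinet-Group-Name vendor-specific attribute (vendor ID 12356, attribute 1) in its Access-Accept; all object names, the address and the secret are hypothetical placeholders, and lines beginning with `#` are annotations.

```fortios
# Added illustration; every name, address and secret below is a hypothetical placeholder.
config user radius
    edit "AD-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end
config user group
    edit "VPN-Staff"
        set member "AD-RADIUS"
        # Without a match entry, every user the server accepts belongs to this group.
        config match
            edit 1
                set server-name "AD-RADIUS"
                set group-name "VPN-Staff"
            next
        end
    next
    edit "VPN-Contractors"
        set member "AD-RADIUS"
        config match
            edit 1
                set server-name "AD-RADIUS"
                set group-name "VPN-Contractors"
            next
        end
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Staff"
            set portal "staff-portal"
        next
        edit 2
            set groups "VPN-Contractors"
            set portal "contractor-portal"
        next
    end
end
```

The `group-name` value is compared with the attribute the RADIUS server returns, so the server-side policy has to send a different value for each Active Directory group; the differing access itself still comes from the firewall policies that reference each FortiGate group.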
I agreed with and one other option, if you want to control different access, is to use realms. This goes a long way with dividing and controlling user access.
e.g.
http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
Ken Felix
PCNSE
NSE
StrongSwan
