nathan_emerson
New Contributor

Microsoft L2TP IPsec VPN multiple policies based on user?

Is anyone able to tell me if it is possible to configure an IPsec tunnel for Microsoft dial-up clients that can apply different security policies based on user, group or some other factor?

We currently have the pretty standard tunnel configured as documented in the FortiOS Handbook IPsec VPN for FortiOS 5.0 guide on page 187. We are pointing to a firewall user group which is configured with a RADIUS server that requires membership in a particular AD group (vpn.access); we have the 12356 1 and 3 vendor attributes configured on the RADIUS server.

What we would like is to be able to apply different security policies to connecting users based on the AD group they belong to. So far as I can see, however, as there is a single group tied to the L2TP configuration, we can't. In addition, as there is only a single IP range given out to clients in the L2TP configuration, we cannot base it on IP either. Is there some way to identify the users, perhaps using XAuth or RSSO, and configure user identity based policies?

 

I know it can be, and we have done this elsewhere with the SSL VPN, but this client would like to use L2TP, which is still a step up from their current PPTP solution.

Cheers,

Nathan Emerson

2 REPLIES
gschmitt
Valued Contributor

Can't you apply different UTM profiles in your IPsec Interface > internal policies with different source users?

I don't have much experience with IPsec VPN tbh and my test device is currently in prod.

nathan_emerson

gschmitt wrote:

Can't you apply different UTM profiles in your IPsec Interface > internal policies with different source users?

I don't have much experience with IPsec VPN tbh and my test device is currently in prod.

We have a policy-based rather than interface-based VPN, as specified in the handbook, and in any case we have no way of identifying the users at this stage; no user information comes with the connection. I was wondering if having RSSO set up would allow us to do just that?
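To make the two halves of the thread concrete, here is an added FortiOS-style CLI sketch. It is not taken from the original posts or from Fortinet documentation. It shows the setup the question describes (L2TP pointing at one firewall group, membership decided by the Fortinet-Group-Name RADIUS attribute, vendor 12356 attribute 1) and then gschmitt's suggestion of one policy per source group on an interface-mode tunnel. The server name "nps-radius", the addresses, the tunnel interface name "l2tp-ipsec", the second AD group "vpn.admins" and the profile names are all assumptions; the firewall policy syntax is the later (FortiOS 5.2 and newer) form where the group sits directly on the policy.

```text
# Added example, not from the original thread. Names, addresses, the
# tunnel interface "l2tp-ipsec" and the group "vpn.admins" are assumed.
# The RADIUS server is assumed to return Fortinet-Group-Name
# (vendor 12356, attribute 1) carrying the user's AD group name.

config user radius
    edit "nps-radius"
        set server "10.0.0.5"
        set secret "<shared-secret>"
    next
end

# One firewall group per AD group, each matched on the group name the
# RADIUS server returns; both groups point at the same RADIUS server.
config user group
    edit "vpn.access"
        set member "nps-radius"
        config match
            edit 1
                set server-name "nps-radius"
                set group-name "vpn.access"
            next
        end
    next
    edit "vpn.admins"
        set member "nps-radius"
        config match
            edit 1
                set server-name "nps-radius"
                set group-name "vpn.admins"
            next
        end
    next
end

# The L2TP settings still take a single user group and a single client
# address pool, which is the limitation the question points out.
config vpn l2tp
    set status enable
    set sip 10.99.0.1
    set eip 10.99.0.100
    set usrgrp "vpn.access"
end

# gschmitt's suggestion on an interface-mode tunnel: one policy per
# source group, each with its own UTM profiles.
config firewall policy
    edit 10
        set srcintf "l2tp-ipsec"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set groups "vpn.admins"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
    next
    edit 11
        set srcintf "l2tp-ipsec"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set groups "vpn.access"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
    next
end
```

Two caveats a practitioner would check before relying on this. First, the L2TP `usrgrp` is the gate for dialling in at all, so an account that should land in the "vpn.admins" policy still has to match "vpn.access" (or whatever group is named there) on the RADIUS side; the second group is an additional membership, not a replacement. Second, the per-group policies are written for an interface-mode tunnel, which is gschmitt's premise; whether the same group matching can be applied to the policy-based tunnel from the handbook, where the original poster reports that no user information is available to the policy, is exactly the question the thread leaves open.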
