Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jimmyb
New Contributor

Radius pass-through VPN auth?

Hi there,

I'm wanting to configure my 30E so that minimal user management is done on the device itself, and instead as much as possible done via Windows Server AD mgmt, with RADIUS pass-through.

 

e.g. Instead of creating users ABC1, ABC2 etc. on the VPN, I'd like to specify only a single AD user group (e.g. "ABCUsers") with all members of that AD group allowed VPN access.

 

When ABC1 attempts to log in, the VPN would pass the credentials on to the Radius server, and would get a response back saying that either ABC1 is a member of the ABCUsers AD group, and that the supplied credentials are correct so a VPN session can be established, or kick them out.

 

Users would explictly log in via the Forticlient app login screen, not via SSO from the existing Windows session, as the VPN domain is sandboxed so AD syncing is out.

 

Please, can anyone advise me whether this configuration is possible or not?

 

I'm currently experimenting with the RADIUS attribute fields, but I'm not crystal clear on how they integrate with Fortinet groups, I'd really appreciate any advice on if what I've outlined is possible or not, before I throw lots of time at this one.

 

Thanks and kind regards

 

James

 

3 REPLIES 3
xsilver_FTNT
Staff
Staff

Hi James,   I hope you'll find RADIUS group match and attribute usage clearly described in KB I wrote long time ago but is still valid. FD36464

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jimmyb

thanks for the link to the article Tomas, extemely helpful, will work through it next week!

 

Kind regards

 

James

jeroen_bellaart

Hello, Is it possible to post config for 3rd party radius (eset 2fa) for sslvpn configuration and second Auth on policy by ldap? As mentioned: If you need chained authentication towards 3rd party LDAP and another 3rd party RADIUS (two different servers), like users in LDAP and tokens in RSA, then this is supported on FortiAuthenticator, only. My setup is as follows: Fgt 6.0.5, fac 6.0.2 with 3rd party radius eset 2fa and ms ldap. Many thanks! Regards, Jeroen
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors