Hi there,
I'm wanting to configure my 30E so that minimal user management is done on the device itself, and instead as much as possible done via Windows Server AD mgmt, with RADIUS pass-through.
e.g. Instead of creating users ABC1, ABC2 etc. on the VPN, I'd like to specify only a single AD user group (e.g. "ABCUsers") with all members of that AD group allowed VPN access.
When ABC1 attempts to log in, the VPN would pass the credentials on to the Radius server, and would get a response back saying that either ABC1 is a member of the ABCUsers AD group, and that the supplied credentials are correct so a VPN session can be established, or kick them out.
Users would explictly log in via the Forticlient app login screen, not via SSO from the existing Windows session, as the VPN domain is sandboxed so AD syncing is out.
Please, can anyone advise me whether this configuration is possible or not?
I'm currently experimenting with the RADIUS attribute fields, but I'm not crystal clear on how they integrate with Fortinet groups, I'd really appreciate any advice on if what I've outlined is possible or not, before I throw lots of time at this one.
Thanks and kind regards
James
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
thanks for the link to the article Tomas, extemely helpful, will work through it next week!
Kind regards
James
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.