Hi,
I am trying to set up SSL VPN to replace a current ASA solution in my company and I am encountering two issues:
1) I need to be able to give my VPN users different access rights (different subnets or servers). My users are all in the same subnet range SSL_VPN_ADDRESS, and I will use only tunneling mode without split tunnel (no web portal).
I set up my users (for test, two users localuser1 and localuser2) and 3 local groups: SSL_VPN_USERS, DENAY_INTERNET and DENAY_LOCAL.
I made user1 and user2 members of SSL_VPN_USERS and, respectively, one a member of Denay Internet and the other of Denay local.
I made basic policies ssl.root -> Local and ssl.root -> Internet to grant SSL_VPN_USERS access, and I also created two policies (higher in the hierarchy) for Denay Internet and Denay local. I successfully log on with user 1 and 2 but no restriction is applied; the only policy that is applied is the one that contains SSL_VPN_USERS. If I add this group to my "test denay policy" then it blocks it (but all users...).
Am I doing something wrong? Or is this by design? It would not be practical... to say the least...
2) I am planning to use radius and remote groups, so I tested with radius... All fine, users can be authenticated by means of radius, but... when I try to use a remote group... problem. If I define a policy that contains ssl.root as source interface then I CAN NOT add my RSSO groups as source address; I simply cannot see them... with other interfaces it is possible, but of no use...
Why? How can I use remote groups? I successfully configured the radius to pass the right value (checked in debug).
Any help is appreciated, as well as pointing out any KB cookbook I may have missed...
P.S.
I can post the configuration if it can help...
Best Regards
Alessandro
1) read this and see if Realm would work for your case. I think it does.
http://cookbook.fortinet.com/multi-realm-ssl-vpn/
2) I think you need to use an LDAP server to use groups on the Auth server. But if you implement realms as above, users specify which group and policy they're in.
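As an added example (not written by the reply's author and not taken from the linked cookbook), here is the realm approach from point 1 in FortiOS 5.4-style CLI: one realm and one authentication rule per group, and one accept policy per group from ssl.root, so each group gets only what its own policy grants and everything else falls to the implicit deny. Realm names, "wan1", "internal" and "LAN_NET" are assumed names; the default "tunnel-access" portal is assumed with split tunneling disabled.

```fortios
# Constructed example. Page names: SSL_VPN_ADDRESS, SSL_VPN_USERS, DENAY_INTERNET, DENAY_LOCAL, ssl.root.
# Assumed: realm names, wan1, internal, LAN_NET, and the default tunnel-access portal with split tunneling disabled.
config vpn ssl web realm
    edit "local-only"
        set url-path "local"
    next
    edit "internet-only"
        set url-path "internet"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set tunnel-ip-pools "SSL_VPN_ADDRESS"
    config authentication-rule
        edit 1
            set groups "DENAY_INTERNET"
            set realm "local-only"
            set portal "tunnel-access"
        next
        edit 2
            set groups "DENAY_LOCAL"
            set realm "internet-only"
            set portal "tunnel-access"
        next
    end
end
# Accept-only policies, each tied to exactly one group; no deny policy is needed.
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSL_VPN_ADDRESS"
        set dstaddr "LAN_NET"
        set groups "DENAY_INTERNET"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSL_VPN_ADDRESS"
        set dstaddr "all"
        set groups "DENAY_LOCAL"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Users in DENAY_INTERNET log in at https://<vpn-host>/local and only match policy 10; users in DENAY_LOCAL log in at https://<vpn-host>/internet and only match policy 11.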