bowen
New Contributor

SSL VPN and Multiple User Groups

Does anyone know if it is possible to use multiple authentication groups with the SSL VPN portals? If I have a user that is a member of several groups, it always tries to use the first one it finds in the policy for authentication. I've tried enabling the auth-multi-group setting but it doesn't seem to have any effect for the SSL VPNs. Thanks for any help or advice.
rwpatterson
Valued Contributor III

Welcome to the forums. Personally, I only make users members of a single SSL VPN group in AD for that very reason.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Can you clarify what you're trying to do? If you're looking at using multiple authentication methods, RADIUS vs. LDAP, I think the 1st authentication method would be selected. Per the release notes on auth-multi-group, since you mention it:
Previously, when a user belonged to multiple user groups, this user could only access the group services that were within one group. With multiple group enforcement, a user can access the services within the groups that the user is part of. For example, userA belongs to user_group1, user_group2, user_group3, and user_group4; previously userA could only access services within one of those four groups, typically the group that matches the first security policy. This can be annoying if HTTP access is in user_group1, FTP access is in user_group2, and email access is in user_group3. Now userA can access services within user_group1, user_group2, user_group3, and user_group4. This feature is available only in the CLI and is enabled by default. It applies to RADIUS, LDAP, and TACACS+ servers. The new command for this feature is auth-multi-group found in config user settings and checks all groups a user belongs to for authentication.
Please clarify what you're trying to do.

PCNSE 

NSE 

StrongSwan  

Sego
New Contributor II

Hi all, and sorry for resurrecting an old topic.

I have something similar to achieve. My goal is to create more than one group for VPN access.

1 for remote employees, 1 for contractors, 1 for admins. Each group is going to have a different level of access for network and hosts.

So, in Active Directory I will create groups A, B and C and put users in those groups (none of the users will be in multiple groups).

Create groups on FG under "Users & auth." - User Groups, and the groups will be remote groups from AD. VPN - SSL VPN Settings - under Authentication/Portal Mapping, throw in all 3 groups to the proper portal.

Create at least 3 policies so that users can connect and access allowed resources.

 

Is this idea OK, or is there some other way to achieve the goal?

Thank you!

CodeTron
New Contributor III

I have the same question :) Did you get an answer for this?

Sego
New Contributor II

Hi,

Yes, it has been solved.

AD is needed, but mine was a RADIUS server as the authentication service.

All groups intended for VPN need to be mapped into a portal; after that, just put them into the FW policy as intended.

Cheers!
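
A consistency check for the setup described in the posts above, added here as an example and not posted by anyone in the thread: it reads a FortiOS configuration and reports groups that have an SSL VPN portal mapping but no firewall policy, and groups used in an SSL VPN policy without a portal mapping. The group and portal names are constructed, and `ssl.root` as the SSL VPN interface name is an assumption about the deployment.

```python
import re

# Constructed sample in FortiOS CLI syntax; every group and portal name is made up.
SAMPLE = '''
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-employees"
            set portal "portal-employees"
        next
        edit 2
            set groups "vpn-contractors"
            set portal "portal-contractors"
        next
        edit 3
            set groups "vpn-admins"
            set portal "portal-admins"
        next
    end
end
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set groups "vpn-employees"
    next
    edit 11
        set srcintf "ssl.root"
        set groups "vpn-admins" "vpn-helpdesk"
    next
end
'''

def entries(config, section):
    """Return one {setting: [quoted values]} dict per 'edit' entry in a top-level section."""
    top = re.search(rf"^config {re.escape(section)}\n(.*?)^end$", config, re.S | re.M)
    bodies = re.findall(r"edit \S+\n(.*?)\n\s*next", top.group(1) if top else "", re.S)
    return [{k: re.findall(r'"([^"]*)"', v) for k, v in re.findall(r"set (\S+) (.*)", b)}
            for b in bodies]

def audit(config, vpn_intf="ssl.root"):  # vpn_intf is an assumed interface name
    """Compare groups mapped to SSL VPN portals with groups used in SSL VPN policies."""
    mapped = {g for e in entries(config, "vpn ssl settings") for g in e.get("groups", [])}
    in_policy = {g for e in entries(config, "firewall policy")
                 if vpn_intf in e.get("srcintf", []) for g in e.get("groups", [])}
    return {"mapped_without_policy": sorted(mapped - in_policy),
            "policy_without_mapping": sorted(in_policy - mapped)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```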
