Fortinet Community

bowen · ‎09-20-2012

Does anyone know if it is possible to use multiple authentication groups with the SSl VPN Portals. If I have a user that is a member of several Groups it always tries to use the first one it finds in the policy for authentication. I' ve tried enabling the auth-multi-group setting but it doesn' t seem to have any effect for the SSl VPN' s. Thanks for any help or advise.

rwpatterson · ‎09-22-2012

Welcome to the forums. Personally, I only make users members of a single SSL VPN group in AD for that very reason.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc · ‎09-22-2012

Can you clarify what your trying todo? If your looking at using multiple authentication methods radius vrs ldap, I think the 1st authentication method would be selected. Per the release notes on auth-multi-group, since you mention it.

Previously, when a user belonged to multiple user groups, this user could only access the group services that were within one group. With multiple group enforcement, a user can access the services within the groups that the user is part of. For example, userA belongs to user_group1, user_group2, user_group3, and user_group4; previously userA could only access services within one of those four groups, typically the group that matches the first security policy. This can be annoying if HTTP access is in user_group1, FTP access is in user_group2, and email access is in user_group3. Now userA can access services within user_group1, user_group2, user_group3, and user_group4. This feature is available only in the CLI and is enabled by default. It applies to RADIUS, LDAP, and TACACS+ servers. The new command for this feature is auth-multi-group found in config user settings and checks all groups a user belongs to for authentication.

Please clarify what your trying todo?

PCNSE

NSE

StrongSwan

Fortinet Community

SSL VPN and Multiple User Groups