Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SSL VPN doesn't recognize LDAP groups correctly

Hi, I want to configure SSL VPN web and tunnel access using two LDAP AD groups.


Group A -> I assing them WebPortal "A" with certain bookmarks and particular IP Subnetting.

Group B -> I assing them another WebPortal "B" with other bookmarks and other particular IP Subnetting.


All the configuration works OK (as descrived) with fortigate local users.

I have configured SSL VPN settings, Portals, bookmarks, groups, ldap server ,etc etc...


But.. when I user LDAP users:

the users can login but fortigate didn't recognize the group membership.

After loged in .. All domain users view the same Web Access Portal and get the same configuration with tunnel access using forticlient.


The fortigate is a 60E model with 6.0.2 firmware build 0163.


Can you help me? I don't know which could be the problem  :$










Contributor II

You need tow ssl vpn portals with different Source IP Pools (address objects). Also you need to create tow user groups and at the ssl-vpn settings you have to assign each group one portal. At ssl-vpn settings also add the appropriate ip ranges. Lastly, you have to create ipv4 policy to allow traffic from vpn (specific group/ip pool/portal) to your desired destination networks or address objects.

Orestis Nikolaidis

Network Engineer/IT Administrator

Orestis Nikolaidis Network Engineer/IT Administrator

Hi, thank you for answering. Yes I done those configurations (groups, different IP sources, different portals, ,etc).

All those configurationws works perfectly with local users (fortigate users). But, when I use Active directory users (whose are in those groups two) don't work. They can login but all enter in the same portal, same subnet ,etc..


Try the following:

conf user ldap

edit <your-ldap-server>

set group-member-check group-object




Also, if you have a Radius server configured, remove it or make the conf invalid (set wrong ip etc) and try ldap again. I have an ongoing ticket with TAC about this, radius auth is chosen in my fw even though users use ldap.


Good luck.



Richie NSE7

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors