Hi everyone, I have a Fortigate 80E running on 6.2.3 . I have configured SSL VPN for remote users access, installed signed certificate and tested - running ok . Tunnel mode & web mode both OK. Then I configured 2 Portals : 1st is for Admins (tunnel and web) - there is a IPv4 policy in place which grants them access to all the subnets and another one for Internet Access. User accounts are created locally on the firewall. 2nd is for Corprorate users access which are authenticating against a RADIUS server. There is a dedicated IPv4 policy in place which grants them access to required internal resources and another one for Internet access.
Issue: ALL users are authenticated against 1st portal from the list - RA management portal and IP addresses are assigned from RA for Admins Pool. ( both scenarios tested - Forticlient or Web based VPN).
Any ideea how can I have dedicated portals for each group ?
Kind regards, Adi
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
have you looked at realms? This should give you want you need.
https://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
I like to use them just for what you describe for separation of protals and auth rules. Or for different language support for web-portals.
Ken Felix
PCNSE
NSE
StrongSwan
You've probably resolved this, but let me add one point. We do the same thing as you're trying but we use different URL and realm for each portal as already pointed out. We also use separate IP pools but that's just for logging purposes. We use group membership on the policies to control access. I don't think you can use the client IP's in your policies successfully - and if you can I'd really like to talk to you about that! I've spent a bunch of time experimenting with no success on that.
FYI, we had to upgrade from 5.4.8 to 6.0 to get the group membership on policies to be evaluated properly. I know nothing about whether it works in 6.2. I hope so because we'll need it when we go to 6.2.
...Fred
have you looked at realms? This should give you want you need.
https://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
I like to use them just for what you describe for separation of protals and auth rules. Or for different language support for web-portals.
Ken Felix
PCNSE
NSE
StrongSwan
You've probably resolved this, but let me add one point. We do the same thing as you're trying but we use different URL and realm for each portal as already pointed out. We also use separate IP pools but that's just for logging purposes. We use group membership on the policies to control access. I don't think you can use the client IP's in your policies successfully - and if you can I'd really like to talk to you about that! I've spent a bunch of time experimenting with no success on that.
FYI, we had to upgrade from 5.4.8 to 6.0 to get the group membership on policies to be evaluated properly. I know nothing about whether it works in 6.2. I hope so because we'll need it when we go to 6.2.
...Fred
@ Ken and Fred - thanks to pointing me to this approach. I will need web and tunnel for 1st portal and tunnel for 2nd portal - users.
@ Ken - congratulations for you blog, it's impressive ! Thanks for sharing all that knowledge with everyone.
Up to this moment I couldn't do any tests as the FW is in production , but I will give a try as I haven't configured HA and I still have a 80E available.
Kind regards,
Adi
That was easy, if you know what you have to do !
Firewall rules are very important, I had to create 2 for each realm , one for Internet access and one for internal corporate access.
Works on FortiOs 6.2.3 with a HA cluster on 80E.
Kind regards,
Adi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.