Sylvaner
New Contributor

SSLVPN - Use different portal for user in the 2 groups

 

Hello,

 

All my users are in an LDAP group "Users".
All my admins are in the LDAP groups "Admins" and "Users".

I have an SSL VPN portal for all users (group Users).
I have created a specific portal for all admins.

But the admins are recognized like simple users.

Is there a possibility to do this? Because I tried to change the order but nothing changes; my admins are seen like simple users.

Thanks

Sylvaner
1 Solution
Toshi_Esumi
Esteemed Contributor III

There is more to having two user groups backed by one auth server than just separate portals. You need to have separate policy sets after defining two different user groups.

But even if you do that, admin users might not be consistently recognized as admin users if the username is the same, because the FGT asks for authentication for all possible groups for SSL VPN, even if they're authenticated by different auth servers, then accepts the first affirmative reply.
Read @Debbie_FTNT's KB below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent...

So your option would be using "realms" so that the user can specify which group to log on to by themselves, unless you can/want to define different usernames for admin users, like Sylvanar_a.

@fernandezm_FTNT's KB below explains how to configure realm-based SSL VPN in the GUI.
https://community.fortinet.com/t5/Blogs/Deploying-SSL-VPNs-Using-Multiple-Realms/ba-p/238145

But it's basically the same as the old cookbook below, which is based on the CLI:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/724772/ssl-vpn-multi-realm

Toshi
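
A sketch of the realm-based layout suggested in the answer above, as an added example that is not part of the original thread or of the linked Fortinet articles. Every object name, DN and the realm name is a placeholder, the two portals are assumed to exist already, and the `#` lines are annotations.

```fortios
# Constructed example: ldap-corp, VPN-Users, VPN-Admins, portal-users,
# portal-admins, the realm "admin" and both DNs are placeholders.
config user group
    edit "VPN-Users"
        set member "ldap-corp"
        config match
            edit 1
                set server-name "ldap-corp"
                set group-name "CN=Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
    edit "VPN-Admins"
        set member "ldap-corp"
        config match
            edit 1
                set server-name "ldap-corp"
                set group-name "CN=Admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
config vpn ssl web realm
    edit "admin"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Users"
            set portal "portal-users"
        next
        edit 2
            set groups "VPN-Admins"
            set portal "portal-admins"
            set realm "admin"
        next
    end
end
```

Rule 2 is tied to the "admin" realm, so it is the realm an admin chooses at login, not the username, that separates the two groups. Each group still needs its own firewall policy from the SSL VPN interface, as the answer notes.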

Sylvaner
New Contributor

Thank you for your answer, I will try this.

Sylvaner