Hi,
FortiGate Firmware 7.2
I am trying to setup different VPN SSL-VPN -> LAN Firewall Policies for users so I can assign rules based on this, I have a unique Radius server for each user group and AD user groups see below.
When I user connects how does the VPN know which to use for the user? will it pickup on the AD Group in the incoming Firewall policy or just use the first in the sequence?
Hello @julianhaines ,
As per your screenshot, the first user group in your rule is not the AD group. This is the FSSO group. Because of that, Fortigate just look radius group and Fortigate determines user is allowed for this traffic or not by radius group.
In my opinion, you should use just one authentication group (like a Radius, LDAP.. not FSSO) in your ssl-vpn rule.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent...
If no local user entry is found, FortiGate looks for any remote authentication servers that are included in the user groups – any LDAP or RADIUS authentication server in any user group in any SSLVPN policy. This can amount to several different servers.
FortiGate tries to authenticate the user against all possible authentication servers at once. There is no priority list at present (FortiOS 7.0.3) to influence in what order FortiGate checks credentials against authentication servers.
Note:
FortiGate checks against all possible authentication servers in parallel to allow the fastest possible response time and prevent undue wait times during login. It does NOT check against secondary server IPs: these are only queried if no response has been observed from primary servers at all. FortiGate will check the secondary servers once the remote authentication timeout has been reached ('remoteauthtimeout' under 'config system global' in CLI).
The FortiGate will accept the first successful reply from ANY of the possible servers. If the user is checked against two LDAP servers and two RADIUS servers at the same time, and one LDAP returns a successful reply first, then FortiGate will accept this and abandon the other authentication requests.
**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
Thanks for the information, the VPN uses the Radius server to do 2-factor with DUO when users connect, what I have found is that I need to add the Radius server for the VPN out Firewall Policy as well or users can't connect to the VPN and by added this I can't filter the users as all the users groups are the same, the Radius Server
If the same username exists in both groups, you have to use "realm" to let the user specify which group to connect to. Otherwise, as @adimailig explained, the FGT asks both and takes the first successful return from the remote auth servers, and you don't have any control which one would authenticate.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/724772/ssl-vpn-multi-realm
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.