julianhaines
New Contributor

VPN SSL-VPN -> LAN Firewall Policy

Hi,

FortiGate Firmware 7.2

 

I am trying to set up different VPN SSL-VPN -> LAN firewall policies for users so I can assign rules based on this. I have a unique RADIUS server for each user group, and AD user groups; see below.

 

VPNSSL to LAN.png

When a user connects, how does the VPN know which one to use for the user? Will it pick up on the AD group in the incoming firewall policy, or just use the first in the sequence?

ozkanaltas
Contributor III

Hello @julianhaines ,

 

As per your screenshot, the first user group in your rule is not the AD group; it is the FSSO group. Because of that, FortiGate just looks at the RADIUS group, and FortiGate determines whether the user is allowed for this traffic or not by the RADIUS group.

 

In my opinion, you should use just one authentication group (like RADIUS or LDAP, not FSSO) in your SSL-VPN rule.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
adimailig
Staff


https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent...

If no local user entry is found, FortiGate looks for any remote authentication servers that are included in the user groups – any LDAP or RADIUS authentication server in any user group in any SSLVPN policy. This can amount to several different servers.

FortiGate tries to authenticate the user against all possible authentication servers at once. There is no priority list at present (FortiOS 7.0.3) to influence in what order FortiGate checks credentials against authentication servers.

Note:

FortiGate checks against all possible authentication servers in parallel to allow the fastest possible response time and prevent undue wait times during login. It does NOT check against secondary server IPs: these are only queried if no response has been observed from primary servers at all. FortiGate will check the secondary servers once the remote authentication timeout has been reached ('remoteauthtimeout' under 'config system global' in CLI).

The FortiGate will accept the first successful reply from ANY of the possible servers. If the user is checked against two LDAP servers and two RADIUS servers at the same time, and one LDAP returns a successful reply first, then FortiGate will accept this and abandon the other authentication requests.

 

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**

Best Regards,

Arnold Dimailig
TAC Engineer
julianhaines

Thanks for the information. The VPN uses the RADIUS server to do 2-factor with DUO when users connect. What I have found is that I need to add the RADIUS server to the VPN-out firewall policy as well, or users can't connect to the VPN, and by adding this I can't filter the users, as all the user groups are the same (the RADIUS server).

UserGroup.png

Toshi_Esumi
SuperUser

If the same username exists in both groups, you have to use "realm" to let the user specify which group to connect to. Otherwise, as @adimailig explained, the FGT asks both and takes the first successful return from the remote auth servers, and you don't have any control which one would authenticate.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/724772/ssl-vpn-multi-realm

Toshi
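Added example (not from this thread, nor from Fortinet's documentation): a FortiOS 7.2 CLI sketch of the situation @julianhaines describes, two user groups that both just contain the Duo RADIUS server, next to the two ways the replies point at for telling the groups apart: matching on the group name the RADIUS server returns (what @ozkanaltas means by "the RADIUS group"), and realms (Toshi's suggestion). Group names, the server address, interface and address-object names, and the timeout values are assumptions; the Option A path additionally assumes the RADIUS server returns the Fortinet-Group-Name attribute in its Access-Accept, which the page does not establish for the poster's Duo setup.

```fortios
# --- As posted (cannot be filtered): both groups just contain the RADIUS server,
# so any user Duo accepts is a member of BOTH groups and the first matching
# SSL-VPN -> LAN policy in the sequence applies to everyone.
config user radius
    edit "duo-radius"
        set server "10.0.0.5"          # assumed Duo Authentication Proxy
        set secret "CHANGE-ME"         # placeholder
        set timeout 60                 # assumed; Duo push needs more than the 5 s default
    next
end
config user group
    edit "VPN_Finance"
        set member "duo-radius"
    next
    edit "VPN_Engineering"
        set member "duo-radius"
    next
end

# --- Option A: one RADIUS server, membership decided by the group name the
# server returns (Fortinet-Group-Name). Assumes the RADIUS side sends it.
config user group
    edit "VPN_Finance"
        set member "duo-radius"
        config match
            edit 1
                set server-name "duo-radius"
                set group-name "Finance"        # must equal the returned attribute value
            next
        end
    next
    edit "VPN_Engineering"
        set member "duo-radius"
        config match
            edit 1
                set server-name "duo-radius"
                set group-name "Engineering"
            next
        end
    next
end

# --- Option B: realms. The user picks the realm at login
# (e.g. https://vpn.example.com:10443/finance), so only that realm's
# authentication rule, and therefore only that group, is used.
config vpn ssl web realm
    edit "finance"
    next
    edit "engineering"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN_Finance"
            set portal "full-access"
            set realm "finance"
        next
        edit 2
            set groups "VPN_Engineering"
            set portal "full-access"
            set realm "engineering"
        next
    end
end

# --- Either way, one SSL-VPN -> LAN policy per group, keyed on the group.
# Repeat for VPN_Engineering with its own destination addresses.
config firewall policy
    edit 10
        set name "SSLVPN-Finance-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"                 # assumed LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Finance_Servers"          # assumed address object
        set groups "VPN_Finance"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# The parallel query described above is abandoned at remoteauthtimeout;
# raise it so a pending Duo push is not cut off (value assumed).
config system global
    set remoteauthtimeout 60
end
```

With Option A the FortiGate still sends one request per configured server, so the group is not chosen by the policy order but by the attribute the server returns; with Option B the realm restricts which authentication rule (and group) is even tried. Check the result with `diagnose debug application fnbamd -1` plus `diagnose debug enable` during a test login, and confirm the user lands in the intended group with `get vpn ssl monitor` before relying on the policy split.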
