Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vladimir_Ostrovsky
New Contributor

Way to propagate user identity between firewalls?

Good day,

Does anybody know about a way to utilize user/group identities of VPN clients on a FortiGate which is not their VPN gateway?

 

What I mean is:

[ul]
  • Let's say people connect by FortiClient to FortiGate1. It's very easy and handy to include their group identity in firewall policies on this very FortiGate, because it has authenticated & authorized them and it knows who they are.
  • But then their traffic is forwarded to FortiGate2. Which sees only source IP addresses and nothing more. So unless I assign each group of users VPN addresses from another range (which is very non-flexible and doesn't solve the case when a user belongs to multiple groups) - FortiGate2 has no way to differentiate between them.[/ul]

    Is there some new elegant technology to solve this, which I don't know about?

     

    Thanks,

    Vladimir.

  • 1 REPLY 1
    Fishbone_FTNT

    Hi Vladimir, you did not explain how users are logged in, but you  can use some sort of RADIUS accounting and RSSO on other Fortigates.

    This is generic and quite flexible and generic solution. You can do something very similar using FSSO on FortiAuthenticator as RSSO receiver, "translating" Radius Accounting into FSSO service.

    Cheers, Fishbone)(

    smithproxy hacker - www.smithproxy.org

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors