Hello Guys,
I deployed two SSID in WPA2 Enterprise architecture with authentication on Windows Radius ( NPS ) as the link below and everything works ( https://docs.fortinet.com/document/fortiap/6.4.0/fortiwifi-and-fortiap-cookbook/414919/wifi-with-wss...
To differentiate groups on Windows AD I followed this guide ( https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/710485/restricting-radius-us... )
The FW sees the connected users as Wifi Single-Sign On
is it possible to group some account in different firewall policies ?
I have tried creating Radius type users on the FGT but it does not work.
Do you know if there is a way?
Thank you very much
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
(sorry about the late reply)
Not exactly.
With WSSO, the matched string sent from NPS is compared to the name of the group in your FortiGate (what you have in "RADIUS_WiFi_???"), and the group must be completely empty in the config. (no reference to any RADIUS server)
WSSO does not use the "Remote server" + "group name" options.
Hi Fabio,
Can you please clarify what you mean by "grouping accounts"? I'm not too sure what you mean by that. An example of what you're trying to achieve would help.
As for targetting individual users (re: "I have tried creating Radius type users"), please note that WSSO-style authentication only works with groups. It is not possible for it to target individual users. (unless you specifically create "personal groups" for users and advertise those in the Fortinet-Group-Name VSA sent by the NPS)
Hi pminarik,
In the group that I entered for authentication under the SSID and which calls up through the Fortinet-Group-Name VSA parameter the specific group in Windows Ad, there are all the accounts in the company, both managers and workers.
I would like to treat the two groups under different firewall policy in order to assign them specific permissions.
I didn't know it only works with groups, okay, but what kind of type group should it be ? Radius, ldap, local.. Should I indicate the path where the Group is located in the Active Directory ?
Hi Fabio,
WSSO groups are handled in an unusual way - you simply need an empty firewall-type group which does not link to or reference anything. The matching will be done purely based on the exact name of the group (must match the Fortinet-Group-Name string received).
Here's an old but good article which describes it - https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/640488/wifi-with-wsso-using-windows-nps-...
The group creation in FortiOS is described in step 5.
Maybe I understand.
I have to create two group that mapping two group in Windows AD tagged with VSA parameter ad hoc and this two fortinet group empty in two different firewall policy . Is it correct ?
Like this but X 2
where the tag NTL match the same in the FW group; one for Manager and another for WORK .
Both inside the SSID and then in the policy
(sorry about the late reply)
Not exactly.
With WSSO, the matched string sent from NPS is compared to the name of the group in your FortiGate (what you have in "RADIUS_WiFi_???"), and the group must be completely empty in the config. (no reference to any RADIUS server)
WSSO does not use the "Remote server" + "group name" options.
YES WORKS :)
in the SSID only the RADIUS and in the User Groups only the name that match the VSA parameter in Windows NPS, as the guide ..
( Here's an old but good article which describes it - https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/640488/wifi-with-wsso-using-windows-nps-...
The group creation in FortiOS is described in step 5. )
Of course in the NPS you have to create two or more Network Policy to match the Groups you want set in differents Firewall policy in FGT.
Thank you so Much
Fabio
this is the two user in different groups in windows AD
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.