static IP for a SSL VPN Client
Hi all.
I need to assign a static IP (i.e. always the same IP) to each client in an SSL VPN. The only way I know of doing so is creating a different portal for each user... but I need about 50, and apparently the max is 10. Can anybody confirm this limit for me? Is there any other way to fix an IP to a username?
Thanks in advance.
Don't know if radius and frame-address (a Type 8 attribute) might be your solution, but seriously, you have an identity-based firewall, just allow the user access by policy and identity. That's the #1 advantage of a fortigate versus most other vendors, it's so simple to deploy id-fwpolicies.
If you have a support contract, ask support if a frame-ip-address could be issued on behalf of the radius server for the SSLVPN client. I myself have never heard of anybody doing this, but that might be a solution and way better than trying to deploy 50+ portals.
As a matter of fact, I think you even have limits on the number of sslvpn portals that you can create now that I think about it.
PCNSE
NSE
StrongSwan
Hi again...
I need the fixed IP because I have to map printers and so on...
I'm trying with the RADIUS (still no luck) but thanks for the advice,
greetings.
Hi guys, do you have any solution for this? I need to assign about 40 static IPs for SSL clients.
Thanks so much.
Hi,
I don't know whether it helps.
I tried to set this up in the lab and was able to assign a specific IP address to the client with the standard RADIUS attribute Framed-IP-Address.
So probably you will not be able to do this with local users.
However, if you have a RADIUS server, you have to define the Framed-IP-Address attribute for all users, and the user group name is also needed, so also add the Fortinet Vendor-Specific Attribute Fortinet-Group-Name.
I can imagine a situation where you put all the users into one group but the users have specific IP addresses, so you create separate firewall rules for them and it does not matter that they are in the same group.
You will still have to configure routing to the SSL interface and also select the IP range in the portal settings - MUST BE IN THE SAME IP RANGE AS THE USER'S ADDRESSES.
What you need to change in the CLI is the addressing mode under the portal settings:
# set ip-mode ?
range         Use IP range.
user-group    Use framed IP defined with user group.
The default is range, you change it to user-group.
AtiT
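The RADIUS side of the setup described in the post above, as an added example that is not part of the original thread: it checks a user-to-address plan against the portal range (each address must fall inside it and belong to one user only, since per-IP firewall rules assume that) and renders the two reply attributes per user. Assumptions: the output follows FreeRADIUS "users" file style with credential check items left out, and the range, group name and user names are constructed sample values.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not taken from the thread).
PORTAL_RANGE = ("10.212.134.10", "10.212.134.60")  # range selected in the portal
GROUP = "sslvpn-users"                              # value for Fortinet-Group-Name
PLAN = {"alice": "10.212.134.11", "bob": "10.212.134.12"}

def validate_plan(plan, first, last):
    """Return a list of problems; an empty list means the plan is usable."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    problems, owner = [], {}
    for user, addr in sorted(plan.items()):
        if not re.fullmatch(r"[A-Za-z0-9._@-]+", user):
            problems.append(f"{user!r}: unsafe characters in user name")
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            problems.append(f"{user}: {addr!r} is not an IPv4 address")
            continue
        if not lo <= ip <= hi:
            problems.append(f"{user}: {ip} is outside the portal range {lo}-{hi}")
        if ip in owner:
            problems.append(f"{user}: {ip} is already assigned to {owner[ip]}")
        else:
            owner[ip] = user
    return problems

def render_users(plan, group):
    """Render per-user reply items, FreeRADIUS 'users' file style (assumed)."""
    stanzas = []
    for user, addr in sorted(plan.items()):
        stanzas.append(
            f"{user}\n"
            f"\tFramed-IP-Address = {addr},\n"
            f'\tFortinet-Group-Name = "{group}"\n'
        )
    return "\n".join(stanzas)

if __name__ == "__main__":
    errors = validate_plan(PLAN, *PORTAL_RANGE)
    print("\n".join(errors) if errors else render_users(PLAN, GROUP))
```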
Dear AtiT:
Can I ask about the settings for the Framed-IP-Address attribute on RADIUS? How is it set?
Thanks a lot
Allen
