Lessue
New Contributor

Authenticating SSL VPN with RADIUS using class 25 possible?

With AnyConnect it is possible to authenticate to RADIUS and let NPS handle which group-policy/tunnel-group the user should receive based on their rights in NPS. Is this possible with FortiGate SSL-VPN and is there anything special needed to configure this besides the NPS itself?

I can't seem to find any documentation about this type of implementation.

1 Solution
xsilver_FTNT
Staff

Hello,

it is possible to pair users to a specific user group defined on FortiGate.

This pairing is for authentication done strictly through the Fortinet-Group-Name VSA (vendor specific attribute) AVP (additional value pair).
Using anything else, like the Class AVP, is not possible for active authentications.

For more details about RADIUS Group Match, as the feature is usually called on FortiOS/FortiGate, kindly refer to this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-Remote-server-group-match-o...

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Lessue
New Contributor

Thank you. Another good link I found for matching the group is below.

 

Technical Tip: How to define group based authoriza... - Fortinet Community

xsilver_FTNT

Yes, good one as well, more oriented to NPS, while mine was more on how FGT handles that and what is expected in the RADIUS Access-Accept to make it work.
Both are good sources.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
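
To check what a RADIUS server such as NPS actually returns, the following added example (not part of the thread and not Fortinet code) decodes an Access-Accept and separates the Fortinet-Group-Name VSA from the Class attribute discussed above. The vendor ID 12356 and sub-attribute number 1 are taken from Fortinet's RADIUS dictionary rather than from this thread; the group name `VPN-Admins` and both sample packets are constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number (not from the thread)
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name in Fortinet's RADIUS dictionary
ACCESS_ACCEPT, ATTR_CLASS, ATTR_VSA = 2, 25, 26

def attributes(packet: bytes):
    """Yield (type, value) for every attribute of a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                                  # skip code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def group_match_inputs(packet: bytes) -> dict:
    """Split a reply into the Fortinet group VSA values and the Class values."""
    out = {"accept": packet[:1] == bytes([ACCESS_ACCEPT]), "fortinet_groups": [], "class": []}
    for atype, value in attributes(packet):
        if atype == ATTR_CLASS:
            out["class"].append(value)
        elif atype == ATTR_VSA and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
                continue                      # another vendor's VSA, not used for matching
            sub = value[4:]                   # vendor-type, vendor-length, data ...
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] == FORTINET_GROUP_NAME:
                    out["fortinet_groups"].append(sub[2:sub[1]].decode("utf-8", "replace"))
                sub = sub[sub[1]:]
    return out

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def sample_accept(attrs: bytes) -> bytes:
    """Constructed Access-Accept with a zeroed authenticator (for parsing only)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed replies: one carries only Class, the other adds the Fortinet VSA.
CLASS_ONLY = sample_accept(_attr(ATTR_CLASS, b"VPN-Admins"))
WITH_VSA = sample_accept(_attr(ATTR_CLASS, b"VPN-Admins") + _attr(
    ATTR_VSA, struct.pack("!I", FORTINET_VENDOR_ID) + _attr(FORTINET_GROUP_NAME, b"VPN-Admins")))

if __name__ == "__main__":
    for name, pkt in (("class only", CLASS_ONLY), ("with VSA", WITH_VSA)):
        print(name, group_match_inputs(pkt))
```

A reply that produces an empty `fortinet_groups` list gives the FortiGate nothing to match a user group on, even when Class is populated.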
