Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lessue
New Contributor

Created on ‎12-01-2021 06:31 AM

Authenticating SSL VPN with RADIUS using class 25 possible?

With AnyConnect it is possible to authenticate to RADIUS and let NPS handle which group-policy/tunnel-group the user should receive based on their rights in NPS. Is this possible with Fortigate SSL-VPN and is there anything special needed to configure this besides the NPS itself?

 

I can't seem to find any documentation about this type of implementation.

Labels:
2926
0 Kudos
1 Solution
xsilver_FTNT
Staff
Staff

Created on ‎12-01-2021 08:12 AM Edited on ‎12-01-2021 08:13 AM

Hello,

it is possible to pair users to specific user group defined on FortiGate.

This pairing is for authentication done strictly through Fortinet-Group-Name VSA (vendor specific attribute) AVP (additional value pair).
Using anything else, like Class AVP, is not possible for active authentications.

 

More details about RADIUS Group Match, as the feature is usually called on FortiOS/FortiGate, kindly refer to this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-Remote-server-group-match-o...

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

View solution in original post

2913
3 REPLIES 3
xsilver_FTNT
Staff
Staff

Created on ‎12-01-2021 08:12 AM Edited on ‎12-01-2021 08:13 AM

Hello,

it is possible to pair users to specific user group defined on FortiGate.

This pairing is for authentication done strictly through Fortinet-Group-Name VSA (vendor specific attribute) AVP (additional value pair).
Using anything else, like Class AVP, is not possible for active authentications.

 

More details about RADIUS Group Match, as the feature is usually called on FortiOS/FortiGate, kindly refer to this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-Remote-server-group-match-o...

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

2914
Lessue
New Contributor

Created on ‎12-02-2021 06:15 AM

Thank you. Another good link I found for matching the group is below.

 

Technical Tip: How to define group based authoriza... - Fortinet Community

2804
0 Kudos
xsilver_FTNT
Staff
Staff
In response to Lessue

Created on ‎12-02-2021 06:27 AM

Yes, good one as well, more oriented to NPS while my one was more on how FGT handles that and what is expected in RADIUS Access-Accept to make it working.
Both are good sources.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

2802
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.