Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jucker
New Contributor III

Created on ‎10-01-2023 07:02 PM Edited on ‎10-01-2023 07:03 PM

FortiNAC Fortigate remote vpn using LDAP Groups based authentication support question

Hello,

 

Does FortiNAC support ldap group based authentication for fortigate without using the tag for remote access vpn?. Only Radius simple authentication.

 

Thank you.

Regards!

@ebilcari 

FortiNAC  

Labels:
982
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to Jucker

Created on ‎10-04-2023 07:49 AM

Basically you can use it for base authentication only but that's not flexible. You can't filter by groups (it will allow all the groups), you can't return groups to FGT since there is no possibility to create the logical networks and use additional RADIUS Attributes based on LDAP groups. Maybe it will be included in future releases of FNAC.

16:39:15.370675 IP (tos 0x0, ttl 64, id 43632, offset 0, flags [none], proto UDP (17), length 48)
10.0.0.5.1812 > 10.0.0.1.18613: RADIUS, length: 20
Access-Accept (2), id: 0x07, Authenticator: c60da80578dac9444425d6257533feb0  

The only way that FNAC controls VPN users is via SSO tags.

Fort Authenticator can be useful in this case if no enforcement is needed.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

905
0 Kudos
3 REPLIES 3
ebilcari
Staff
Staff

Created on ‎10-02-2023 12:41 AM

Hi,

If I get it right, you want to use FNAC to do RADIUS authentication only without checking any enforcement just to respond to authentication with a user group as RADIUS attribute (Fortinet-Group-Name)?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
952
0 Kudos
Jucker
New Contributor III
In response to ebilcari

Created on ‎10-02-2023 03:24 AM

@ebilcari To check the authentication user/password against specific AD user or AD group only no further checks (No scan etc...)

937
0 Kudos
ebilcari
Staff
Staff
In response to Jucker

Created on ‎10-04-2023 07:49 AM

Basically you can use it for base authentication only but that's not flexible. You can't filter by groups (it will allow all the groups), you can't return groups to FGT since there is no possibility to create the logical networks and use additional RADIUS Attributes based on LDAP groups. Maybe it will be included in future releases of FNAC.

16:39:15.370675 IP (tos 0x0, ttl 64, id 43632, offset 0, flags [none], proto UDP (17), length 48)
10.0.0.5.1812 > 10.0.0.1.18613: RADIUS, length: 20
Access-Accept (2), id: 0x07, Authenticator: c60da80578dac9444425d6257533feb0  

The only way that FNAC controls VPN users is via SSO tags.

Fort Authenticator can be useful in this case if no enforcement is needed.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
906
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.