chocolateeater
New Contributor

IPsec access list based on user group

Hi, all.

I'm new to Fortinet, having worked with other brands up til now.

I'm trying to get a new FortiGate 101F up and running, and I am now configuring IPsec tunneling using the FortiClient.

Is there a way to set access lists (network interface/subnets) based on user or user group? Can't seem to find any documentation on this, and unclear how this would be supported based on what I see when I configure the policy.

 

Thanks,

Chocolate Eater

pminarik
Staff

If you're doing XAUTH or EAP authentication:

1. Leave the XAUTH/EAP group in phase1 configuration empty (CLI) or set it to "inherit from policy" (GUI).

2. Add the relevant group(s) in the firewall policies for <tunnel> -> <any desirable egress interface> policies.

=> As a result, the FortiGate will remember the user groups learned during IPsec authentication, and they can then be utilized to control access through policies.

[ corrections always welcome ]
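The two steps above, written out as a FortiOS CLI configuration. This is an added example and not pminarik's or Fortinet's own config: interface names (wan1, port1), tunnel name, subnets, user and group names and the placeholder secrets are all assumptions chosen for illustration. It shows what the original question asked for, two user groups each limited to a different internal subnet, with the group check done in the firewall policies rather than in phase1.

```fortios
# Dial-up IPsec phase1 for FortiClient. authusrgrp is deliberately NOT set:
# an empty authusrgrp is the CLI equivalent of "Inherit from policy" in the GUI.
config vpn ipsec phase1-interface
    edit "FCT-VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set assign-ip-from range
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.250
        set psksecret <PRE-SHARED-KEY>
    next
end

# Phase2 keeps the default 0.0.0.0/0 selectors for a dial-up tunnel, so the
# tunnel itself does not restrict destinations; the policies below do that.
config vpn ipsec phase2-interface
    edit "FCT-VPN-p2"
        set phase1name "FCT-VPN"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Internal subnets reachable through the tunnel (assumed addresses)
config firewall address
    edit "Finance-Subnet"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "Engineering-Subnet"
        set subnet 10.10.30.0 255.255.255.0
    next
end

# Local users and groups for the example; in production these would usually
# be LDAP/RADIUS-backed groups, the policy side is identical either way.
config user local
    edit "alice"
        set type password
        set passwd <ALICE-PASSWORD>
    next
    edit "bob"
        set type password
        set passwd <BOB-PASSWORD>
    next
end
config user group
    edit "VPN-Finance"
        set member "alice"
    next
    edit "VPN-Engineering"
        set member "bob"
    next
end

# One policy per group in the tunnel -> internal direction. With no authusrgrp
# in phase1, only members of a group referenced by an enabled policy whose
# srcintf is the tunnel can complete XAUTH; everyone else gets an auth failure.
config firewall policy
    edit 0
        set name "VPN-Finance-to-Finance"
        set srcintf "FCT-VPN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Finance-Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN-Finance"
        set logtraffic all
    next
    edit 0
        set name "VPN-Eng-to-Engineering"
        set srcintf "FCT-VPN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Engineering-Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN-Engineering"
        set logtraffic all
    next
end
```

Two things worth checking after applying this. First, the policies must be enabled and must have the tunnel interface as srcintf; a disabled policy or one in the wrong direction does not count, and the symptom is exactly the authentication failure described later in this thread. Second, after a client connects, `diagnose firewall auth list` shows the authenticated user together with the group the FortiGate learned during XAUTH, which is the quickest way to confirm that the group-to-policy mapping is doing what you expect.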
chocolateeater

Hi, pminarik.

It makes sense what you're saying, but when I set to "Inherit from policy" in XAUTH, I get an authentication failure. Which also makes sense, since it has no user groups to authenticate against.

But I guess I'm missing something....?

pminarik

Once you've switched to "inherit from policy", you need to make sure that any and all groups you want to be able to log into the VPN are listed in an active firewall policy in the tunnel->something direction.

[ corrections always welcome ]