Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
douglas1942
New Contributor

Multiple user groups in a policy source.

Hello, I have a Fortigate policy whereby I want to specify that a user has to belong to TWO user groups in order to pass the policy.

However, I am finding that the user only needs to match one group, but I want BOTH groups to be matched.

 

Is there any way to do this ?

Thank you.

5 REPLIES 5
bpozdena_FTNT

Hello douglas1942,

 

this is not supported as you intended to use it.  The behavior you're seeing is expected.

 

You will need to create a new user group specific for those users and use it in your FW policies.

 

HTH,

Boris 

HTH,
Boris
douglas1942
New Contributor

Thank you. Does anyone have any ideas how to achieve what I want ?

 

bpozdena_FTNT

You can submit a New Feature Request via your local Fortinet Sales Engineer and ask to have a logical AND group-match option added into FortiOS. 

HTH,
Boris
gfleming

IMO you would do this on your LDAP server and not leave it up to the network device. Groups are used to clearly delineate different classes of users. Expecting different network and authentication clients to do logic-based decisions on identifying users based on various group membership criteria is not best practice approach. If a user needs to be in two groups to differentiate their authority then they should be added as a member of a new, different group that properly identifies this class of user.

Cheers,
Graham
ndumaj
Staff
Staff

Hello,
When two separate groups from different RADIUS/LDAP profiles are added, the FortiGate sends an Access-Request simultaneously to both RADIUS/LDAP servers, and authentication succeeds if either server sends back an Access-Accept.
So the authentication will be handled only by one Server.

BR

- Happy to help, hit like and accept the solution -
Labels
Top Kudoed Authors