Allow only one loggin for same username on SSL VPN

Plima · ‎07-23-2018

Hi Everyone,

I have a user group where I only want to allow one session by user. In other words, if the user ABC is logged on the VPN Client and other user log in with the same user (ABC) the result will be denied. I want this for all users in the firewall group.

Is that possible?

thanks

Toshi_Esumi · ‎07-23-2018

This seems to be the same conversation.

https://forum.fortinet.com/tm.aspx?m=159319&tree=true

emnoc · ‎07-23-2018

You can set that in the ssl setting to the number of concurrent vpn users. IIRC it works like this,

1: User TEST logins

2: now user TEST attempts to login in , the firewall warns this to this new request with the action to disconnect the 1st user TEST session

https://forum.fortinet.com/tm.aspx?m=159319

Ken

PCNSE

NSE

StrongSwan

Plima · ‎07-24-2018

toshiesumi wrote:
This seems to be the same conversation.
https://forum.fortinet.com/tm.aspx?m=159319&tree=true

emnoc wrote:
You can set that in the ssl setting to the number of concurrent vpn users. IIRC it works like this,

1: User TEST logins

2: now user TEST attempts to login in , the firewall warns this to this new request with the action to disconnect the 1st user TEST session

https://forum.fortinet.com/tm.aspx?m=159319

Ken

Hi both,

I've tried that, but not successful

thanks

emnoc · ‎07-24-2018

Is it the same fortigate for the two logins? Did you run any diag debug app sslvpn -1 and monitor what the firewall thinks

Ken

PCNSE

NSE

StrongSwan

Plima · ‎07-24-2018

emnoc wrote:
Is it the same fortigate for the two logins? Did you run any diag debug app sslvpn -1 and monitor what the firewall thinks

Ken

Hi Ken,

Is the same Fgt. Yes I run the debug and don't spot anything unusual.

The user came from LDAP, is that relevant?

Thanks

Ashik_Sheik · ‎09-12-2018

Hi ,

Any solutions to this problem .I am facing similar issue .

The Below command configured for LDAP group as well as Local group .Don't work .Appreciate for expert advice .

# config user group # edit "fortilab_exchange" # set auth-concurrent-override enable # set auth-concurrent-value (1-100) # end

Regds,

Ashik

Ashu

Prab · ‎09-12-2018

Plima wrote:
Hi Everyone,

I have a user group where I only want to allow one session by user. In other words, if the user ABC is logged on the VPN Client and other user log in with the same user (ABC) the result will be denied. I want this for all users in the firewall group.

Is that possible?

thanks

Yes, under the SSL-VPN Portal select your portal and enable the "Limit Users to One SSL-VPN Connection at a Time" option. You could use the CLI command too:

FGT# config vpn ssl web portal FGT (portal) # edit web-access <-- Portal name FGT (web-access) # set limit-user-logins enable

Hope it helps!

Prab

Ashik_Sheik · ‎09-13-2018

Hi,

I need this configuration for Tunnel access not web .

Any idea.

Regds,

Ashik

Ashu

Eder_Lima1 · ‎09-13-2018

This configuration can also be used for tunel mode.

FGT01 (full-access) # show config vpn ssl web portal edit "full-access" set tunnel-mode enable set web-mode enable set limit-user-logins enable set ip-pools "SSLVPN_TUNNEL_ADDR1" set split-tunneling-routing-address "DMZ" "LAN" config bookmark-group edit "gui-bookmarks" next end set theme green next end FGT01 (full-access) # [style="background-color: #ffff00;"]set limit-user-logins[/style] [style="background-color: #ffff00;"]enable[/style] Enable setting. disable Disable setting.

limit-user-logins Enable to limit each user to one SSL-VPN session at a time.

NSE4, NSE5, NSE6, NSE7

CCNA R&S, CCNA Wireless, HCNA