Radius pass-through VPN auth?
I'm wanting to configure my 30E so that minimal user management is done on the device itself, and instead as much as possible done via Windows Server AD mgmt, with RADIUS pass-through.
e.g. Instead of creating users ABC1, ABC2 etc. on the VPN, I'd like to specify only a single AD user group (e.g. "ABCUsers") with all members of that AD group allowed VPN access.
When ABC1 attempts to log in, the VPN would pass the credentials on to the Radius server, and would get a response back saying that either ABC1 is a member of the ABCUsers AD group, and that the supplied credentials are correct so a VPN session can be established, or kick them out.
Users would explictly log in via the Forticlient app login screen, not via SSO from the existing Windows session, as the VPN domain is sandboxed so AD syncing is out.
Please, can anyone advise me whether this configuration is possible or not?
I'm currently experimenting with the RADIUS attribute fields, but I'm not crystal clear on how they integrate with Fortinet groups, I'd really appreciate any advice on if what I've outlined is possible or not, before I throw lots of time at this one.
Thanks and kind regards