Radius pass-through VPN auth?

Author
jimmyb
2019/04/25 13:17:19 (permalink)


Hi there,
I'm wanting to configure my 30E so that minimal user management is done on the device itself, and instead as much as possible done via Windows Server AD mgmt, with RADIUS pass-through.
 
e.g. Instead of creating users ABC1, ABC2 etc. on the VPN, I'd like to specify only a single AD user group (e.g. "ABCUsers") with all members of that AD group allowed VPN access.
 
When ABC1 attempts to log in, the VPN would pass the credentials on to the Radius server, and would get a response back saying that either ABC1 is a member of the ABCUsers AD group, and that the supplied credentials are correct so a VPN session can be established, or kick them out.
 
Users would explicitly log in via the FortiClient app login screen, not via SSO from the existing Windows session, as the VPN domain is sandboxed so AD syncing is out.
 
Please, can anyone advise me whether this configuration is possible or not?
 
I'm currently experimenting with the RADIUS attribute fields, but I'm not crystal clear on how they integrate with Fortinet groups. I'd really appreciate any advice on whether what I've outlined is possible or not, before I throw lots of time at this one.
 
Thanks and kind regards
 
James
 
#1


    xsilver_FTNT
    Re: Radius pass-through VPN auth? 2019/04/26 00:43:49 (permalink)
    Hi James,
     
    I hope you'll find RADIUS group match and attribute usage clearly described in the KB article I wrote a long time ago, which is still valid.
    FD36464

    Kind Regards,
    Tomas
    #2
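An added example (not part of the thread or of the KB article) showing how a RADIUS client can read group membership from an Access-Accept: it verifies the RFC 2865 Response Authenticator with the shared secret, then extracts the Fortinet-Group-Name vendor-specific attribute (vendor 12356, type 1) and compares it with the group from the question. The packet, secret and request authenticator are constructed sample values, and `build_accept`, `fortinet_groups` and `vpn_allowed` are hypothetical helper names.

```python
import hashlib, hmac, struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name in Fortinet's RADIUS dictionary
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26

def build_accept(ident, req_auth, secret, groups):
    """Construct a sample Access-Accept with one group VSA per name (test data)."""
    attrs = b""
    for g in groups:
        sub = bytes([FORTINET_GROUP_NAME, 2 + len(g)]) + g.encode()
        body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
        attrs += bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def fortinet_groups(packet, req_auth, secret):
    """Return Fortinet-Group-Name values from a verified Access-Accept, else []."""
    if len(packet) < 20:
        return []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return []
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return []                      # forged or modified reply: trust nothing
    groups, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return []                  # malformed attribute: reject whole packet
        alen = attrs[i + 1]
        value = attrs[i + 2:i + alen]
        if attrs[i] == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME
                    and 2 <= vlen <= len(value) - 4):
                groups.append(value[6:4 + vlen].decode("utf-8", "replace"))
        i += alen
    return groups

def vpn_allowed(packet, req_auth, secret, required_group="ABCUsers"):
    """Allow the session only if the verified reply names the required group."""
    return required_group in fortinet_groups(packet, req_auth, secret)
```
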
    jimmyb
    Re: Radius pass-through VPN auth? 2019/04/26 09:29:44 (permalink)
    Thanks for the link to the article Tomas, extremely helpful, will work through it next week!
     
    Kind regards
     
    James
    #3
    jeroen.bellaart@qsight.nl
    Re: Radius pass-through VPN auth? 2019/08/22 12:38:38 (permalink)
    Hello,

    Is it possible to post a config for 3rd-party RADIUS (ESET 2FA) for SSL VPN configuration and second auth on policy by LDAP?

    As mentioned:
    If you need chained authentication towards 3rd party LDAP and another 3rd party RADIUS (two different servers), like users in LDAP and tokens in RSA, then this is supported on FortiAuthenticator, only.

    My setup is as follows:
    FGT 6.0.5, FAC 6.0.2 with 3rd-party RADIUS (ESET 2FA) and MS LDAP.

    Many thanks!

    Regards,
    Jeroen
    #4