SSL VPN doesn't recognize LDAP groups correctly

Author
tlombardini
New Member
2019/07/12 15:05:50

Hi, I want to configure SSL VPN web and tunnel access using two LDAP AD groups.
 
Group A -> I assign them WebPortal "A" with certain bookmarks and a particular IP subnet.
Group B -> I assign them another WebPortal "B" with other bookmarks and another particular IP subnet.
 
All the configuration works OK (as described) with FortiGate local users.
I have configured SSL VPN settings, portals, bookmarks, groups, LDAP server, etc.
 
But when I use LDAP users:
the users can log in, but the FortiGate doesn't recognize the group membership.
After logging in, all domain users see the same web access portal and get the same configuration for tunnel access using FortiClient.
 
The FortiGate is a 60E model with 6.0.2 firmware build 0163.
 
Can you help me? I don't know what the problem could be.
#1

3 Replies

    orani
    Bronze Member
    Re: SSL VPN doesn't recognize LDAP groups correctly 2019/07/13 05:28:31
    You need two SSL VPN portals with different source IP pools (address objects). You also need to create two user groups, and in the SSL VPN settings you have to assign one portal to each group. In the SSL VPN settings also add the appropriate IP ranges. Lastly, you have to create an IPv4 policy to allow traffic from the VPN (specific group/IP pool/portal) to your desired destination networks or address objects.
    #2
    tlombardini
    New Member
    Re: SSL VPN doesn't recognize LDAP groups correctly 2019/07/22 11:27:04
    Hi, thank you for answering. Yes, I have done those configurations (groups, different IP sources, different portals, etc.).
    All those configurations work perfectly with local users (FortiGate users). But when I use Active Directory users (who are in those two groups) it doesn't work. They can log in, but they all end up in the same portal, same subnet, etc.
    #3
    kallbrandt
    Silver Member
    Re: SSL VPN doesn't recognize LDAP groups correctly 2019/08/13 14:31:35
    Try the following:
    conf user ldap
    edit <your-ldap-server>
    set group-member-check group-object
    next
    end
     
    Also, if you have a RADIUS server configured, remove it or make the config invalid (set a wrong IP, etc.) and try LDAP again. I have an ongoing ticket with TAC about this: RADIUS auth is chosen on my FW even though users use LDAP.
     
    Good luck.

    Richie
    NSE7
    #4
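    As an added worked example (this is not a configuration posted by anyone in the thread, and nothing here claims to be the original poster's root cause), the FortiOS 6.0 CLI objects below show the complete chain that orani and kallbrandt describe in pieces: an LDAP server with group-member-check set to group-object, one FortiGate user group per AD group whose match entry carries the exact DN of the AD group object, two portals with their own tunnel pools, and the authentication rules that map each group to its portal. All names, DNs, addresses and the service-account credentials are placeholders, and the address objects SSLVPN_POOL_A and SSLVPN_POOL_B are assumed to already exist as iprange objects. Lines starting with # are explanatory comments; drop them if your CLI session rejects them.

```text
# Added example: two AD groups -> two SSL VPN portals on FortiOS 6.0.
# Names, DNs, IPs and credentials are placeholders, not values from the thread.

# 1. LDAP server. group-member-check group-object makes the FortiGate check the
#    group object's member attribute rather than the user's memberOf attribute.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fortigate,OU=Service,DC=example,DC=local"
        set password "<service-account-password>"
        set group-member-check group-object
    next
end

# 2. One FortiGate user group per AD group. group-name must be the exact DN of
#    the AD group object; if it does not match, no LDAP user falls into the group.
config user group
    edit "VPN-GroupA"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-A,OU=Groups,DC=example,DC=local"
            next
        end
    next
    edit "VPN-GroupB"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-B,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# 3. Two portals, each bound to its own tunnel IP pool (bookmarks omitted).
config vpn ssl web portal
    edit "portal-A"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_POOL_A"
    next
    edit "portal-B"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_POOL_B"
    next
end

# 4. Group -> portal mapping. Rules are evaluated top down; a user who matches
#    no rule is given default-portal, which produces the "everyone gets the
#    same portal" symptom when group matching fails.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN-GroupA"
            set portal "portal-A"
        next
        edit 2
            set groups "VPN-GroupB"
            set portal "portal-B"
        next
    end
end

# 5. Firewall policies reference the same group and pool (one of the two shown).
config firewall policy
    edit 10
        set name "SSLVPN-GroupA-to-LAN-A"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL_A"
        set dstaddr "LAN-A"
        set groups "VPN-GroupA"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

    To check which side is failing before touching the portals, run `diagnose test authserver ldap AD-LDAP <user> <password>` on the FortiGate: it authenticates the user against the LDAP server and prints the group DNs it resolved for that user. If the printed DNs do not exactly match the group-name strings in the match entries (including OU path and case of the attribute names), the user will not be placed in the FortiGate group and will fall through to default-portal. `diagnose debug application fnbamd -1` followed by `diagnose debug enable` shows the same lookup in real time during an SSL VPN login, including which authentication server (LDAP or RADIUS) fnbamd actually consulted.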