FortiGate & FortiAuthenticator – Mapping users to Groups for VPN using Radius


I need help from you guys since I can’t find anything wrong with my setup and it still doesn’t work:

I authenticate my Fortigate SSLVPN users against FortiAuthenticator. I want to map some users to a Firewall group in my FG using Radius attributes. I used the “Fortinet-Group-Name” and “fortinet-Access-profile” attributes (set to “test”)

this is my Fortigate config : (FAC-Group for users without attributes, grp-test for users with attribute set to “test”)

config user group
    edit "SSO_Guest_Users"
    edit "FAC-Group"
        set member "FortiAuthenticator"
    edit "grp-test"
        set member "FortiAuthenticator"
        config match
            edit 1
                set server-name "FortiAuthenticator"
                set group-name "test"

this is my debug output :

[1309] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=16, IP=--------------(------------:1812) code=1 id=100 len=101
 user="domainuser" using PAP
[1179] send_radius_challenge_rsp-Timer of rad 'FortiAuthenticator' is added
[1348] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
[1767] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[319] extract_success_vsas-FORTINET attr, type 1, val test
[353] extract_success_vsas-FORTINET attr, type 6, val test
[1374] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' ---------- is 0
[1304] fnbamd_radius_group_match-Skipping group matching
[1018] find_matched_usr_grps-Skipped group matching
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1251334245, len=2014
[747] destroy_auth_session-delete session 1251334245
authenticate 'domainuser' against 'pap' succeeded, server=primary assigned_rad_session_id=1251334245 assigned_admin_profile=test s
ession_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - test

As you can see, the FortiGate matches and extracts the Group Name but still skips the user mapping to the new Group. I tried deleting the “FAC-Group” but then I was unable to even connect.

FG : 6.4.2
FAC : 6.1.2

Any help is appreciated!


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *