Mark,

You are correct about RSSO roles/groups working on Fortigate. We have that part working, but I needed more granular controls for a select user and tried to set up a policy for just that. One workaround you mention would be making groups for individual users; I just worked around it by setting a DHCP reservation on that particular device and setting my policy for that IP.

Aaron
On Wed, Aug 28, 2024 at 9:36 AM Mark Amber <m...@splchicago.com> wrote:
> I am also not clear on exactly the desired setup, perhaps respond to this message with a goal rather than what you did.
>
> As for fortigate SSO, you create Roles and use those roles in user policies on the ftg. Wouldn’t you want this anyways instead of making policies for individual users? You could always make a role for each individual user that needs to have a specific policy.
>
> The setup is fairly straightforward using the RSSO external connector within security fabric, and a couple things on the command line/config. I can expand on this when I have time, if you are still interested.
>
> For me, I created some specific groups and created corresponding RSSO groups on the FTG. I set up an LDAP authentication source and authentication rules to grant PF roles based on memberOf equals conditions. I found it useful to cascade the rules starting with higher privilege first, in case a user is a member of both high and low privilege groups.
>
> This could be used for
>
> The thing I don’t think people are understanding is your comment about VPN. If you are having users use the Forticlient anyways, and authenticating using LDAP, then you can develop far more user friendly and granular rules directly in fortigate. You can also splurge for their EMS product and get SSO over IPsec vpn and more metrics like group policy and antivirus enforcement. If you are using the VPN fortigate can do this natively. I just don’t understand why this VPN is part of the problem domain yet. Maybe if you elaborated we could help better.
>
> --
> Mark Amber
> ------------------------------
> *From:* Aaron Zuercher via PacketFence-users <packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, August 27, 2024 2:08:19 PM
> *To:* packetfence-users@lists.sourceforge.net <packetfence-users@lists.sourceforge.net>
> *Cc:* Aaron Zuercher <aaron.techge...@gmail.com>
> *Subject:* Re: [PacketFence-users] Authentication PacketFence + Radius + FortiGate
>
> Hello,
> I'm not sure if I understand your design fully, but I know Fortigate doesn't support Radius (RSSO) users in its profiles. Here is a forum thread that explains the problem:
>
> https://community.fortinet.com/t5/Support-Forum/Using-RSSO-usernames-in-policies/td-p/11235
>
> I have put in a feature request with Fortigate to add this. If this is affecting you, I recommend contacting Fortinet to add support to this feature request.
>
> Aaron
>
> On Wed, Aug 21, 2024 at 2:41 PM Guilherme Assis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > Hello everyone.
> >
> > Can you help me with a configuration?
> >
> > I am working on a deployment that requires integrating my FortiGate Firewall with Packetfence RADIUS. The idea is to have clients connect to my Wi-Fi network through a Site-To-Site VPN to authenticate via Captive Portal and RADIUS return whether the user was authorized or not, thus freeing up the client's internet. However, I am having difficulties with this configuration. FortiGate has already managed to connect to RADIUS, but when I create a local user in Packetfence for testing, I am unsuccessful when trying to authenticate. For this configuration to be possible, do I need to synchronize the SSO Firewall? Today I have configured FortiGate in the Switches and SSO Firewall tabs.
> >
> > Another question is how should I create the authentication source for this configuration to work.
> >
> > I appreciate everyone's help!
> >
> > Best regards,
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
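The thread describes a pipeline without showing any of it: PacketFence grants a role from ordered "memberOf equals" rules (Mark's point that higher-privilege rules must come first), the role travels to the FortiGate in RADIUS accounting, and the FortiGate's RSSO agent matches it to an RSSO group. The following is an added example written for this page; it is not code from PacketFence, Fortinet, or anyone in the thread. It assumes the role is carried in the RADIUS Class attribute (FortiGate's default RSSO sso-attribute; the thread does not say which attribute PacketFence actually emits), and every group DN, group name, IP address, session id and shared secret in it is constructed. The Accounting-Request encoding and Request Authenticator follow RFC 2866.

```python
import hashlib
import hmac
import ipaddress
import struct

# --- Step 1: ordered "memberOf equals" rules, first match wins -------------
# Constructed sample: a user who is in both a high- and a low-privilege
# group, the case Mark's "higher privilege first" ordering is meant to handle.
SAMPLE_MEMBER_OF = [
    "CN=Staff,OU=Groups,DC=example,DC=com",
    "CN=NetAdmins,OU=Groups,DC=example,DC=com",
]
RULES_HIGH_FIRST = [  # (group DN, PacketFence role), constructed
    ("CN=NetAdmins,OU=Groups,DC=example,DC=com", "netadmin"),
    ("CN=Staff,OU=Groups,DC=example,DC=com", "staff"),
]
RULES_LOW_FIRST = list(reversed(RULES_HIGH_FIRST))  # the ordering to avoid


def assign_role(member_of, rules, default="guest"):
    """Evaluate (group DN, role) rules in order; the first matching DN wins."""
    groups = {dn.lower() for dn in member_of}
    for dn, role in rules:
        if dn.lower() in groups:
            return role
    return default


# --- Step 2: RADIUS Accounting-Start carrying the role (RFC 2866) ----------
ACCT_REQUEST = 4
ACCT_START = 1
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS = 1, 8, 25
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44


def _avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(secret, identifier, username, framed_ip, role, session_id):
    """Encode the Accounting-Start an RSSO agent would receive for this endpoint."""
    attrs = (
        _avp(ATTR_USER_NAME, username.encode())
        + _avp(ATTR_FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed)
        + _avp(ATTR_CLASS, role.encode())  # assumption: role rides in Class
        + _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
        + _avp(ATTR_ACCT_SESSION_ID, session_id.encode())
    )
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + ID + Length + 16 zero octets + Attributes + Shared Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_start(packet, secret):
    """Verify the authenticator with the shared secret, then extract the RSSO fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        raise ValueError("bad Request Authenticator: wrong shared secret or altered packet")
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == ATTR_USER_NAME:
            fields["user"] = value.decode()
        elif attr_type == ATTR_FRAMED_IP:
            fields["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_CLASS:
            fields["class"] = value.decode()
        elif attr_type == ATTR_ACCT_STATUS_TYPE:
            fields["status"] = struct.unpack("!I", value)[0]
    return fields


# --- Step 3: RSSO side maps the Class value to a firewall group -------------
RSSO_GROUPS = {"netadmin": "RSSO_NetAdmins", "staff": "RSSO_Staff"}  # constructed names


def rsso_group_for(fields):
    """Return the RSSO group whose configured attribute value equals Class, if any."""
    if fields.get("status") != ACCT_START:
        return None
    return RSSO_GROUPS.get(fields.get("class"))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    role = assign_role(SAMPLE_MEMBER_OF, RULES_HIGH_FIRST)
    pkt = build_accounting_start(secret, 7, "aaron", "10.0.0.42", role, "sess-0001")
    fields = parse_accounting_start(pkt, secret)
    print(role, fields, rsso_group_for(fields))
```

Running it with RULES_LOW_FIRST instead of RULES_HIGH_FIRST shows the failure mode Mark's ordering prevents: the same user lands in the "staff" role, and the firewall policy written for RSSO_NetAdmins never applies to that endpoint. The parser also rejects a packet built with a different shared secret or altered in transit, which is the check that stops an arbitrary host from injecting a user-to-IP mapping into the RSSO agent.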