Hi. We have this setup today.

Fortigate FW running an SSL VPN portal; users are authenticated against a Cisco ACS RADIUS server. We only use one vdom (virtual firewall), but we have a plan to create a portal for every co-company. So I created two new vdoms on the Fortigate, called ompa and tampa, and gave each of them an SSL portal: https://ompa.corp.com and https://tampa.corp.com

Both of them use the Cisco ACS to authenticate users, so at this point the same username can log in to both SSL portals. This is no good :-(

Then I tried to add a Fortigate VSA to the Cisco ACS server, so that when user p...@ompa.corp.com logs in to https://tampa.corp.com, the ACS server returns "Fortinet-Vdom-Name = ompa" to the Fortigate. I was looking forward to seeing the ompa portal, but I got tampa. So the Fortigate just ignores the VSA from the ACS. The Fortigate RADIUS implementation seems to be braindead :-(

I did some sniffing, and it seems that the *Fortigate* returns Fortinet-Vdom-Name = ompa when you use https://ompa.corp.com, and Fortinet-Vdom-Name = tampa when you use https://tampa.corp.com. So we need to have some checking on the RADIUS server, to verify the user realm against what the Fortigate returns. The Cisco ACS server doesn't support this type of checking.

Now I have installed a FreeRADIUS and it proxies from the Fortigate FW towards the ACS, but I need some help to configure this checking. Could rlm do this stuff? If user p...@ompa.corp.com logs in to tampa, and the Fortigate returns Fortinet-Vdom-Name = tampa, it should *not* get access, but if it returns Fortinet-Vdom-Name = ompa it should get access.

Ole
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
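One way to do the realm-versus-vdom check in FreeRADIUS itself, as an added example that is not part of the original post. It assumes FreeRADIUS 3.x unlang, the Fortinet dictionary shipped with FreeRADIUS (which defines Fortinet-Vdom-Name), a realm named "acs" in proxy.conf pointing at the Cisco ACS, and that each vdom is named exactly like the first label of the user's realm (ompa, tampa).

```unlang
# Goes in the "authorize" section of the virtual server that receives the
# Fortigate's Access-Requests (e.g. sites-enabled/default). The Fortigate
# puts Fortinet-Vdom-Name (the vdom of the portal that took the login) in
# the request, so we compare it with the realm part of User-Name and reject
# any mismatch before the request is ever proxied to the ACS.
authorize {
    preprocess

    # Only requests that carry the Fortigate VSA are subject to the check.
    if (&Fortinet-Vdom-Name) {

        # Extract <vdom> from user@<vdom>.corp.com (assumed realm layout).
        if (&User-Name =~ /^[^@]+@([^.@]+)\.corp\.com$/i) {

            # Compare case-insensitively: "ompa" vs the vdom the portal reported.
            if ("%{tolower:%{1}}" != "%{tolower:%{Fortinet-Vdom-Name}}") {
                # p...@ompa.corp.com on the tampa portal lands here: refuse.
                reject
            }
        }
        else {
            # No parsable realm in User-Name: refuse as well, so an account
            # without a realm cannot slip into any portal.
            reject
        }
    }

    # Realm matches the portal's vdom (or no VSA present): let the ACS
    # decide the actual authentication. "acs" is a realm defined in proxy.conf.
    update control {
        &Proxy-To-Realm := "acs"
    }
}
```

Run `radiusd -X` and watch the debug output for the `reject` branch to confirm the VSA is actually arriving with the value the sniffer showed.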