I am also not clear on exactly what the desired setup is; perhaps respond to this message with a goal rather than with what you did.
As for FortiGate SSO, you create roles and use those roles in user policies on the FTG. Wouldn't you want this anyway instead of making policies for individual users? You could always make a role for each individual user that needs a specific policy. The setup is fairly straightforward using the RSSO external connector within Security Fabric, and a couple of things on the command line/config. I can expand on this when I have time, if you are still interested.

For me, I created some specific groups and created corresponding RSSO groups on the FTG. I set up an LDAP authentication source and authentication rules to grant PF roles based on memberOf equals conditions. I found it useful to cascade the rules starting with higher privilege first, in case a user is a member of both high and low privilege groups. This could be used for

The thing I don't think people are understanding is your comment about VPN. If you are having users use the FortiClient anyway, and authenticating using LDAP, then you can develop far more user-friendly and granular rules directly in FortiGate. You can also splurge for their EMS product and get SSO over IPsec VPN and more metrics like group policy and antivirus enforcement. If you are using the VPN, FortiGate can do this natively. I just don't understand why this VPN is part of the problem domain yet. Maybe if you elaborated we could help better.

--
Mark Amber

________________________________
From: Aaron Zuercher via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Tuesday, August 27, 2024 2:08:19 PM
To: packetfence-users@lists.sourceforge.net
Cc: Aaron Zuercher <aaron.techge...@gmail.com>
Subject: Re: [PacketFence-users] Authentication PacketFence + Radius + FortiGate

Hello, I'm not sure if I understand your design fully, but I know FortiGate doesn't support RADIUS (RSSO) users in its profiles.
Here is a forum thread that explains the problem: https://community.fortinet.com/t5/Support-Forum/Using-RSSO-usernames-in-policies/td-p/11235

I have put in a feature request with FortiGate to add this. If this is affecting you, I recommend contacting Fortinet to add support to this feature request.

Aaron

On Wed, Aug 21, 2024 at 2:41 PM Guilherme Assis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello everyone.

Can you help me with a configuration? I am working on a deployment that requires integrating my FortiGate firewall with PacketFence RADIUS. The idea is to have clients connect to my Wi-Fi network through a site-to-site VPN, authenticate via the captive portal, and have RADIUS return whether the user was authorized or not, thus freeing up the client's internet. However, I am having difficulties with this configuration. FortiGate has already managed to connect to RADIUS, but when I create a local user in PacketFence for testing, I am unsuccessful when trying to authenticate.

For this configuration to be possible, do I need to synchronize the SSO firewall? Today I have FortiGate configured in the Switches and SSO Firewall tabs. Another question is how I should create the authentication source for this configuration to work.

I appreciate everyone's help!

Best regards,

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
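To make concrete what the two messages above are arguing about (Mark's RSSO groups on the FTG fed by PacketFence roles, and Aaron's point that FortiGate policies match RSSO group membership, not individual RSSO usernames), here is an added example that is neither PacketFence's nor Fortinet's code. It builds the RADIUS Accounting-Request (Start) that a firewall-SSO sender hands to the FortiGate RSSO agent, validates its Request Authenticator the way the agent can be told to, and then maps the SSO attribute to an RSSO user group exactly as a `config user group ... set group-type rsso / set sso-attribute-value` entry would. The assumptions: the role travels in the `Class` attribute (the FortiGate's default `sso-attribute`, and what I understand PacketFence sends), the attribute set shown is the minimum useful one rather than PacketFence's exact list, and the shared secret, user, role, IP and MAC are all constructed sample values.

```python
import hashlib
import ipaddress
import struct

# RADIUS constants (RFC 2865 / RFC 2866). Only what an RSSO Start needs.
ACCOUNTING_REQUEST = 4
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CLASS = 25
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_START = 1
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value(n)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_rsso_start(secret, username, role, ip, mac, session_id, identifier=0):
    """Accounting-Request (Start) with the PacketFence role carried in Class.

    Per RFC 2866 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret),
    so the receiver can prove the sender knows the shared secret.
    """
    attrs = b"".join([
        _avp(USER_NAME, username.encode()),
        _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        _avp(CALLING_STATION_ID, mac.encode()),
        _avp(CLASS, role.encode()),            # assumption: role -> Class
        _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        _avp(ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """The check the RSSO agent can perform before trusting a Start/Stop.

    Without it anyone who can reach the agent's UDP port can log a user in
    or out; with it a spoofed packet must also carry the secret.
    """
    header, auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return expected == auth


def parse_attributes(packet):
    """Return {attribute_type: [raw values]} from a RADIUS packet."""
    out = {}
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return out


def rsso_group_for(packet, rsso_groups, sso_attribute=CLASS):
    """Mimic the FTG mapping of the SSO attribute to an RSSO user group.

    rsso_groups maps each group's sso-attribute-value to the group name, i.e.
    one entry per `config user group / edit <name> / set group-type rsso /
    set sso-attribute-value <value>`. The User-Name is recorded for logging
    but, as Aaron notes, it is the group that firewall policies can match.
    """
    for value in parse_attributes(packet).get(sso_attribute, []):
        group = rsso_groups.get(value.decode("utf-8", errors="replace"))
        if group is not None:
            return group
    return None


# Constructed sample values; nothing here comes from a real deployment.
SAMPLE_SECRET = b"rsso-shared-secret"
SAMPLE_GROUPS = {"staff": "RSSO_staff", "guest": "RSSO_guest"}


def demo():
    pkt = build_rsso_start(SAMPLE_SECRET, "alice", "staff",
                           "10.10.20.30", "aa:bb:cc:dd:ee:ff", "pf-0001")
    ok = verify_request_authenticator(pkt, SAMPLE_SECRET)
    return ok, rsso_group_for(pkt, SAMPLE_GROUPS)


if __name__ == "__main__":
    print(demo())
```

The `rsso_group_for` lookup is the whole reason Mark creates one RSSO group per PacketFence role: a policy on the FTG selects `RSSO_staff`, and whoever PacketFence last reported with `Class = staff` for that IP falls under it. If you need a per-person policy, the workaround in the thread is a role (and matching RSSO group) with a single member, not a username match.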