Administration Guide

NAS-IP support per SSL-VPN realm

For RADIUS authentication and authorization, the RADIUS client (the FortiGate) passes the username, password, and NAS-IP to the RADIUS server in its access request. The RADIUS server authenticates and authorizes based on this information. Each RADIUS server can be configured with multiple NAS-IPs for authenticating different groups and NAS clients.

On the FortiGate, configuring the NAS-IP in the realm settings overrides the RADIUS server setting, allowing multiple NAS-IPs to be mapped to the same RADIUS server.

In this example, the user wants to present one FortiGate VDOM with different NAS-IPs to a single RADIUS server based on specific rules.

To configure the SSL-VPN to use the NAS-IP in the realm settings:
  1. Configure a RADIUS user and add it to a group:
    config user radius
        edit "fac150"
            set server "172.16.200.150"
            set secret ********
            set nas-ip 172.16.200.2
            config accounting-server
                edit 1
                    set status enable
                    set server "172.16.200.150"
                    set secret ********
                next
            end
        next
    end
    config user group
        edit "radgrp"
            set member "fac150"
        next
    end
  2. Configure a realm for the user with a different NAS-IP:
    config vpn ssl web realm
        edit "realm1"
            set login-page '.......'
            set radius-server "fac150"
            set nas-ip 10.1.100.2
        next
    end
  3. Configure SSL-VPN with an authentication rule that includes the user group and the realm:
    config vpn ssl settings
        ...
        config authentication-rule
            edit 1
                set groups "radgrp"
                set portal "testportal1"
                set realm "realm1"
            next
        end
    end
  4. Create a firewall policy:
    config firewall policy
        edit 1
            set name "sslvpn1"
            ...
            set srcintf "ssl.vdom1"
            set groups "radgrp"
        next
    end

    Because the RADIUS server and NAS-IP are specified in realm1, its NAS-IP is used for authentication.
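The following is an added illustration, not Fortinet code, of what the realm override changes on the wire. It builds and parses a minimal RFC 2865 Access-Request the way a RADIUS client would, carrying User-Name, User-Password (PAP hiding with the shared secret) and NAS-IP-Address, and selects the NAS-IP with the same precedence as above: the realm's `nas-ip` wins when set, otherwise the `config user radius` value applies. The username, password, shared secret and the two NAS-IP values are constructed sample inputs; the RADIUS server address is not contacted and nothing is sent.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 2865 packet code and attribute types used in this example
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4


def effective_nas_ip(server_nas_ip, realm_nas_ip=None):
    """Precedence from the page: a NAS-IP set on the SSL-VPN realm overrides
    the NAS-IP configured on the RADIUS server entry."""
    return realm_nas_ip if realm_nas_ip else server_nas_ip


def _pad16(data):
    # User-Password is hidden in 16-byte blocks; an empty password still needs one block
    padded = data + b"\x00" * ((-len(data)) % 16)
    return padded or b"\x00" * 16


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. Weak by modern standards, but this is
    what PAP over RADIUS actually sends, hence why the shared secret and the
    transport (IPsec/RadSec) matter."""
    out, prev = b"", authenticator
    for i in range(0, len(_pad16(password)), 16):
        block = _pad16(password)[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(x ^ y for x, y in zip(block, keystream))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    # Type (1 byte), Length (1 byte, includes header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    """Assemble an Access-Request carrying the chosen NAS-IP-Address (constructed, not sent)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        _attr(USER_NAME, username.encode())
        + _attr(USER_PASSWORD, hide_password(password.encode(), secret.encode(), authenticator))
        + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet):
    """Walk the attribute list back out of a packet; returns (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def nas_ip_in_packet(packet):
    """Dotted-quad NAS-IP-Address as the RADIUS server would log it."""
    attrs = parse_access_request(packet)[3]
    return str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))


if __name__ == "__main__":
    # Sample values from the page's configuration: server-level NAS-IP vs. realm1 NAS-IP
    chosen = effective_nas_ip("172.16.200.2", realm_nas_ip="10.1.100.2")
    pkt = build_access_request("alice", "example-pw", "example-secret", chosen)
    print("NAS-IP-Address presented to RADIUS:", nas_ip_in_packet(pkt))
```

The RADIUS server identifies the client by the packet's source address and shared secret; NAS-IP-Address is an attribute the client asserts. That is what makes the realm override useful for policy selection on the server, and also why server-side rules keyed on NAS-IP should be paired with a per-client secret rather than treated as proof of origin.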