
Administration Guide

Restricting RADIUS user groups to match selective users on the RADIUS server

When a user group in FortiOS is configured to authenticate against a RADIUS server, any valid user account on that RADIUS server matches the user group. Sometimes you want only certain users on the RADIUS server to match a particular user group on the FortiGate. This can be done with RADIUS attribute 26, the Vendor-Specific Attribute (VSA), which lets the RADIUS server include the Fortinet-Group-Name VSA in its Access-Accept response. The FortiOS user group must then be configured to match that specific group name.

In the following example, a RADIUS Network Policy Server (NPS) has been configured to return the Fortinet-Group-Name value IT. It is assumed that the user group RADIUS_IT has already been created and authenticates against the RADIUS_NPS server.

To configure specific group matching in the GUI:
  1. Go to User & Authentication > User Groups and edit the RADIUS_IT group.
  2. In the Remote Groups table, select the RADIUS_NPS server and click Edit. The Add Group Match pane opens.
  3. For Groups, select Specify and enter the group name configured on the RADIUS server (IT).
  4. Click OK.
  5. Click OK.

To configure specific group matching in the CLI:
config user group
    edit "RADIUS_IT"
        set member "RADIUS_NPS"
        config match
            edit 1
                set server-name "RADIUS_NPS"
                set group-name "IT"
            next
        end
    next
end
Note

To change the matching back to any group, under config match, enter delete 1. Do not set group-name to "Any" for this purpose: the FortiGate would then compare the Fortinet-Group-Name returned by the server against the literal string Any, and only users returned with that exact group name would match.
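The following Python snippet is an added example, not part of this guide and not FortiOS code. It decodes the Vendor-Specific attribute (type 26) from a constructed RADIUS Access-Accept attribute list, pulls out the Fortinet-Group-Name sub-attribute (Fortinet enterprise number 12356, vendor-type 1, as defined in the Fortinet RADIUS dictionary), and models the group-match decision described above, including the point that a configured group-name of "Any" is a literal string rather than a wildcard. The sample attribute bytes are constructed here for illustration.

```python
import struct

ATTR_CLASS = 25               # RFC 2865 Class attribute (used here as a non-VSA attribute to skip)
ATTR_VSA = 26                 # RFC 2865 Vendor-Specific attribute
FORTINET_VENDOR_ID = 12356    # Fortinet IANA enterprise number
FORTINET_GROUP_NAME = 1       # vendor-type of Fortinet-Group-Name in the Fortinet RADIUS dictionary


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode a plain RADIUS attribute: type, length (incl. header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute carrying a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VSA, struct.pack("!I", vendor_id) + sub)


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def fortinet_group_names(attrs: bytes) -> list:
    """Return every Fortinet-Group-Name value present in the attribute list."""
    names = []
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VSA or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != FORTINET_VENDOR_ID:
            continue  # some other vendor's VSA
        sub, pos = value[4:], 0
        while pos + 2 <= len(sub):      # a VSA may carry several sub-attributes
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                break
            if vtype == FORTINET_GROUP_NAME:
                names.append(sub[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return names


def group_matches(configured_group_name, returned_groups) -> bool:
    """Model the FortiOS decision for a user group with one RADIUS member.

    configured_group_name is None when there is no 'config match' entry,
    in which case any valid RADIUS user matches. Otherwise the returned
    Fortinet-Group-Name must equal the configured name exactly; "Any" is
    compared as the literal string Any, not treated as a wildcard.
    """
    if configured_group_name is None:
        return True
    return configured_group_name in returned_groups


# Constructed sample Access-Accept attribute lists (not captured from a real NPS).
ACCEPT_IT = (
    build_attr(ATTR_CLASS, b"session-marker")
    + build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"IT")
)
ACCEPT_SALES = build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"Sales")
ACCEPT_OTHER_VENDOR = build_vsa(9, 1, b"IT")   # vendor 9 with the same sub-type: must be ignored


def decide(attrs: bytes, configured_group_name) -> bool:
    """Parse the response and apply the match rule for the RADIUS_IT group."""
    return group_matches(configured_group_name, fortinet_group_names(attrs))


if __name__ == "__main__":
    for label, attrs in (("IT", ACCEPT_IT), ("Sales", ACCEPT_SALES), ("other", ACCEPT_OTHER_VENDOR)):
        print(label, "match IT:", decide(attrs, "IT"),
              "match Any:", decide(attrs, "Any"),
              "no match entry:", decide(attrs, None))
```

Running the script shows that only the response carrying Fortinet-Group-Name IT matches when group-name is "IT", that none of the three match when group-name is "Any" (no server returned the literal string Any), and that all three match once the match entry is deleted, which is the behaviour the note above describes.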
