Cannot authenticate against Fortinet Radius Remote Group

Hi everyone,
Hope someone can help me with this issue.
I'm testing PrivacyIDEA TOTP with Fortigate SSL-VPN.
I have configured SSL-VPN on the Fortigate unit and all related policies.
I have configured the NPS server to forward authentications to PI like in this link:
I have configured VSA vendor attributes to match the AD members of the LAB group.

I"m making testing with two AD users:
User1 User2.
And AD Group: “LAB”.
User1 is a Member of LAB group.
User2 is NOT a member of LAB Group

When i"m trying to login to SSL-VPN with user1 the login is succeeded.

When i"m trying to login with User2 the login is ALSO Succeeded.
User2 is NOT a member of LAB Group and it suppose to be denied.
My Policy in PrivacyIDEA


Thanks in advance for your help.

Please keep in mind one thing: privacyIDEA is not a kind of firewall. The policies do not work as ACLs! So if a policy does not match, this does not mean that the user cannot authenticate. It rather means that the user is authenticated in the normal, default way.
So this might be a logical misunderstanding you are running into here.

Thank you for your quick reply.
Is there anything I can do to make this work?
Can I instruct PI to use the NPS network policy to match the AD group?
Or is there any other way to do this?

Yes, probably there are ways to do what you want to do.
But honestly, this would take some time to understand your requirement, think about it and come up with a configuration proposal. Well, this is something I usually do in workshops for a living, but I try to refrain from doing consultancy in this forum.

After all, your NPS seems to sit in front of privacyIDEA. So the NPS can decide on some authorization before forwarding the authentication request to privacyIDEA.
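To make the two points in this reply concrete (a non-matching privacyIDEA policy is not a reject, and the authorization decision belongs in the RADIUS front end that sits before privacyIDEA), here is an added example; it is not code from this thread, from privacyIDEA, or from Fortinet/NPS. The TOTP arithmetic follows RFC 4226/6238, but the directory data (User1 in LAB, User2 not), the token secrets, the `pi_validate_check` stand-in for privacyIDEA's `/validate/check`, and the two flow functions are all constructed for the demo.

```python
"""
Two ways a RADIUS front end can treat an AD group requirement (added example, not
from the thread or from privacyIDEA).  policy_only_flow() models the original setup,
where the group is only a policy condition; gated_flow() models an explicit,
fail-closed authorization check in front of the OTP check.
"""
import hashlib
import hmac
import struct

# Constructed directory: User1 is in LAB, User2 is not (as in the thread).
AD_GROUPS = {"LAB": {"user1"}}

# Constructed token secrets (the RFC 4226 test-vector seed); privacyIDEA would hold these.
TOKEN_SECRETS = {
    "user1": b"12345678901234567890",
    "user2": b"12345678901234567890",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def pi_validate_check(user: str, otp: str, now: int) -> bool:
    """Stand-in for privacyIDEA's /validate/check (assumed, simplified): it accepts
    the current TOTP for any user that has a token.  No group logic lives here."""
    secret = TOKEN_SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(totp(secret, now), otp)


def policy_only_flow(user: str, otp: str, now: int, policy_group: str = "LAB") -> dict:
    """Original setup: the group is only a condition on a privacyIDEA policy.
    When the policy does not match, nothing is rejected; the request simply
    falls through to the default authentication, so a non-member with a valid
    OTP still gets Access-Accept."""
    policy_matched = user in AD_GROUPS.get(policy_group, set())
    result = "Access-Accept" if pi_validate_check(user, otp, now) else "Access-Reject"
    return {"policy_matched": policy_matched, "result": result}


def gated_flow(user: str, otp: str, now: int, required_group: str = "LAB") -> str:
    """The fix: the RADIUS front end (NPS in the thread) decides authorization
    before forwarding anything.  Unknown users and non-members fail closed."""
    if user not in AD_GROUPS.get(required_group, set()):
        return f"Access-Reject (not in {required_group})"
    if not pi_validate_check(user, otp, now):
        return "Access-Reject (OTP invalid)"
    return "Access-Accept"


if __name__ == "__main__":
    now = 0  # constructed timestamp: time step 0 of the RFC 4226 vector -> "755224"
    code = totp(TOKEN_SECRETS["user1"], now)
    for user in ("user1", "user2"):
        print(user, "policy-only:", policy_only_flow(user, code, now)["result"],
              "| gated:", gated_flow(user, code, now))
```

Running it shows User2 accepted by the policy-only flow even though the policy did not match, and rejected by the gated flow before the OTP is ever checked, which is the ordering the reply recommends: authorization in NPS first, authentication in privacyIDEA second.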

I found a solution.
On the NPS server, under Connection Request Policy, all I needed to add was just a RADIUS attribute:
It instructs the RADIUS server to use the NPS network policy conditions.

Maybe this will help someone.
Thank you Cornelius.