Hi all, how do I match privacyIDEA users and set up different policies in a FortiGate firewall?

Greetings,

Set different policies in privacyIDEA.

RADIUS server configuration in the FortiGate firewall.

2FA notification received by email or SMS.

How do I match privacyIDEA users and set up different policies in the FortiGate firewall?

Hi,
I use rlm_perl to return the RADIUS attribute “Fortinet-Group-Name”. It’s possible to return the resolver and every user property, such as every group membership. In the policy you only have to use the group names.

Use something like this in rlm_perl.ini:

[Attribute Fortinet-Group-Name]
dir = user
userAttribute = groups
regex = CN=(.*?),OU

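The thread never shows how an `[Attribute ...]` section actually turns a user property into a RADIUS reply attribute, so here is an added Python sketch of that mapping written for this discussion. It is not the privacyidea FreeRADIUS plugin's own Perl code; it assumes, as the config above suggests, that `dir = user` points at the `user` object inside the response `detail`, that `userAttribute` names a key in that object, and that the first capture group of `regex` becomes the returned value (one value per matching group entry). The ini fragment and the response detail below are constructed sample data, not captures from a real system.

```python
import configparser
import re

# Constructed rlm_perl.ini fragment in the style quoted in the thread.
RLM_PERL_INI = """
[Attribute Fortinet-Group-Name]
dir = user
userAttribute = groups
regex = CN=(.*?),OU
"""

# Constructed privacyIDEA /validate/check "detail" object (sample data, not a real response).
SAMPLE_DETAIL = {
    "message": "matching 1 tokens",
    "user": {
        "username": "alice",
        "groups": [
            "CN=vpn-admins,OU=Groups,DC=example,DC=com",
            "CN=vpn-users,OU=Groups,DC=example,DC=com",
            "CN=mail-users,DC=example,DC=com",  # no OU component: the regex will not match
        ],
    },
    "user-realm": "domain",
}


def parse_attribute_sections(ini_text):
    """Collect every [Attribute <RADIUS-attribute>] section into a mapping dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    mappings = {}
    for section in cp.sections():
        if not section.startswith("Attribute "):
            continue
        radius_attr = section[len("Attribute "):].strip()
        mappings[radius_attr] = {
            "dir": cp.get(section, "dir", fallback="user"),
            "userAttribute": cp.get(section, "userAttribute", fallback=""),
            "regex": cp.get(section, "regex", fallback=""),
        }
    return mappings


def map_reply_attributes(detail, mappings):
    """Apply each mapping to the response detail; return {radius_attr: [values]}.

    A mapping whose userAttribute is empty, or names a key the user object does
    not have, produces no reply attribute at all (assumed behaviour).
    """
    reply = {}
    for radius_attr, m in mappings.items():
        container = detail.get(m["dir"], {})
        key = m["userAttribute"]
        if not key or key not in container:
            continue
        raw = container[key]
        values = raw if isinstance(raw, list) else [raw]
        out = []
        for value in values:
            value = str(value)
            if not m["regex"]:
                out.append(value)  # no regex: pass the property through unchanged
                continue
            match = re.search(m["regex"], value)
            if match is None:
                continue
            # First capture group if present, otherwise the whole match.
            out.append(match.group(1) if match.groups() else match.group(0))
        if out:
            reply[radius_attr] = out
    return reply


if __name__ == "__main__":
    mappings = parse_attribute_sections(RLM_PERL_INI)
    print(map_reply_attributes(SAMPLE_DETAIL, mappings))
```

With the sample data, `Fortinet-Group-Name` comes back as `vpn-admins` and `vpn-users`; the group without an `OU` component is dropped because the regex does not match it. Pointing `userAttribute` at a key the user object does not contain yields no reply attribute, which is the symptom described later in this thread.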

Hi,
I have the same question. I changed rlm_perl.ini:

[Attribute Frotinet-Group-Name]
dir = user
userAttribute = Fortinet-Group-Name
regex = cn = rad_group

However, I did not receive the RADIUS attribute Fortinet-Group-Name:

{
  "detail": {
    "message": "matching 1 tokens",
    "otplen": 6,
    "serial": "TOTP0 *****",
    "threadid": 140339344062208,
    "type": "totp",
    "user": {
      "memberOf": "cn = rad_group ",
      "password": "",
      "username": "Qwer7"
    },
    "user-realm": "domain",
    "user-resolver": "resolver"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "signature": "rsa_sha256_pss: 77679b78",
  "time": 1621943607.068597,
  "version": "privacyIDEA 3.5.2",
  "versionnumber": "3.5.2"
}

Can you please describe the setting in more detail?
I want to tune RADIUS + Group on FortiGate.


Thanks in advance!

Hi,
The userAttribute is NOT Fortinet-Group-Name! It’s the privacyIDEA user attribute which contains the groups!

Hi,
Thanks for the reply.
Unfortunately, I don’t understand you. :worried:
Can you please describe the setting in more detail, maybe I missed something.

Your config in rlm_perl.ini is wrong:
userAttribute = Fortinet-Group-Name
must be
userAttribute =
and you mistyped [Attribute Frotinet-Group-Name].