FortiGate Radius SSLVPN using multiple mappings


#1

We are attempting to configure 2 SSL-VPN IP ranges using Duo; one for IT and the other for employees. 2 user groups were created, Duo_SSL_VPN and Duo_SSL_VPN2, and will use any Group Name, i.e. group name is not defined. The first uses 1813 for RADIUS and the 2nd uses 1812. (The RADIUS port can be changed in FortiGate via CLI.) SSL-VPN Settings maps Duo_SSL_VPN to IT and Duo_SSL_VPN to employees. All authenticated users connect to the IT range. How can I fix this?


#2

So you have two [radius_server_auto] config sections in your authproxy.cfg file, one listening on port 1812 and the other on 1813? Can you verify that the different user groups on the Fortigate are using the right Duo RADIUS listener by looking in the Duo Authentication Proxy logs? So, when you connect to the Fortigate as Duo_SSL_VPN2 the Duo log shows incoming authentication traffic on port 1812, and when you connect as Duo_SSL_VPN the traffic goes to the Duo proxy on 1812?

If so, then you might have better luck asking Fortinet why the SSL VPN IP range assignments aren’t following the group mappings for SSL VPN.

Would you mind sharing instructions for how you configured this, particularly mapping a specific IP range to a group? I see where I can add more address ranges in the “Tunnel Mode Client Settings” section on the SSL VPN settings page, but there isn’t anywhere to specify any logic associating a given range to a group on the SSL VPN settings page.
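For readers following the two-listener setup that reply #2 asks about, here is an added example of what that authproxy.cfg looks like. It is not configuration from either poster; the ikey/skey/api_host values, the domain controller and FortiGate addresses, the service account and the shared secrets are placeholders. Both listeners reuse the same [ad_client] for the primary credential check and differ only in the port they bind and the RADIUS secret the FortiGate must present on that port.

```ini
; authproxy.cfg - Duo Authentication Proxy (added example, placeholder values)

; Primary (first-factor) check against Active Directory, shared by both listeners.
; Hypothetical domain controller and service account.
[ad_client]
host=10.0.0.10
service_account_username=duosvc
service_account_password=REPLACE_ME
search_dn=DC=example,DC=com

; Listener 1: bound to UDP 1813, intended for the FortiGate RADIUS server
; object referenced by user group Duo_SSL_VPN.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SKEY
api_host=api-XXXXXXXX.duosecurity.com
; Hypothetical FortiGate address; only this client may send requests here.
radius_ip_1=192.0.2.1
radius_secret_1=secret-for-port-1813
client=ad_client
failmode=safe
port=1813

; Listener 2: a second section of the same type gets a numeric suffix.
; Bound to UDP 1812 for the RADIUS server object referenced by Duo_SSL_VPN2.
; Same Duo application here; point it at a separate application if the two
; groups need different Duo policies.
[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=secret-for-port-1812
client=ad_client
failmode=safe
port=1812
```

The check suggested in reply #2 is then straightforward: with debug logging on, each Access-Request in the proxy's authproxy.log shows the listener port it arrived on, so a Duo_SSL_VPN2 login should appear on 1812 and a Duo_SSL_VPN login on 1813. On the FortiGate side, the non-default port is set per RADIUS server object (`config user radius`, `edit <name>`, `set radius-port 1813`), and each user group should reference only the server object for its port; otherwise the proxy receives identical traffic for both groups and has no way to tell them apart.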