
Using Duo with more than 1 LDAP group

c4ipp3r
Level 1

Hi folks,

I’m just deploying a DUO solution for one of my customers. The install was fine, and now I have an issue with something I’m trying to set up.

Using a FortiGate:

The customer has set up SSL VPN using a tunnel - everything works fine, DUO sends the push to the client and the connection is established.

The customer is setting up a web portal using DUO - the same user in the original DUO group does not get to the portal but to the regular default one.

I was thinking of creating a second group only for the portal, but my question is:
How should I configure duoRadius to fetch the info?

TIA

4 Replies

IanP1
Level 1

Just got off chat with support on a very similar item to this on the Fortinet, and the solution to the issue is to create a second Radius Authenticator on the FortiGate, then create an additional Radius_Auto on the proxy. For this new Radius_Auto, give it a new port number, and point it to the AD group that you want to authenticate against.

Thanks Ian,

So in a way, using more than one portal or more than one group implies adding another RADIUS instance on the proxy.

Nice!! Thanks for the input.

I did find that you need to use the CLI to set the different port (example):

config user radius
edit radius-server-one
set server 192.168.1.1
set secret password
set radius-port 1234
end

Yes… this is for the specific RADIUS server port.
You also have this, in case you want to change it in the global settings (this is for a single RADIUS):

config system global
set radius-port 1645
end

Thanks again for the input!!
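
The proxy side of what the replies above describe, as an added example that is not part of the original thread or Duo's own configuration: an authproxy.cfg sketch with two [radius_server_auto] listeners on different ports, each tied to its own [ad_client] restricted to one AD group through security_group_dn. All hosts, DNs, group names, keys and secrets are constructed placeholders; port 1234 mirrors the example port used in the thread.

```ini
; Constructed example: every host, DN, key and secret below is a placeholder.

; AD lookup for the tunnel-mode SSL VPN users (first group)
[ad_client]
host=dc01.example.com
service_account_username=duoservice
service_account_password=<service account password>
search_dn=DC=example,DC=com
; Only direct members of this group pass primary authentication
security_group_dn=CN=VPN-Tunnel-Users,OU=Groups,DC=example,DC=com

; AD lookup for the web portal users (second group)
[ad_client2]
host=dc01.example.com
service_account_username=duoservice
service_account_password=<service account password>
search_dn=DC=example,DC=com
security_group_dn=CN=VPN-Portal-Users,OU=Groups,DC=example,DC=com

; Listener 1: default RADIUS port, matched by the first FortiGate RADIUS server
[radius_server_auto]
ikey=<integration key>
skey=<secret key>
api_host=<api hostname>
; radius_ip_1 is the FortiGate address allowed to send requests
radius_ip_1=192.0.2.10
radius_secret_1=<shared secret for listener 1>
client=ad_client
port=1812
; secure = reject logins if the Duo service cannot be reached
failmode=secure

; Listener 2: separate port, matched by the second FortiGate RADIUS server
[radius_server_auto2]
ikey=<integration key>
skey=<secret key>
api_host=<api hostname>
radius_ip_1=192.0.2.10
radius_secret_1=<shared secret for listener 2>
client=ad_client2
port=1234
failmode=secure
```

Each FortiGate RADIUS server entry then points at the same proxy address with the port and secret of its own listener. Giving each listener its own shared secret keeps a request sent to the wrong port from being accepted against the wrong group.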
