FortiGate RADIUS domain user group authentication for SSL VPN users (Part 1)

Source: Internet
Author: User

In FortiGate 3.0, when remote RADIUS authentication is used, all RADIUS users can only land in a single group: different groups in the domain cannot be authenticated separately and given different permissions. This is inconvenient, and access permissions cannot be controlled precisely. The situation has improved since version 4. The version used in this example is v4.0, build0637, 120817 (MR3 Patch 9); according to the documentation, this is supported from v4.0 MR3 Patch 2 onward.

Now for the RADIUS authentication configuration on the FortiGate.

1. Open User -> Remote -> RADIUS and create a RADIUS server entry. [Screenshot: http://www.bkjia.com/uploads/allimg/131227/014052GO-0.png] The name is arbitrary. The IP address is that of the domain controller. The key (shared secret) is agreed by both sides and must be the same as the one configured on the domain controller.

2. Open User -> User Group and create a group. [Screenshot: http://www.bkjia.com/uploads/allimg/131227/01405221X-1.png] The name is free; here SSL VPN access is used as the example. Under the remote server section, add the RADIUS server (the DC) just created. If "Any" is selected, no group matching is done; if "Specify" is selected, the group name must be given. Enter "vpn" here.

3. The following also needs to be configured for SSL VPN users. Create an address range and assign it to SSL VPN users. There is nothing special about creating the address, but it must be emphasized that the interface must be the SSL interface: if it is set to Any, security decreases.

4. Configure the tunnel-access portal and associate it with the group just created. tunnel-access is the default template and must be edited accordingly. Open VPN -> SSL, edit tunnel-access, and click the pen icon under Tunnel Mode. [Screenshot: http://www.bkjia.com/uploads/allimg/131227/0140526411-2.png] Click IP Pool and add the address range just created.

5. Then add a firewall policy; otherwise SSL VPN users cannot match any policy. In the new policy, the source interface must be the SSL VPN interface and the source address must be the address range just created. [Screenshot: http://www.bkjia.com/uploads/allimg/131227/01405235L-3.png] With that, the FortiGate part is essentially done.
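The two settings that decide whether an SSL VPN user is let in are the shared secret (step 1) and the group name entered under "Specify" (step 2). The following added example, which is not from the original blog nor Fortinet code, shows what the FortiGate has to check on the RADIUS reply: the Response Authenticator (RFC 2865: MD5 over Code, ID, Length, Request Authenticator, attributes and the shared secret) must verify, and the Access-Accept must carry a Fortinet-Group-Name vendor attribute (Fortinet vendor ID 12356, vendor type 1) equal to the configured group. The shared secret, the group name "vpn" and the sample packets are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the page): the shared secret agreed with the
# domain controller and the group name entered under "Specify" in the user group.
SHARED_SECRET = b"example-shared-secret"
REQUIRED_GROUP = "vpn"

FORTINET_VENDOR_ID = 12356      # Fortinet's IANA private enterprise number
FORTINET_GROUP_NAME = 1         # vendor attribute type of Fortinet-Group-Name
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: [26][len][vendor-id][vtype][vlen][value]."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Build a RADIUS reply as the server would: the 16-byte Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """True only if the reply was produced with the same shared secret we hold."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(attrs):
    """Yield (type, value) pairs from the attribute area; reject malformed lengths."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[i + 2:i + alen]
        i += alen


def fortinet_group_names(attrs):
    """Collect every Fortinet-Group-Name carried in Vendor-Specific attributes."""
    names = []
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[j + 2:j + vlen].decode("utf-8", "replace"))
            j += vlen
    return names


def authorize(packet, request_authenticator, secret, required_group):
    """Mimic the firewall's decision for a "Specify" group: a secret-verified
    Access-Accept naming the required group is allowed, everything else is denied."""
    if not verify_response(packet, request_authenticator, secret):
        return False, "response authenticator mismatch (wrong shared secret or forged reply)"
    if packet[0] != CODE_ACCESS_ACCEPT:
        return False, "Access-Reject"
    groups = fortinet_group_names(packet[20:])
    if required_group in groups:
        return True, "member of %r" % required_group
    return False, "accepted by RADIUS but not in group %r (got %r)" % (required_group, groups)


if __name__ == "__main__":
    # Constructed exchange: a fixed Request Authenticator and a reply naming group "vpn".
    req_auth = bytes(range(16))
    attrs = build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"vpn")
    accept = build_response(CODE_ACCESS_ACCEPT, 7, req_auth, attrs, SHARED_SECRET)
    print(authorize(accept, req_auth, SHARED_SECRET, REQUIRED_GROUP))
    print(authorize(accept, req_auth, b"mismatched-secret", REQUIRED_GROUP))
    print(authorize(accept, req_auth, SHARED_SECRET, "admins"))
```

The third call shows why "Specify" matters: the domain controller accepted the user, but without the expected Fortinet-Group-Name the SSL VPN group does not match and the user gets no policy. The second call shows that a mismatched shared secret fails closed before the group is even examined.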

This article is from the "Genius without that 1% is never done" blog; please keep this source: http://xushen.blog.51cto.com/1673219/1007242
