探花大神

Substitute 探花大神 Groups for FortiGate Access Control Lists

闯耻尘辫颁濒辞耻诲鈥檚 Groups, MFA, and Policies Strengthen Access Control

Written by David Worthington on January 24, 2023

Blog Home > How-To > Substitute 探花大神 Groups for FortiGate Access Control Lists

Share This Article

This article describes how to use 探花大神 groups and attribute mapping to set up access control on a new FortiGate device. It鈥檚 the second half of a two-part series demonstrating RADIUS AuthN and AuthZ capabilities. The first post converted preexisting FortiGate groups into remote RADIUS users. This approach spares admins the work of having to establish local groups using ACLs on the FortiGate appliance. IT admins can set up strong network access control (NAC) with role-based access to benefit security, workflows, and compliance.

The prerequisite steps involve setting up 探花大神 RADIUS. Please refer back to this for those complete instructions. The initial step is to create a user group with a remote server that corresponds with 探花大神. The group names should be identical on each side. 

This example sets up a general VPN users group as well as an administrators group. Reply attributes, which will be outlined in a later step, will be used to segment entitlements for your users. It鈥檚 an example of the flexibility and utility of 探花大神 RADIUS.

RADIUS Reply Attributes

Configuring the correct RADIUS within 探花大神 is the most crucial step in this tutorial. Return to your 探花大神 group and navigate to the RADIUS tab. This is where attribute mapping is defined and values (aka groups on your FortiGate device) are assigned. 

Only use the attribute name: 鈥淔ortinet-Group-Name鈥

This example syncs the 探花大神 group with a local administrators group with the resident entitlements.

This group is mapped to the local administrator鈥檚 group in FortiGate
This group is mapped to the local administrator鈥檚 group in FortiGate

The appliance will determine the user鈥檚 level of access control when more than one group is assigned to a RADIUS server. A 探花大神 RADIUS group that has the RADIUS-Fortigate-VPN_Users attribute value will provide general VPN access and the administrators groups will authorize against FortiGate鈥檚 super admin profile.

screenshot of add group match screen

Users that belong to multiple 探花大神 RADIUS groups won鈥檛 receive multiple Reply Attributes, making it possible to have a separate administrative login. For compliance purposes, network security should vet access to the administrative group and user creation in 探花大神. 探花大神 groups leverage attribute-based access control (ABAC), automating the identity management lifecycle by recognizing and responding to changes in employment. This adds an additional security control to your posture via a mature approach to entitlements management.

探花大神 RADIUS also provides integrated Push and TOTP multi-factor authentication (MFA). Privileged access management is possible through optional . These security features make it possible to enact a Zero Trust security strategy for network hardware.

Now, let鈥檚 move on to the FortiGate setup.

FortiGate Setup

Configure your FortiGate for 探花大神 RADIUS. Fortinet also documents how to configure and in its knowledge base. Refer back to its documentation for details on those steps. Proceed to the next section when you鈥檙e ready.

Set Up Remote User Groups

This tutorial demonstrates RADIUS authentication into two groups: one for general VPN access and another for a privileged group for administrators. Settings establish the appropriate entitlements.

screenshot of FortiGate 60F
screenshot of edit users group. This step enables reply attributes to segment user authorizations.
This step enables reply attributes to segment user authorizations

Match Users in 探花大神 and Local Groups

Add users to your groups. Fortinet provides on how to add and create groups. Be certain to match the user names with 探花大神 RADIUS user names, exactly.

screenshot of FortiGate 60F
This step adds users to remote 探花大神-based groups
screenshot of FortiGate 60F
In this example, an administrative profile was selected for the local admins group, granting the corresponding 探花大神 group users those entitlements
screenshot of user details
The user name in 探花大神 and Fortinet would be 鈥渉ank.aaron鈥

Test your configuration by attempting to log in with active users. You may also view events in 闯耻尘辫颁濒辞耻诲鈥檚 directory reporting module.

Reporting

闯耻尘辫颁濒辞耻诲鈥檚 Directory Insights captures and logs RADIUS authentications. It makes it possible to determine which user is attempting to access your resources and whether it was successful. Directory Insights is useful for debugging and testing your RADIUS configuration deployments.

探花大神 Directory Insights

Try 探花大神 RADIUS

Additional about this topic is best reserved for the 探花大神 community. 闯耻尘辫颁濒辞耻诲鈥檚 full platform is for 10 users and devices with premium chat support for the first 10 days to get your started. The open directory platform provides SSO to everything:

  • SAML
  • OIDC/OAUTH
  • LDAP
  • RADIUS

Attribute-based group access control, mobile device management (MDM), , and GPO-like policies are included in the platform for advanced identity lifecycle management. 探花大神 also features integrated remote assistance, , and an optional password manager and cross-OS patch management. The directory platform works across Android (soon), Apple, Linux, and Windows devices, managing identities wherever the user is.

Need a Helping Hand? Reach out to [email protected] for assistance to determine which Professional Service option might be right for you.

David Worthington

I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with Related Posts

Visit the Search Page

Continue Learning with our Newsletter