Topic Thread

Radius User Group mapping problem

  • 1.  Radius User Group mapping problem

    Posted 08-03-2018 02:58
    Edited by POTSUN HSIEH 08-03-2018 03:15
    Hello everybody,
    I have a Fortinet VM-64 (version v5.4.7,build6446 ) to provide SSLVPN service.
    My customer provides a radius server for SSLVPN authentication.
    But their radius server can't response group information when doing authentication.
    So I create many account with radius on the VM-64, and mapping them with different group.
    But there is a problem with group mapping.
    When client use a account which exist in the radius server but doesn't exist in the VM-64 to login SSLVPN, it will login success and mapping to group for the first account in the account list.
    For example:
    I have two account in the VM-64.
    AAA in radius is group-X  (It's the first account in the list)
    BBB in radius is group-Y

    There are three account in the radius server.(Because the radius server is not only for SSLVPN)

    When client use CCC to login SSLVPN, he will login success and mapping to group-X.
    Because different group have different access control list, so it will be a issue in security.
    And it's strange to mapping a account which doesn't exist to a exist group.
    It look like a vulnerability or program logic error in the authentication?
    Could you kindly give me some suggestion to resolve it?
    Thanks a lot : )