FortiGate
Debbie_FTNT (Staff)
Article Id 196158

Description
This article describes how to allow FortiGate to recognize users as members of multiple groups when authenticating via Captive Portal.

Solution
When FortiGate authenticates a user via VPN, it automatically fetches the user's group memberships and recognizes which groups configured on the FortiGate the user matches.
This way, only one group needs to be referenced for SSL VPN authentication, while additional groups can still be used in policies for granular access control.

This is not the case with Captive Portal (policy-based or interface-based).
If a single group is referenced by the Captive Portal configuration, FortiGate will only consider an authenticated user a member of that group, not of any other groups the user might also belong to.

In that case, FortiGate only checks whether the user is a member of the group 'vpngroup'.
The user may be a member of additional groups, but FortiGate does not register them, so the user will only match policies that reference 'vpngroup' and no other policies.

There are two solutions:

- Set 'allow all'.
Any user that is a member of any group on the FortiGate will be able to authenticate (via LDAP, RADIUS or local authentication, whichever is configured on the FortiGate).
FortiGate will check the user against every configured group and register multiple group memberships for the user.
Policies will then apply based on all of these group memberships.

- Add multiple groups to the Captive Portal.

If the user is a member of multiple groups, FortiGate will register membership in every group that is explicitly referenced in the Captive Portal configuration.
If a user is a member of both 'vpngroup' and 'test-group1', and both groups are referenced, FortiGate will register membership in both groups and apply policies based on either group.
Users will NOT be shown as members of a group they do not actually belong to, but if users are members of groups that are not referenced in the Captive Portal configuration, FortiGate will ignore those memberships.
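The following CLI configuration is an added example and is not part of the original article. It shows the second solution (referencing multiple groups) on an interface-based Captive Portal, next to the single-group configuration that causes the behaviour described above, together with two firewall policies that depend on the extra group membership. The interface name "port2", the egress interface "port1", the policy IDs and names, and the assumption that the user groups 'vpngroup' and 'test-group1' already exist under "config user group" are all placeholders chosen for the example.

```fortios
# Added example (not from the original article). Assumptions: "port2" is the
# interface users connect from, "port1" is the egress interface, policy IDs 10/11
# and their names are placeholders, and the user groups 'vpngroup' and
# 'test-group1' already exist under "config user group".

# Variant A: the restrictive case described in the article. Only 'vpngroup' is
# referenced, so a user who is also in 'test-group1' is registered as a member
# of 'vpngroup' only and never matches policy 11 below.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "vpngroup"
    next
end

# Variant B: reference every group that policies rely on (apply either A or B,
# not both; the second "edit" overwrites the first). FortiGate registers
# membership in each referenced group the user actually belongs to.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "vpngroup" "test-group1"
    next
end

# Policies relying on group membership. With Variant A, policy 11 can never
# match an authenticated user; with Variant B it matches users in 'test-group1'.
config firewall policy
    edit 10
        set name "cp-vpngroup"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpngroup"
    next
    edit 11
        set name "cp-test-group1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "test-group1"
    next
end
```

After a user has authenticated through the portal, `diagnose firewall auth list` on the FortiGate CLI lists the authenticated users together with the groups registered for each one; with Variant B, a user who belongs to both groups should appear with both 'vpngroup' and 'test-group1', while with Variant A only 'vpngroup' is listed. The 'allow all' option from the first solution is selected in the GUI under the interface's Captive Portal settings and is not shown in this CLI example.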