Hi.
We have this setup today.
Fortigate FW - running SSL vpn portal, users are authenticated towards a Cisco ACS radius server.
We only use one vdom ( virtual firewall) but we have a plan to create a portal to every co companies.
So I created two new vdom on the fortigate called, : ompa and tampa and gave them ssl portal. - https://ompa.corp.com and https://tampa.corp.com
Both of them use the Cisco ACS to authenticate users, so at this point the same username can login to both SSL portals, this is no good :-(
Then I tried to add a fortigate VSA to the Cisco ACS server, so when user pet@ompa.corp.com login to https://tampa.corp.com , ACS server retun "Fortinet-Vdom-Name = ompa" to the fortigate, and I was looking forward to see the ompa portal but i got tampa. So Fortigate just ignore the VSA from the ACS .
Fortigate radius impementation seems to be braindead :-(
I did some sniffing, and it seems that *fortigate* return Fortinet-Vdom-Name= ompa when you use https://ompa.corp.com, and Fortinet-Vdom-Name= tampa when you use https://tampa.corp.com.
So we need to have some checking on the radiusserver, to verify user realm vs what fortigate retuns. Cisco ACS server doesn't support this type of checking.
Now I have installed a freeradius and it does proxy towards the ACS from Fortigate FW, but I need some help to configure this checking, could rlm do this stuff?
if user pet@ompa.corp.com login to tampa, and Fortigate return Fortinet-Vdom-Name= tampa it should *not* get access, but if it retun Fortinet-Vdom-Name= ompa it should get access.
Ole