mdeparisse_FTNT
Article Id 198202
Purpose
This article describes how to configure FortiManager/FortiAnalyzer for RADIUS authentication and authorization using access profile override, ADOM override and Vendor Specific Attributes (VSA) on the RADIUS side.

Scope
The CLI examples apply to all covered firmware versions. Note: the GUI screenshots are from v6.0; although the menus look different in older versions, the settings are the same.

Expectations, Requirements
Example Task:

The following directory users, members of the group “fmg_faz_admins”, should be granted different permissions in FortiManager/FortiAnalyzer based on their RADIUS attributes:
  - user1 – “read-write” permissions for all sections of ADOMs “TEST1” and “TEST2”
  - user2 – “read-only” permissions for all sections of ADOM “TEST2”
  - All other users – should have no access to FortiManager/FortiAnalyzer


Configuration
FMG/FAZ Configuration:

1) Configure a remote server object.
# config system admin radius
  edit "fac.test.lab"               <----- Name of the server object.
    set server "10.109.19.6"        <----- RADIUS server IP address.
    set port 1812                   <----- RADIUS server port.
    set auth-type chap              <----- {any|pap|chap|mschap2}.
    set secret @Rad1us#Secr3T       <----- Shared secret; must match the client entry on the RADIUS server.
  next
end

Test the RADIUS server connection and validate the user name and password.

2) Create the admin profiles, as required.

For this example the following profiles are needed:

# config system admin profile
  edit "none"             <----- 'none' will be used as the default profile for the wildcard admin user
  next                    <----- (in 5.0 and 5.2, a profile with no permissions can be created only via CLI)

edit "read-write"
   set system-setting read-write
   set adom-switch read-write
   set global-policy-packages read-write
   set assignment read-write
   set read-passwd none
   set intf-mapping read-write
   set device-manager read-write
   set device-config read-write
   set device-op read-write
   set device-wan-link-load-balance read-write
   set device-ap read-write
   set device-forticlient read-write
   set device-fortiswitch read-write
   set device-profile read-write
   set policy-objects read-write
   set deploy-management read-write
   set import-policy-packages read-write
   set config-retrieve read-write
   set config-revert read-write
   set term-access read-write
   set adom-policy-packages read-write
   set vpn-manager read-write
   set realtime-monitor none
   set consistency-check read-write
   set fgd_center read-write
   set fgd-center-licensing read-write
   set fgd-center-fmw-mgmt read-write
   set fgd-center-advanced read-write
   set log-viewer read-write
   set report-viewer read-write
   set event-management read-write
next


edit "read-only"
   set system-setting read
   set adom-switch read
   set global-policy-packages read
   set assignment read
   set read-passwd none
   set intf-mapping read
   set device-manager read
   set device-config read
   set device-op read
   set device-wan-link-load-balance read
   set device-ap read
   set device-forticlient read
   set device-fortiswitch read
   set device-profile read
   set policy-objects read
   set deploy-management read
   set import-policy-packages read
   set config-retrieve read
   set config-revert read
   set term-access read
   set adom-policy-packages read
   set vpn-manager read
   set realtime-monitor none
   set consistency-check read
   set fgd_center read
   set fgd-center-licensing read
   set fgd-center-fmw-mgmt read
   set fgd-center-advanced read
   set log-viewer read
   set report-viewer read
   set event-management read
next
end

3) Create ADOM “EMPTY” under System Settings -> All ADOMs -> Create New. This ADOM will be used as the default ADOM of the wildcard admin user.
- Alternatively, any existing empty ADOM may be used.

4) Create a wildcard admin user (not all of the settings below are available in the GUI).

# config system admin user
  edit "raduser"                               <----- name of the admin object
    set profileid "none"                       <----- the profile "none" from step 2
    set adom "EMPTY"                           <----- the empty ADOM from step 3
    set policy-package "all_policy_packages"
    set user_type radius
    set radius_server "fac.test.lab"           <----- name of the server object from step 1
    set wildcard enable
    set radius-accprofile-override enable      <----- command renamed in versions 5.6.6 / 6.0.3, see the note below
    set radius-adom-override enable            <----- command renamed in versions 5.6.6 / 6.0.3, see the note below
    set radius-group-match "fmg_faz_admins"    <----- only users belonging to this group will be able to log in * (command renamed in versions 5.6.6 / 6.0.3, see the note below)
  next
end

* If not configured, all users on the RADIUS server will be able to log in to FMG/FAZ and will receive access to ADOM "EMPTY" with the permissions defined by profileid "none".

Note: FortiManager/FortiAnalyzer up to version 5.6.3 allows only one wildcard user account. As of versions 5.6.4 / 6.0.0, multiple wildcard administrators can be configured.

Note: As of versions 5.6.6 / 6.0.3 the admin user CLI syntax was changed as follows:
set radius-accprofile-override  =>  set ext-auth-accprofile-override
set radius-adom-override        =>  set ext-auth-adom-override
set radius-group-match          =>  set ext-authgroup-match

RADIUS side configuration:

The examples below are included mainly to explain the logic of the FMG/FAZ configuration and may differ depending on the specific server version.
For further details, refer to the technical documentation of the RADIUS server vendor.

The following part of the VSA dictionary is used with FMG/FAZ:
VENDOR         Fortinet                        12356
ATTRIBUTE      Fortinet-Group-Name             1             string
ATTRIBUTE      Fortinet-Vdom-Name              3             string
ATTRIBUTE      Fortinet-Access-Profile         6             string

For a complete list of Fortinet RADIUS attributes please refer to Technical Note: Fortinet RADIUS attribute.

1.    FortiAuthenticator (5.2)

This example includes local users that were created beforehand. For more details, please refer to the FortiAuthenticator Administration Guide.

Create a new RADIUS client for FortiManager:


Create the group allowing authentication to FMG/FAZ.
Add the “Fortinet-Group-Name” attribute with value “fmg_faz_admins”.
Select the users that will have FMG/FAZ access.

Modify the users in order to assign the access profiles and ADOM permissions, as defined above:
  - user1 – “read-write” permissions for all sections of ADOMs “TEST1” and “TEST2”
  - user2 – “read-only” permissions for all sections of ADOM “TEST2”

Test and refer to the Troubleshooting section below in case of issues.

2.    FreeRADIUS

2.1.    Add the client configuration for the FMG/FAZ (/etc/raddb/clients.conf or /etc/freeradius/clients.conf)
#
client fmg_faz {
    ipaddr = 10.5.28.95
    secret = 123456789      # must match the "set secret" value configured on the FMG/FAZ
}
#

2.2.    Verify that the following attributes are defined in the “dictionary.fortinet” file (/usr/local/share/freeradius/dictionary.fortinet)
#
VENDOR          Fortinet                  12356
#
BEGIN-VENDOR    Fortinet
#
ATTRIBUTE       Fortinet-Group-Name       1     string
ATTRIBUTE       Fortinet-Vdom-Name        3     string
ATTRIBUTE       Fortinet-Access-Profile   6     string
#
END-VENDOR      Fortinet
These are the attributes used in FMG/FAZ.
If the same server will be used with other Fortinet products, the full list of RADIUS attributes is available under Technical Note: Fortinet RADIUS attribute.
2.3.    Add the line below to the master dictionary (/etc/raddb/dictionary or /etc/freeradius/dictionary)
#
$INCLUDE         /usr/share/freeradius/dictionary.fortinet
#

2.4.    Set the RADIUS attributes in the “users” file (/etc/raddb/users or /etc/freeradius/users)
#
user1 Auth-Type = Local, Password := "1user234567"
            Fortinet-Access-Profile = "read-write",
            Fortinet-Vdom-Name = "TEST1",
            # For multiple attributes of the same type, after the first one use the operator "+=" to add the value to the reply items
            Fortinet-Vdom-Name += "TEST2",
            Fortinet-Group-Name = "fmg_faz_admins",
            .
            .
#
user2 Auth-Type = Local, Password := "2user345678"
            Fortinet-Access-Profile = "read-only",
            Fortinet-Vdom-Name = "TEST2",
            Fortinet-Group-Name = "fmg_faz_admins",
            .
            .
#
2.5.    Test and refer to the Troubleshooting section below in case of issues.

3.    Windows server 2016

In NPS the VSAs are defined in the Network Policies, whose conditions can match only groups (not single users).
The test scenario can be configured in different ways, but for this demonstration 4 groups* will be used:
  - fmg_faz_RW
  - fmg_faz_RO
  - fmg_faz_TEST1
  - fmg_faz_TEST2
*There is no need to actually create the common “fmg_faz_admins” group in AD. It can be assigned purely as a VSA in the policies matching these 4 groups.

user1 – member of fmg_faz_RW, fmg_faz_TEST1 and fmg_faz_TEST2
user2 – member of fmg_faz_RO and fmg_faz_TEST2
3.1.    Create a new RADIUS Client to allow the FMG/FAZ to access the server

3.2.    Create a "Network Policy" to "Grant Access" R/W to both TEST1 and TEST2 ADOMs

Note: The groups should be configured as separate conditions of type "Windows Groups" or "User Groups".


3.3.    Open the policy properties -> Settings -> Vendor Specific -> Add…

3.4.    In "Vendor" -> Custom. Then under "Attributes" -> Vendor specific -> Add…

3.5.    In the "Attribute Information" dialog box -> Add…


3.6.    In "Specify network access server vendor", choose "Enter Vendor Code", type "12356", and select "Yes, it conforms" to the RADIUS RFC -> Configure Attribute…

3.7.    For the "group-match" attribute configure:
  - Attribute number = 1 (meaning “Fortinet‐Group‐Name”)
  - Attribute Format = String
  - Value = “fmg_faz_admins” (exactly matching the group defined in step 4 of the FMG/FAZ configuration)
-> OK -> OK

3.8.   Add the attributes for the admin profile:

-> Add…:
  - Attribute number = 6 (meaning “Fortinet‐Access‐Profile”)
  - Attribute Format = String
  - Value = “read-write” (exactly matching the admin profile defined in step 2 of the FMG/FAZ configuration)
 -> OK -> OK

-> Add…:
  - Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
  - Attribute Format = String
  - Value = “TEST1” (exactly matching the ADOM name)
-> OK -> OK

-> Add…:
  - Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
  - Attribute Format = String
  - Value = “TEST2” (exactly matching the second ADOM name)
-> OK -> OK

At this point the "Attribute Information" dialog should be looking like this:


-> OK -> OK, then proceed with the next policy.

3.9.    Create a "Network Policy" to "Grant Access" R/O to TEST2 ADOM

Note: The groups should be configured as separate conditions of type "Windows Groups" or "User Groups".

3.10.    Repeat steps 3.3 to 3.8, but add different attributes according to the purpose of the policy.

For this task, we’ll need the following attributes:

-> Add… the attribute for the group:
  - Attribute number = 1 (meaning “Fortinet‐Group‐Name”)
  - Attribute Format = String
  - Value = “fmg_faz_admins” (exactly matching the group defined in step 4 of the FMG/FAZ configuration)
-> OK -> OK.

-> Add… the next attribute for the admin profile:
  - Attribute number = 6 (meaning “Fortinet‐Access‐Profile”)
  - Attribute Format = String
  - Value = “read-only” (exactly matching the admin profile defined in step 2 of the FMG/FAZ configuration)
-> OK -> OK.

-> Add… the next attribute for the admin profile:
  - Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
  - Attribute Format = String
  - Value = “TEST2” (exactly matching the ADOM name)
-> OK -> OK.

At this point the "Attribute Information" dialog should be looking like this:


-> OK -> OK.

3.11.    Test and refer to the Troubleshooting section below in case of issues.

Troubleshooting
The following CLI commands are used for troubleshooting admin login issues on FortiManager/FortiAnalyzer:
# diag debug application fnbam 255
# diag debug enable
Since version 6.4.5:
# diagnose debug application auth 8
# diagnose debug enable
When done, don’t forget to reset and disable the debug:
# diag debug reset
# diag debug disable

Output Samples:

All OK:
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'

Group mismatch:
fam_authenticate_user: User 'user3' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1338179584 for user3 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=19 len=89 user="user3" using CHAP
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1338179584
only admin belongs to group 'fmg_faz_admins' can login
fam_authenticate_user: remote authentication failed/incomplete, rc=1

The string under “set radius-group-match” doesn’t match the value sent by the RADIUS server.
The GUI returns the error: “Authentication failure. Please try again...”

Admin profile mismatch:
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'
The RADIUS user is authenticated, but has no admin profile attribute, or it is set to a profile that doesn’t exist on FMG/FAZ.
The admin profile “none” is applied and the GUI returns a “No Permission” error after login (older versions may display a blank page instead of the error).

ADOM name mismatch:
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1309736960 for user1 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=18 len=89 user="user1" using CHAP
fnbamd_radius.c[243] extract_private_attrs-     adom 'TEST1' skipped: not exist
fnbamd_radius.c[243] extract_private_attrs-     adom 'TEST2' skipped: not exist
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1309736960
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'
The RADIUS user is authenticated, but has no VDOM/ADOM attribute, or there is no such ADOM on FMG/FAZ.
The user is therefore routed to ADOM “EMPTY” and assigned the admin profile 'read-write'.
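The attribute layout from the VSA dictionary above and the outcomes shown in the log samples, as an added Python example that is not part of the original article: it encodes and parses the Fortinet Vendor-Specific attributes (vendor 12356, attributes 1, 3 and 6) and models the wildcard-admin decision (group mismatch, invalid profile, missing ADOM). The resolve_admin rules are a simplification inferred from the log lines, not FMG/FAZ code, and the Access-Accept reply is constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356                      # VENDOR line of the dictionary above
VSA_GROUP_NAME, VSA_VDOM_NAME, VSA_ACCESS_PROFILE = 1, 3, 6

def encode_fortinet_vsa(vendor_type, value):
    """Build one RFC 2865 Vendor-Specific AVP (type 26) carrying a Fortinet string VSA."""
    data = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data   # vendor-type, vendor-length, string
    return struct.pack("!BBI", 26, 6 + len(sub), FORTINET_VENDOR_ID) + sub

def parse_fortinet_vsas(attrs):
    """Walk a RADIUS attribute blob and return [(vendor_type, value), ...] for Fortinet VSAs."""
    found, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")      # never trust lengths from the wire
        if atype == 26 and alen >= 8 and struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == FORTINET_VENDOR_ID:
            vpos, end = pos + 6, pos + alen
            while vpos + 2 <= end:
                vtype, vlen = attrs[vpos], attrs[vpos + 1]
                if vlen < 2 or vpos + vlen > end:
                    raise ValueError("malformed Fortinet VSA")
                found.append((vtype, attrs[vpos + 2:vpos + vlen].decode()))
                vpos += vlen
        pos += alen
    return found

def resolve_admin(vsas, group_match, profiles, adoms, default_profile="none", default_adom="EMPTY"):
    """Simplified model (assumption, not FMG/FAZ code) of the wildcard-admin outcomes in the log samples."""
    if group_match not in [v for t, v in vsas if t == VSA_GROUP_NAME]:
        return None                                 # "only admin belongs to group ... can login"
    profile = next((v for t, v in vsas if t == VSA_ACCESS_PROFILE), None)
    if profile not in profiles:
        profile = default_profile                   # "ignore invalid admin prof override"
    granted = [v for t, v in vsas if t == VSA_VDOM_NAME and v in adoms]   # others "skipped: not exist"
    return profile, granted or [default_adom]

def demo():
    """Constructed Access-Accept attributes for user1 from the example task."""
    reply = (encode_fortinet_vsa(VSA_GROUP_NAME, "fmg_faz_admins")
             + encode_fortinet_vsa(VSA_ACCESS_PROFILE, "read-write")
             + encode_fortinet_vsa(VSA_VDOM_NAME, "TEST1")
             + encode_fortinet_vsa(VSA_VDOM_NAME, "TEST2"))
    return resolve_admin(parse_fortinet_vsas(reply), "fmg_faz_admins",
                         {"none", "read-write", "read-only"}, {"EMPTY", "TEST1", "TEST2"})

if __name__ == "__main__":
    print(demo())   # ('read-write', ['TEST1', 'TEST2'])
```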