# config system admin radius
edit "fac.test.lab" <----- Name of the server object.
set server "10.109.19.6" <----- RADIUS server IP address.
set port 1812 <----- RADIUS server port.
set auth-type chap <----- {any|pap|chap|mschap2}.
set secret @Rad1us#Secr3T
next
end
# config system admin profile
edit "none" <----- 'none' will be used as default profile for the wildcard admin user
next <----- in 5.0 and 5.2, profile with no permissions can be created only via CLI
edit "read-write"
set system-setting read-write
set adom-switch read-write
set global-policy-packages read-write
set assignment read-write
set read-passwd none
set intf-mapping read-write
set device-manager read-write
set device-config read-write
set device-op read-write
set device-wan-link-load-balance read-write
set device-ap read-write
set device-forticlient read-write
set device-fortiswitch read-write
set device-profile read-write
set policy-objects read-write
set deploy-management read-write
set import-policy-packages read-write
set config-retrieve read-write
set config-revert read-write
set term-access read-write
set adom-policy-packages read-write
set vpn-manager read-write
set realtime-monitor none
set consistency-check read-write
set fgd_center read-write
set fgd-center-licensing read-write
set fgd-center-fmw-mgmt read-write
set fgd-center-advanced read-write
set log-viewer read-write
set report-viewer read-write
set event-management read-write
next
edit "read-only"
set system-setting read
set adom-switch read
set global-policy-packages read
set assignment read
set read-passwd none
set intf-mapping read
set device-manager read
set device-config read
set device-op read
set device-wan-link-load-balance read
set device-ap read
set device-forticlient read
set device-fortiswitch read
set device-profile read
set policy-objects read
set deploy-management read
set import-policy-packages read
set config-retrieve read
set config-revert read
set term-access read
set adom-policy-packages read
set vpn-manager read
set realtime-monitor none
set consistency-check read
set fgd_center read
set fgd-center-licensing read
set fgd-center-fmw-mgmt read
set fgd-center-advanced read
set log-viewer read
set report-viewer read
set event-management read
next
end
4. Create a wildcard admin user (the settings in bold are available only via CLI).
config system admin user
edit "raduser" <- name of the admin object
set profileid "none" <- the profile "none" from step 2
set adom "EMPTY" <- the empty ADOM from step 3
set policy-package "all_policy_packages"
set user_type radius
set radius_server "fac.test.lab" <- name of the server object
set wildcard enable
set radius-accprofile-override enable <- command updated since versions 5.6.6 / 6.0.3, see below
set radius-adom-override enable <- command updated since versions 5.6.6 / 6.0.3, see below
set radius-group-match "fmg_faz_admins" <- only users belonging to this group will be able to log in * (command updated since versions 5.6.6 / 6.0.3, see below)
next
end
* If not configured, all users on the RADIUS server will be able to log in to FMG/FAZ and will receive access to ADOM "EMPTY" with the permissions defined by profileid "none".
Note: FortiManager/FortiAnalyzer up to version 5.6.3 allows only one wildcard user account. As of versions 5.6.4 / 6.0.0, multiple wildcard administrators can be configured.
Note: As of versions 5.6.6 / 6.0.3 the admin user CLI syntax was changed as follows:
set radius-accprofile-override => set ext-auth-accprofile-override
set radius-adom-override => set ext-auth-adom-override
set radius-group-match => set ext-auth-group-match
These are the attributes used in FMG/FAZ:
VENDOR Fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Access-Profile 6 string
For a complete list of Fortinet RADIUS attributes please refer to Technical Note: Fortinet RADIUS attribute.
2.1. Add client configuration for the FMG/FAZ (/etc/raddb/clients.conf or /etc/freeradius/clients.conf)
client fmg_faz {
ipaddr = 10.5.28.95
secret = 123456789
}
2.2. Verify that the following attributes are defined in the "dictionary.fortinet" file (/usr/local/share/freeradius/dictionary.fortinet)
##
VENDOR Fortinet 12356
#
BEGIN-VENDOR Fortinet
#
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Access-Profile 6 string
#
END-VENDOR Fortinet
If the same server will be used with other Fortinet products, the full list of RADIUS attributes is available under Technical Note: Fortinet RADIUS attribute.
2.3. Add the line below to the master dictionary (/etc/raddb/dictionary or /etc/freeradius/dictionary)
$INCLUDE /usr/share/freeradius/dictionary.fortinet
2.4. Set the RADIUS attributes in the "users" file (/etc/raddb/users or /etc/freeradius/users)
user1 Auth-Type = Local, Password := "1user234567"
    Fortinet-Access-Profile = "read-write",
    Fortinet-Vdom-Name = "TEST1",
    Fortinet-Vdom-Name += "TEST2", # <---- For multiple attributes of the same type, after the first one, use the operator "+=" to add the value to the reply items
    Fortinet-Group-Name = "fmg_faz_admins"
#
user2 Auth-Type = Local, Password := "2user345678"
    Fortinet-Access-Profile = "read-only",
    Fortinet-Vdom-Name = "TEST2",
    Fortinet-Group-Name = "fmg_faz_admins"
#
Each reply item except the last must end with a comma. On FreeRADIUS 2.x and later, the check item is written as Cleartext-Password := "..." instead of Auth-Type = Local, Password := "...".
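As an added example (not part of this technical note), the Python below encodes the user1 reply items from the users file above as RADIUS Vendor-Specific Attributes (type 26, vendor 12356, sub-attributes 1/3/6), decodes them back, and applies the group-match, admin-profile and ADOM fallback rules this note describes. The FMG_PROFILES and FMG_ADOMS sets are assumptions standing in for what exists on the FMG/FAZ.

```python
import struct

FORTINET_VENDOR_ID = 12356
# Fortinet sub-attribute numbers used by FMG/FAZ, as in dictionary.fortinet
NAMES = {1: "Fortinet-Group-Name", 3: "Fortinet-Vdom-Name", 6: "Fortinet-Access-Profile"}
GROUP, VDOM, PROFILE = 1, 3, 6


def encode_vsa(sub_type, value):
    """One RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26):
    Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, String."""
    data = value.encode()
    inner = struct.pack("!BB", sub_type, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(inner), FORTINET_VENDOR_ID) + inner


def decode_vsas(blob):
    """Walk a run of RADIUS attributes; return [(name, value)] for Fortinet VSAs only."""
    out, i = [], 0
    while i < len(blob):
        a_type, a_len = blob[i], blob[i + 1]
        if a_type == 26 and struct.unpack("!I", blob[i + 2:i + 6])[0] == FORTINET_VENDOR_ID:
            sub_type, sub_len = blob[i + 6], blob[i + 7]
            out.append((NAMES.get(sub_type, sub_type), blob[i + 8:i + 6 + sub_len].decode()))
        i += a_len
    return out


def resolve_login(attrs, group_match, profiles, adoms):
    """Wildcard-admin override rules from the note: the reply must carry the exact
    radius-group-match group; Fortinet-Access-Profile is used only if that profile
    exists (else the wildcard user's own 'none'); Fortinet-Vdom-Name values are kept
    only for ADOMs that exist (none valid -> the user lands in ADOM 'EMPTY')."""
    groups = [v for n, v in attrs if n == "Fortinet-Group-Name"]
    if group_match and group_match not in groups:
        return {"result": "reject", "reason": "group mismatch"}
    profile = next((v for n, v in attrs if n == "Fortinet-Access-Profile"), None)
    valid_adoms = [v for n, v in attrs if n == "Fortinet-Vdom-Name" and v in adoms]
    return {"result": "accept",
            "profile": profile if profile in profiles else "none",
            "adoms": valid_adoms or ["EMPTY"]}


# Constructed sample: the reply items of user1 from the users file above
USER1_REPLY = (encode_vsa(PROFILE, "read-write") + encode_vsa(VDOM, "TEST1")
               + encode_vsa(VDOM, "TEST2") + encode_vsa(GROUP, "fmg_faz_admins"))
FMG_PROFILES = {"none", "read-write", "read-only"}  # admin profiles from step 2 (assumed)
FMG_ADOMS = {"EMPTY", "TEST1", "TEST2"}             # ADOMs assumed to exist on the FMG/FAZ
```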
3.1. Create new RADIUS Client to allow the FMG/FAZ to access the server
3.2. Create a "Network Policy" to "Grant Access" R/W to both TEST1 and TEST2 ADOMs
Note: The groups should be configured as separate conditions of type "Windows Groups" or "User Groups".
3.3. Open the policy properties -> Settings -> Vendor Specific -> Add…
3.4. In "Vendor" -> Custom. Then under "Attributes" -> Vendor specific -> Add…
3.5. In the "Attribute Information" dialog box -> Add…
3.6. In "Specify network access server vendor", choose "Enter Vendor Code", type "12356", and select "Yes, it conforms" to the RADIUS RFC -> Configure Attribute…
3.7. For the "group-match" attribute configure:
- Attribute number = 1 (meaning “Fortinet‐Group‐Name”)
- Attribute Format = String
- Value = “fmg_faz_admins” (exactly matching the group defined in step 4 of the FMG/FAZ configuration)
-> OK -> OK
3.8. Add the attributes for the admin profile:
-> Add…:
- Attribute number = 6 (meaning “Fortinet‐Access‐Profile”)
- Attribute Format = String
- Value = “read-write” (exactly matching the admin profile defined in step 2 of the FMG/FAZ configuration)
-> OK -> OK
-> Add…:
- Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
- Attribute Format = String
- Value = “TEST1” (exactly matching the ADOM name)
-> OK -> OK
-> Add…:
- Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
- Attribute Format = String
- Value = “TEST2” (exactly matching the second ADOM name)
-> OK -> OK
At this point the "Attribute Information" dialog should list the three attributes added above.
-> OK -> OK, then proceed with the next policy.
3.9. Create a "Network Policy" to "Grant Access" R/O to TEST2 ADOM
Note: The groups should be configured as separate conditions of type "Windows Groups" or "User Groups"
3.10. Repeat steps 3.3 to 3.8, adding different attributes according to the policy purpose.
For this task, we’ll need the following attributes:
-> Add… the attribute for the group:
- Attribute number = 1 (meaning “Fortinet‐Group‐Name”)
- Attribute Format = String
- Value = “fmg_faz_admins” (exactly matching the group defined in step 4 of the FMG/FAZ configuration)
-> OK -> OK.
-> Add… the next attribute for the admin profile:
- Attribute number = 6 (meaning “Fortinet‐Access‐Profile”)
- Attribute Format = String
- Value = “read-only” (exactly matching the admin profile defined in step 2 of the FMG/FAZ configuration)
-> OK -> OK.
-> Add… the next attribute for the admin profile:
- Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
- Attribute Format = String
- Value = “TEST2” (exactly matching the ADOM name)
-> OK -> OK.
At this point the "Attribute Information" dialog should list the three attributes added above.
-> OK -> OK.
3.11. Test and refer to the Troubleshooting section below in case of issues.
# diag debug application fnbam 255
# diag debug enable
Since version 6.4.5:
# diagnose debug application auth 8
# diagnose debug en
When done, don't forget to reset and disable the debug:
# diag debug reset
# diag debug disable
Output Samples:
Successful login:
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'
Group mismatch:
fam_authenticate_user: User 'user3' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1338179584 for user3 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=19 len=89 user="user3" using CHAP
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1338179584
only admin belongs to group 'fmg_faz_admins' can login
fam_authenticate_user: remote authentication failed/incomplete, rc=1
The string under "set radius-group-match" doesn't match the value sent by the RADIUS server.
GUI returns error: "Authentication failure. Please try again..."
Admin profile mismatch:
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'
The RADIUS user is authenticated, but has no admin profile attribute, or it is set to a profile that doesn't exist on FMG/FAZ.
The admin profile "none" is applied and the GUI returns a "No Permission" error after login (older versions may display a blank page instead of an error).
ADOM name mismatch:
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1309736960 for user1 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=18 len=89 user="user1" using CHAP
fnbamd_radius.c[243] extract_private_attrs- adom 'TEST1' skipped: not exist
fnbamd_radius.c[243] extract_private_attrs- adom 'TEST2' skipped: not exist
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1309736960
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'
The RADIUS user is authenticated, but has no VDOM/ADOM attribute, or there is no such ADOM on FMG/FAZ.
So the user is routed to ADOM "EMPTY" and assigned admin profile 'read-write'.
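Added example, not part of this technical note: a small Python classifier that reads fnbam debug lines like the samples above and reports which of the three failure cases (or a clean login) they show, together with the user, server, ADOMs and profile the FMG/FAZ applied. The two embedded logs are constructed from the samples quoted above.

```python
import re

# Line patterns taken from the fnbam debug samples above
RX_REQ = re.compile(r"Rcvd auth req \d+ for (\S+) in (\S+)")
RX_ADOM = re.compile(r"extract_private_attrs- adom '([^']+)'( skipped: not exist)?")
RX_PROF = re.compile(r"(apply|ignore invalid) admin prof override: '([^']+)'")


def classify_fnbamd(lines):
    """Summarise one wildcard-admin login from fnbam debug lines: user and server, the
    ADOMs and profile FMG/FAZ applied, and which Troubleshooting case the output matches."""
    info = {"user": None, "server": None, "adoms": [], "skipped": [],
            "profile": None, "verdict": "unknown"}
    succeeded = False
    for line in lines:
        if m := RX_REQ.search(line):
            info["user"], info["server"] = m.group(1), m.group(2)
        elif m := RX_ADOM.search(line):
            info["skipped" if m.group(2) else "adoms"].append(m.group(1))
        elif m := RX_PROF.search(line):
            if m.group(1) == "apply":
                info["profile"] = m.group(2)
            else:  # profile in the reply does not exist: the wildcard user's 'none' stays
                info["profile"], info["verdict"] = "none", "admin profile mismatch"
        elif "belongs to group" in line and "can login" in line:
            info["verdict"] = "group mismatch"
        elif "remote authentication succeeded" in line:
            succeeded = True
    if succeeded and info["verdict"] == "unknown":
        if info["adoms"]:
            info["verdict"] = "success"
        else:  # no usable ADOM in the reply: the user lands in ADOM 'EMPTY'
            info["adoms"], info["verdict"] = ["EMPTY"], "adom name mismatch"
    return info


# Constructed samples reusing the debug lines quoted in the Troubleshooting section
GROUP_MISMATCH_LOG = """\
fam_authenticate_user: User 'user3' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1338179584 for user3 in fac.triton.lab opt=29 prot=9
only admin belongs to group 'fmg_faz_admins' can login
fam_authenticate_user: remote authentication failed/incomplete, rc=1
""".splitlines()
ADOM_MISMATCH_LOG = """\
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1309736960 for user1 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[243] extract_private_attrs- adom 'TEST1' skipped: not exist
fnbamd_radius.c[243] extract_private_attrs- adom 'TEST2' skipped: not exist
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'
""".splitlines()
```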
Copyright 2024 Fortinet, Inc. All Rights Reserved.