michal1
New Member
March 7, 2015
Solved

FreeRADIUS using Fortinet-Group-Name attribute


Hello,


I want to configure SSL VPN authentication using FreeRADIUS, but I want only users belonging to a specific group to have access to the network. Users and groups are stored on the FreeRADIUS host as local Linux users and groups. How should the FreeRADIUS user config file look to achieve this?


    6 replies

    emnoc
    New Member
    March 8, 2015

You need to look at the "Fortinet-Group-Name" attribute; not 100% sure how the radius conf or user db would look. But what I would do is run the freeradius daemon in debug mode and see what attribute is being sent by the NAS client (FGT) and then research the freeradius forums for examples.


    I think you can debug this from the fortigate also.


    xsilver_FTNT
    Staff
    March 9, 2015

    FortiGate sends an Access-Request with user name and password and in exchange expects either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something other than "any", then FortiGate does a string comparison of the configured value against the Fortinet-Group-Name AVP, which should be provided by the RADIUS server inside the Access-Accept. Note that it is a simple string comparison, and the group string sent by the RADIUS server might not have any relevance to actual user groups on the server itself.


    Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):

    ---

    # check items on the first line: the password and the unix group membership
    grptest   Cleartext-Password := "fortinet", Group == "group1"
    # reply items (returned in the Access-Accept); Service-Type is the name radtest shows below
              Service-Type = Login-User,
              Fortinet-Group-Name = "group1"

    emnoc
    New Member
    March 9, 2015

    Yeah, what he said; the client only sends the NAS_ID, user and the encrypted hash based on the secret. You will need to publish the other attributes in your radius.


    10:11:30.014958 IP (tos 0x0, ttl 62, id 59575, offset 0, flags [none], proto UDP (17), length 88)
        x.x.x.x.1043 > 10.2.1.7.1812: [udp sum ok] RADIUS, length: 60
        Access Request (1), id: 0x00, Authenticator: 6e9223245dc594207be6c3407c1c49ce
          NAS ID Attribute (32), length: 8, Value: HOTEL01
            0x0000:  4745 5445 5341
          Username Attribute (1), length: 14, Value: kfelixsslvpn
            0x0000:  6b66 656c 6978 7373 6c76 706e
          Password Attribute (2), length: 18, Value:
            0x0000:  ae28 1a68 3263 8358 0934 e71d a1d4 5bf7

    I don't know what the check box "enable groups" does on the fortigate remote authentication, but you might want to play around with it.


    Hint: If you have a radtest utility on the radius server, you could probably conduct a radius submittal and debug the radius server before you pull in the fortigate.


    btw: here's a snapshot of radtest against a radius service to validate the attribute:


    RAD01: RAD01: radtest testing password localhost 0 testing123
    Sending Access-Request of id 8 to 127.0.0.1 port 1812
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 10.200.41.55
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=8, length=42
        Service-Type = Login-User
        Fortinet-Group-Name = "SSLVPNSA"
    RAD01:

    It was done locally before the fortinet_client; hope that helps.

    xsilver_FTNT
    Staff
    March 9, 2015

    .. and if you would combine that RADIUS output showing radtest properly populating Fortinet-Group-Name with the below config, then any user on the RADIUS server who presents that string ("SSLVPNSA", and I assume that just selected users will do so) will pass and will be seen as a member of "GRP_RADIUS-1" on the FGT.


    config user group
        edit "GRP_RADIUS-1"
            set member "RADIUS-SERVER.11"
            config match
                edit 1
                    set server-name "RADIUS-SERVER.11"
                    set group-name "SSLVPNSA"
                next
            end
        next
    end


    emnoc
    New Member
    March 9, 2015

    I have never seen the string submitted by the NAS client; that's what I was suspecting the "enable group" option does. I will look more into it, but that was my preliminary analysis and I haven't really done a lot with freeradius.


    xsilver_FTNT
    Staff
    March 10, 2015

    The NAS client, in this case FortiGate, does not send Fortinet-Group-Name, never! It expects that AVP to be provided by the NAS server (RADIUS server) in the Access-Accept (if the user passes authentication).

    And then FortiGate compares string-by-string what is in the group match config and what it got from the RADIUS server. If it matches perfectly (100% match) then the user is considered a member of that group, otherwise he isn't.


    "Include in every user group" option is another story.

    In CLI it's "set all-usergroup          Enable/disable automatically include this RADIUS server to all user groups."

    So if used, then this RADIUS server is silently used in every possible user group. It is not even listed as a member of the group. Handy when you want to add a single RADIUS server to too many groups and you know the consequences. Usually it makes more trouble and questions like "why did the user pass auth when he is not on the member list?".
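To make the exchange described in xsilver_FTNT's two posts concrete (the RADIUS server returns Fortinet-Group-Name inside the Access-Accept, and the FortiGate then does a plain string comparison against its group match), here is an added Python example that is not from this thread, nor from FreeRADIUS or Fortinet. It builds such an Access-Accept with Service-Type and the Fortinet-Group-Name VSA (Fortinet's vendor ID 12356, sub-type 1), verifies the Response Authenticator with the shared secret, and applies the exact-match check; the packet identifier, request authenticator, secret and group value are constructed sample data.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_LOGIN_USER = 1
FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # sub-type of Fortinet-Group-Name inside the VSA

def fortinet_vsa(subtype, value):
    """Encode one Fortinet Vendor-Specific attribute (RFC 2865, attribute 26)."""
    inner = struct.pack("!BB", subtype, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(ident, request_auth, secret, group):
    """Build the Access-Accept a users-file entry with Fortinet-Group-Name produces."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, SERVICE_TYPE_LOGIN_USER)
    attrs += fortinet_vsa(FORTINET_GROUP_NAME, group.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """True only if the reply was produced by a server holding the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected

def fortinet_group_names(packet):
    """Collect every Fortinet-Group-Name string carried in the reply's VSAs."""
    names, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break                                   # malformed attribute: stop
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            # Only the first sub-attribute of each VSA is inspected here
            if vendor == FORTINET_VENDOR_ID and packet[pos + 6] == FORTINET_GROUP_NAME:
                names.append(packet[pos + 8:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return names

def fortigate_group_match(packet, configured=None):
    """Mimic the FortiGate check: no group-name configured means 'any', else exact equality."""
    return configured is None or configured in fortinet_group_names(packet)
```

With the sample values the reply is 42 bytes long, the same length radtest reported above for an Access-Accept carrying Service-Type and Fortinet-Group-Name = "SSLVPNSA".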


    emnoc
    New Member
    March 12, 2015

    Thanks for the clarity. Like I said, I have never seen any string per se for the group from the NAS client. You can run the server in debug and see that and confirm.


    michal1 (Author)
    New Member
    March 25, 2015

    Ok, after some time I've managed to set up RADIUS on Synology device. Very simple and short setup in fact.

    There are some non-standard config files, but generally it is still a FreeRADIUS server; inside the file located at:

    /usr/local/synoradius/rad_users, I have:


    DEFAULT Auth-Type = System, Group-Name == "MyGroup"
            Fortinet-Group-Name = "MyGroup"


    It works as I expected.