yugiohx
New Member
August 6, 2018
Question

Radius user group mapping problem
Hello everybody, I have a Fortinet VM-64 (version v5.4.7, build6446) providing SSLVPN service. My customer provides a RADIUS server for SSLVPN authentication, but their RADIUS server can't respond with group information during authentication. So I created many accounts with RADIUS on the VM-64 and mapped them to different groups. But there is a problem with the group mapping. When a client uses an account which exists on the RADIUS server but doesn't exist on the VM-64 to log in to SSLVPN, the login succeeds and the account is mapped to the group of the first account in the account list.

For example:

I have two accounts on the VM-64:
AAA in radius is group-X (it's the first account in the list)
BBB in radius is group-Y

There are three accounts on the RADIUS server (because the RADIUS server is not only for SSLVPN):
AAA
BBB
CCC

When a client uses CCC to log in to SSLVPN, the login succeeds and it is mapped to group-X.

Because different groups have different access control lists, this is a security issue. And it's strange to map an account which doesn't exist to an existing group. It looks like a vulnerability or a program logic error in the authentication. Could you kindly give me some suggestions to resolve it? Thanks a lot : )


xsilver_FTNT
Staff
    August 6, 2018

Hi,

to be honest I do not understand your config.

But if you do have SSLVPN bonded to a firewall user group which contains (is bonded to) the RADIUS server, then the login of CCC is authenticated against the RADIUS server, not against your local users on the FGVM-64 (as there is no CCC user).

If you do mix local users and a RADIUS bond in a single user group ...

    config user group
        edit "SOME-GROUP"
            set member "AAA" "BBB" "RADIUS-SERVER"
        next
    end

.. then local users like AAA or BBB are checked first (so if there is an AAA user on RADIUS-SERVER it will not be checked, as the local AAA user exists and local users have preference).

If there is no local user, then anyone else will be passed and tried against RADIUS-SERVER .. and if the server replies Access-Accept, then the user is authenticated and allowed to pass through.

If you want to drive group membership for SSL and divide users into groups according to their presence on the RADIUS server, then check the RADIUS group match feature of FortiOS (a similar feature exists for LDAP).

More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464
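To make the evaluation order in the reply above concrete, here is an added toy model (not FortiOS code, and not from the reply's author): it checks the local users of a group first and, when the RADIUS server object itself is a group member, admits anyone the server accepts. The account names, passwords and the two group layouts are constructed for the illustration.

```python
"""Toy model of the FortiGate user-group evaluation described in the reply above.

Added illustration, not FortiOS code: it implements the order the reply states
(local users in a group are checked first; if the RADIUS server object itself is
a group member, any account the server accepts is admitted) and shows why an
account such as CCC that exists only on the RADIUS server still lands in the
first group that contains the server object. All names and passwords are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed stand-in for the customer's RADIUS server (three accounts, as in the question).
RADIUS_ACCOUNTS = {"AAA": "pw-aaa", "BBB": "pw-bbb", "CCC": "pw-ccc"}


def radius_access_accept(username: str, password: str) -> bool:
    """Simulated Access-Accept / Access-Reject decision of the external server."""
    return RADIUS_ACCOUNTS.get(username) == password


@dataclass
class LocalUser:
    """A 'config user local' entry; type 'radius' delegates the password check to the server."""
    name: str
    type: str = "radius"


RADIUS_SERVER = "RADIUS-SERVER"  # the server object when it is used directly as a group member


@dataclass
class UserGroup:
    name: str
    members: List[Union[LocalUser, str]]


def group_admits(group: UserGroup, username: str, password: str) -> bool:
    # Step 1: a local user with this name takes precedence over the server object.
    for member in group.members:
        if isinstance(member, LocalUser) and member.name == username:
            if member.type == "radius":
                return radius_access_accept(username, password)
            return False  # other local user types are out of scope for this model
    # Step 2: no local user matched; the server object admits anyone the server accepts.
    if RADIUS_SERVER in group.members:
        return radius_access_accept(username, password)
    return False


def resolve_group(groups: List[UserGroup], username: str, password: str) -> Optional[str]:
    """Name of the first group (in configured order) that admits the login, or None."""
    for group in groups:
        if group_admits(group, username, password):
            return group.name
    return None


# Mixed layout: local users plus the server object in the first group. CCC is not a
# local user anywhere, but the server accepts it, so it lands in group-X (the symptom).
MIXED = [
    UserGroup("group-X", [LocalUser("AAA"), RADIUS_SERVER]),
    UserGroup("group-Y", [LocalUser("BBB")]),
]

# Per-user layout: only local RADIUS-typed users, never the server object as a member.
# An account that exists only on the server is not admitted into any group.
PER_USER = [
    UserGroup("group-X", [LocalUser("AAA")]),
    UserGroup("group-Y", [LocalUser("BBB")]),
]

if __name__ == "__main__":
    for groups, label in ((MIXED, "mixed"), (PER_USER, "per-user")):
        for user in ("AAA", "BBB", "CCC"):
            print(label, user, "->", resolve_group(groups, user, RADIUS_ACCOUNTS[user]))
```

Note that in the mixed layout even BBB resolves to group-X, because group-X is evaluated first and its server object accepts any valid RADIUS credential; only the per-user layout keeps the mapping tied to the accounts actually defined on the firewall.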

yugiohx (Author)
New Member
August 6, 2018

xsilver wrote: (quoting the reply above in full)

Thanks for the reply, and sorry for not describing my config.

In this situation there are about 300 accounts on the RADIUS server, but just 50 accounts need SSLVPN.

And for some reason, the RADIUS server admin can't divide the accounts by whether they need SSLVPN or not on the RADIUS server.

What I want to do is check the username and password with the RADIUS server, and map the group on the FortiGate.

So I configured it on the FortiGate like what I do on the Juniper SSLVPN:

1. set a RADIUS server
2. create some groups
3. create many accounts with RADIUS, and map them to groups.

Is this configuration approach not functional on the FortiGate?

xsilver_FTNT
Staff
    August 6, 2018

Hi,

if the RADIUS admin can add the AVP Fortinet-Group-Name to some specific user accounts, it would be enough to divide them by use of RADIUS group match.

If you are unable to convince the RADIUS admin to change the config, then what should work is:

    config user radius
        edit "RADIUS-SERVER"
            set server "10.10.10.69"
            set secret SuperSecretPassword
        next
    end

    config user local
        edit "userrad-1"
            set type radius
            set radius-server "RADIUS-SERVER"
        next
        # one such entry per account that is allowed to use SSL VPN
        edit "userrad-2"
            set type radius
            set radius-server "RADIUS-SERVER"
        next
    end

    config user group
        edit "RADIUS-GRP"
            set member "userrad-1" "userrad-2"
        next
    end

    config vpn ssl settings
        ... other ssl settings you have
        config authentication-rule
            edit 1
                set groups "RADIUS-GRP"
                set portal "full-access"
            next
        end
    end
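The reply above mentions the Fortinet-Group-Name AVP and RADIUS group match as the preferred way to divide accounts. As an added illustration (not FortiOS, FreeRADIUS or the reply author's code), the following Python builds the attribute list of a constructed Access-Accept that carries that vendor-specific attribute (Fortinet's IANA enterprise number 12356, vendor type 1), parses it back defensively, and applies a group-match table of the kind the feature uses: a firewall group is selected only when the server returned the group name configured for it. The group names, the match table and the Reply-Message filler are assumptions for the example.

```python
"""Added example: encoding and matching the Fortinet-Group-Name RADIUS VSA.

Not FortiOS or FreeRADIUS code. Builds the attribute list of a constructed
Access-Accept carrying the Fortinet vendor-specific attribute, parses it back,
and applies a group-match table: a firewall group is chosen only when the server
returned the RADIUS group name it is configured to match. Group names and the
table are assumptions made for this illustration.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
REPLY_MESSAGE = 18            # plain attribute, used only as filler in the sample reply
FORTINET_VENDOR_ID = 12356    # Fortinet's IANA private enterprise number
FORTINET_GROUP_NAME = 1       # vendor type of Fortinet-Group-Name in the Fortinet dictionary


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_fortinet_group_name(group: str) -> bytes:
    """Vendor-Specific attribute holding one Fortinet-Group-Name sub-attribute."""
    data = group.encode()
    vendor_data = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(data)) + data
    return encode_attribute(VENDOR_SPECIFIC, vendor_data)


def parse_attributes(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, refusing malformed lengths instead of guessing."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2:i + length]
        i += length


def fortinet_group_names(blob: bytes) -> List[str]:
    """All Fortinet-Group-Name values in the reply, in the order the server sent them."""
    names: List[str] = []
    for attr_type, value in parse_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA; not our concern
        j = 4  # vendor data may carry several sub-attributes back to back
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[j + 2:j + vlen].decode())
            j += vlen
    return names


def match_firewall_group(reply: bytes, table: Dict[str, str]) -> Optional[str]:
    """First firewall group whose configured RADIUS group name the server returned, else None."""
    returned = fortinet_group_names(reply)
    for firewall_group, radius_group in table.items():
        if radius_group in returned:
            return firewall_group
    return None


# Constructed group-match table: firewall group -> Fortinet-Group-Name it requires.
GROUP_MATCH = {"SSLVPN-GRP": "sslvpn-users"}

# Constructed replies: one for an account the RADIUS admin tagged for SSL VPN, one for
# an ordinary account the server accepts but that carries no Fortinet-Group-Name.
ACCEPT_TAGGED = encode_attribute(REPLY_MESSAGE, b"welcome") + encode_fortinet_group_name("sslvpn-users")
ACCEPT_UNTAGGED = encode_attribute(REPLY_MESSAGE, b"welcome")

if __name__ == "__main__":
    print("tagged   ->", match_firewall_group(ACCEPT_TAGGED, GROUP_MATCH))
    print("untagged ->", match_firewall_group(ACCEPT_UNTAGGED, GROUP_MATCH))
```

The untagged account is accepted by the server but matches no firewall group, which is exactly the separation the thread is after: a valid password alone no longer places an account into the SSL VPN group.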

emnoc
New Member
August 28, 2018

Yes, I have to agree with the last post: the VSA is what you want, and if you have a RADIUS server that does not recognize the VSA then abandon it.

FWIW, here is the Fortinet VSA:

http://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&sliceId=1

     

yugiohx (Author)
New Member
August 28, 2018

Thanks for the reply: )

I agree with the solution, if the RADIUS server can reply with the group attribute.

But the guy who manages the RADIUS server is a senior engineer who doesn't like to change things.

It's difficult to ask him to edit about 200 accounts for me....Orz

emnoc
New Member
August 28, 2018

Change the users, or use a RADIUS-as-a-Service like JumpCloud.

Ken