mdeparisse_FTNT
Article Id 198202

Purpose

This article describes how to configure FortiManager/FortiAnalyzer for RADIUS authentication and authorization using access profile override, ADOM override and Vendor Specific Attributes (VSA) on the RADIUS side.

Scope

The CLI examples are universal for all covered firmware versions. Note: the GUI screenshots are from v6.0; although the menus look different in the older versions, the settings are the same.


Expectations, Requirements


Example Task:

The following directory users, members of the group 'fmg_faz_admins', should be granted different permissions in FortiManager/FortiAnalyzer based on their RADIUS attributes:

  • user1 – 'read-write' permissions for all sections of ADOMs 'TEST1' and 'TEST2'.
  • user2 – 'read-only' permissions for all sections of ADOM 'TEST2'.
  • All other users – should have no access to FortiManager/FortiAnalyzer.


Configuration:

FortiManager/FortiAnalyzer configuration:

  1. Configure a remote server object.

config system admin radius
  edit "fac.test.lab"               <----- Name of the server object.
    set server "10.109.19.6"        <----- RADIUS server IP address.
    set port 1812                   <----- RADIUS server port.
    set auth-type chap              <----- {any|pap|chap|mschap2}.
    set secret @Rad1us#Secr3T
  next
end


Test the RADIUS server connection and validate a user name and password.


 

  2. Create the admin profiles, as required:

For this example, the following profiles are needed:

config system admin profile

edit "none"             <----- 'none' will be used as the default profile for the wildcard admin user.
next                    <----- In 5.0 and 5.2, a profile with no permissions can be created only via the CLI.

edit "read-write"
   set system-setting read-write
   set adom-switch read-write
   set global-policy-packages read-write
   set assignment read-write
   set read-passwd none
   set intf-mapping read-write
   set device-manager read-write
   set device-config read-write
   set device-op read-write
   set device-wan-link-load-balance read-write
   set device-ap read-write
   set device-forticlient read-write
   set device-fortiswitch read-write
   set device-profile read-write
   set policy-objects read-write
   set deploy-management read-write
   set import-policy-packages read-write
   set config-retrieve read-write
   set config-revert read-write
   set term-access read-write
   set adom-policy-packages read-write
   set vpn-manager read-write
   set realtime-monitor none
   set consistency-check read-write
   set fgd_center read-write
   set fgd-center-licensing read-write
   set fgd-center-fmw-mgmt read-write
   set fgd-center-advanced read-write
   set log-viewer read-write
   set report-viewer read-write
   set event-management read-write
next

edit "read-only"
   set system-setting read
   set adom-switch read
   set global-policy-packages read
   set assignment read
   set read-passwd none
   set intf-mapping read
   set device-manager read
   set device-config read
   set device-op read
   set device-wan-link-load-balance read
   set device-ap read
   set device-forticlient read
   set device-fortiswitch read
   set device-profile read
   set policy-objects read
   set deploy-management read
   set import-policy-packages read
   set config-retrieve read
   set config-revert read
   set term-access read
   set adom-policy-packages read
   set vpn-manager read
   set realtime-monitor none
   set consistency-check read
   set fgd_center read
   set fgd-center-licensing read
   set fgd-center-fmw-mgmt read
   set fgd-center-advanced read
   set log-viewer read
   set report-viewer read
   set event-management read
next

end

 


  3. Create an ADOM 'EMPTY' under System Settings -> All ADOMs -> Create New. This will be used as the default ADOM in the wildcard admin user.
     Alternatively, any existing empty ADOM may be used.

  4. Create a wildcard admin user (some of the settings are available only via the CLI).

config system admin user
    edit "raduser"                                 <- Name of the admin object.
        set profileid "none"                       <- The profile "none" from step 2.
        set adom "EMPTY"                           <- The empty ADOM from step 3.
        set policy-package "all_policy_packages"
        set user_type radius
        set radius_server "fac.test.lab"           <- Name of the server object from step 1.
        set wildcard enable
        set radius-accprofile-override enable      <- Command updated since versions 5.6.6 / 6.0.3, see below.
        set radius-adom-override enable            <- Command updated since versions 5.6.6 / 6.0.3, see below.
        set radius-group-match "fmg_faz_admins"    <- Only users belonging to this group will be able to log in * (command updated since versions 5.6.6 / 6.0.3, see below).
    next
end

 

 

* If not configured, all users on the RADIUS server will be able to log in to FortiManager/FortiAnalyzer and will receive access to the 'EMPTY' ADOM with the permissions defined by the profileid 'none'.

Note: FortiManager/FortiAnalyzer up to version 5.6.3 allows only one wildcard user account. As of versions 5.6.4 / 6.0.0, multiple wildcard administrators can be configured.

Note: As of versions 5.6.6 / 6.0.3, the admin user CLI syntax was changed as follows:

 

set radius-accprofile-override  ->  set ext-auth-accprofile-override
set radius-adom-override        ->  set ext-auth-adom-override
set radius-group-match          ->  set ext-auth-group-match


RADIUS side configuration:

The examples below are added mostly to explain the logic of the FortiManager/FortiAnalyzer config and may differ depending on the specific server version.
For further details, refer to the technical documentation of the RADIUS server vendor.

The following part of the VSA dictionary is used with FortiManager/FortiAnalyzer:

 

VENDOR         Fortinet                       12356
ATTRIBUTE      Fortinet-Group-Name            1             string
ATTRIBUTE      Fortinet-Vdom-Name             3             string
ATTRIBUTE      Fortinet-Access-Profile        6             string

 

For a complete list of Fortinet RADIUS attributes, refer to Technical Note: Fortinet RADIUS attribute.
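As an added illustration (not code from this article or from Fortinet), the following Python encodes the three Fortinet VSAs above into RFC 2865 Vendor-Specific attributes, decodes them back out of an Access-Accept, and applies the wildcard-admin rules described in the FortiManager/FortiAnalyzer configuration: group match as the login gate, access profile override falling back to the wildcard user's profile, and ADOM override with unknown ADOMs skipped. The function names and the sample reply are assumptions constructed for this example.

```python
import struct

# Values from the VSA dictionary on this page.
FORTINET_VENDOR_ID = 12356
VSA_GROUP_NAME, VSA_VDOM_NAME, VSA_ACCESS_PROFILE = 1, 3, 6
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type


def encode_vsa(vendor_type, value):
    """Encode one Fortinet VSA as an RFC 2865 Vendor-Specific attribute:
    type(26) len vendor-id(4) | vendor-type vendor-len value."""
    data = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), FORTINET_VENDOR_ID) + sub


def decode_fortinet_vsas(attr_area):
    """Walk the attribute area of a reply and return Fortinet (vendor-type, value) pairs."""
    found, i = [], 0
    while i + 2 <= len(attr_area):
        atype, alen = attr_area[i], attr_area[i + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute length")
        body = attr_area[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6 \
                and struct.unpack("!I", body[:4])[0] == FORTINET_VENDOR_ID:
            j = 4  # several vendor sub-attributes may share one attribute 26
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2:
                    raise ValueError("malformed vendor sub-attribute length")
                found.append((vtype, body[j + 2:j + vlen].decode()))
                j += vlen
        i += alen
    return found


def resolve_admin_access(attrs, group_match, profiles, adoms,
                         default_profile="none", default_adom="EMPTY"):
    """Apply the wildcard-admin rules in the order the debug output on this page shows:
    group gate first, then profile override, then ADOM override.
    Returns None when the login is refused, else (profile, list of ADOMs)."""
    if group_match not in [v for t, v in attrs if t == VSA_GROUP_NAME]:
        return None  # "only admin belongs to group '...' can login"
    profile = next((v for t, v in attrs if t == VSA_ACCESS_PROFILE), None)
    if profile not in profiles:
        profile = default_profile  # "ignore invalid admin prof override": wildcard user's profileid
    granted = [v for t, v in attrs if t == VSA_VDOM_NAME and v in adoms]  # others "skipped: not exist"
    return profile, granted or [default_adom]
```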

  1. FortiAuthenticator (5.2).


This example includes local users that were created beforehand. For more details, please refer to the FortiAuthenticator Administration Guide.

Create a new client for FortiManager:

 

 


 

Create the group allowing authentication to FortiManager/FortiAnalyzer.
Add the 'Fortinet-Group-Name' attribute with the value 'fmg_faz_admins'.
Select the users that will have FortiManager/FortiAnalyzer access.



Modify the users in order to assign the access profiles and ADOM permissions, as defined above:

  • user1 – 'read-write' permissions for all sections of ADOMs 'TEST1' and 'TEST2'.
  • user2 – 'read-only' permissions for all sections of ADOM 'TEST2'.

 



Test and refer to the Troubleshooting section below in case of issues.

  2. FreeRADIUS.

  2.1. Add the client configuration for the FortiManager/FortiAnalyzer (/etc/raddb/clients.conf or /etc/freeradius/clients.conf):

#
client fmg_faz {
        ipaddr         = 10.5.28.95
        secret         = 123456789
}

 

 

  2.2. Verify that the following attributes are defined in the 'dictionary.fortinet' file (/usr/local/share/freeradius/dictionary.fortinet).

#
VENDOR            Fortinet             12356
#
BEGIN-VENDOR Fortinet
#
ATTRIBUTE         Fortinet-Group-Name         1     string
ATTRIBUTE         Fortinet-Vdom-Name          3     string
ATTRIBUTE         Fortinet-Access-Profile     6     string
#
END-VENDOR Fortinet


These are the attributes used in FortiManager/FortiAnalyzer.

If the same server will be used with other Fortinet products, the full list of RADIUS attributes is available under Technical Note: Fortinet RADIUS attribute.

  2.3. Add the line below to the master dictionary (/etc/raddb/dictionary or /etc/freeradius/dictionary), using the path where 'dictionary.fortinet' is actually installed on that server:

#
$INCLUDE         /usr/share/freeradius/dictionary.fortinet

 

 

  2.4. Set the RADIUS attributes in the 'users' file (/etc/raddb/users or /etc/freeradius/users).

# Reply items are comma-separated; the last reply item of an entry carries no comma.
# For multiple attributes of the same type, after the first one, use the operator '+='
# to add the value to the reply items.
user1 Auth-Type = Local, Password := "1user234567"
            Fortinet-Access-Profile = "read-write",
            Fortinet-Vdom-Name = "TEST1",
            Fortinet-Vdom-Name += "TEST2",
            Fortinet-Group-Name = "fmg_faz_admins"
            .
            .
#
user2 Auth-Type = Local, Password := "2user345678"
            Fortinet-Access-Profile = "read-only",
            Fortinet-Vdom-Name = "TEST2",
            Fortinet-Group-Name = "fmg_faz_admins"
            .
            .

 

  2.5. Test and refer to the Troubleshooting section below in case of issues.

 

 

 

  3. Windows Server 2016.

    In NPS the VSAs are defined in the Network Policies, where the conditions can contain only a group match (not a single user).
    The test scenario can be configured in different ways, but for this demonstration 4 groups* will be used:

  • fmg_faz_RW
  • fmg_faz_RO
  • fmg_faz_TEST1
  • fmg_faz_TEST2

* There is no need to actually configure the common 'fmg_faz_admins' group in AD. It can be assigned only as a VSA in the policies matching these 4 groups.

  • user1 – Member Of - fmg_faz_RW, fmg_faz_TEST1 and fmg_faz_TEST2
  • user2 – Member Of - fmg_faz_RO and fmg_faz_TEST2

 

  3.1. Create a new RADIUS Client to allow the FortiManager/FortiAnalyzer to access the server.

  3.2. Create a 'Network Policy' to 'Grant Access' R/W to both the TEST1 and TEST2 ADOMs.

Note: The groups should be configured as separate conditions of the type 'Windows Groups' or 'User Groups'.

  3.3. Open the Policy properties -> Settings -> Vendor Specific -> Add.

  3.4. In 'Vendor' select Custom, then under 'Attributes' -> Vendor specific -> Add…

  3.5. In the 'Attribute Information' dialog box -> Add…

  3.6. In 'Specify network access server vendor', choose 'Enter Vendor Code', type '12356', and select 'Yes, it conforms' to the RADIUS RFC.

Choose Configure Attribute…

  3.7. For the 'group-match' attribute, configure:

  • Attribute number = 1 (meaning 'Fortinet-Group-Name').
  • Attribute Format = String.
  • Value = 'fmg_faz_admins' (exactly matching the group defined in step 4 of the FortiManager/FortiAnalyzer configuration).
    Select OK -> OK.

 

  3.8. Add the attributes for the admin profile and the ADOMs.

-> Add…:

  • Attribute number = 6 (meaning 'Fortinet-Access-Profile').
  • Attribute Format = String.
  • Value = 'read-write' (exactly matching the admin profile defined in step 2 of the FortiManager/FortiAnalyzer configuration).
    -> OK -> OK.

-> Add…:

  • Attribute number = 3 (meaning 'Fortinet-Vdom-Name').
  • Attribute Format = String.
  • Value = 'TEST1' (exactly matching the ADOM name).
    -> OK -> OK.

-> Add…:

  • Attribute number = 3 (meaning 'Fortinet-Vdom-Name').
  • Attribute Format = String.
  • Value = 'TEST2' (exactly matching the second ADOM name).
    -> OK -> OK.

At this point the 'Attribute Information' dialog should list all four attributes (the group name, the access profile and the two ADOM names).
-> OK -> OK, then proceed with the next policy.

 

  3.9. Create a 'Network Policy' to 'Grant Access' R/O to the TEST2 ADOM.

Note: The groups should be configured as separate conditions of the type 'Windows Groups' or 'User Groups'.

 

  3.10. Repeat steps 3.3. to 3.8. but add different attributes according to the policy purpose.

For this task, use the following attributes:

-> Add… the attribute for the group:

  • Attribute number = 1 (meaning 'Fortinet-Group-Name').
  • Attribute Format = String.
  • Value = 'fmg_faz_admins' (exactly matching the group defined in step 4 of the FortiManager/FortiAnalyzer configuration).
    -> OK -> OK.

-> Add… the next attribute for the admin profile:

  • Attribute number = 6 (meaning 'Fortinet-Access-Profile').
  • Attribute Format = String.
  • Value = 'read-only' (exactly matching the admin profile defined in step 2 of the FortiManager/FortiAnalyzer configuration).
    -> OK -> OK.

-> Add… the next attribute for the ADOM:

  • Attribute number = 3 (meaning 'Fortinet-Vdom-Name').
  • Attribute Format = String.
  • Value = 'TEST2' (exactly matching the ADOM name).
    -> OK -> OK.

At this point the 'Attribute Information' dialog should list all three attributes (the group name, the access profile and the ADOM name).
-> OK -> OK.

  3.11. Test and refer to the Troubleshooting section below in case of issues.


Troubleshooting:


The following CLI commands are used for troubleshooting admin login issues on FortiManager/FortiAnalyzer:

 

# diag debug application fnbam 255
# diag debug enable

Since version 6.4.5:

# diagnose debug application auth 8
# diagnose debug en

 

When done, don’t forget to reset and disable the debug:

 

# diag debug reset
# diag debug disable

 

Output Samples:

All OK:

 

fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'

Group mismatch:

fam_authenticate_user: User 'user3' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1338179584 for user3 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=19 len=89 user="user3" using CHAP
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1338179584
only admin belongs to group 'fmg_faz_admins' can login
fam_authenticate_user: remote authentication failed/incomplete, rc=1

 

The value under 'set radius-group-match' (or 'set ext-auth-group-match' on newer versions) does not match the Fortinet-Group-Name value sent by the RADIUS server.
The GUI returns the following error: 'Authentication failure. Please try again...'

Admin profile mismatch:

 

fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'


The RADIUS user is authenticated, but has no admin profile attribute, or it is set to a profile that does not exist on FortiManager/FortiAnalyzer.

The admin profile 'none' is applied and the GUI returns a 'No Permission' error after login (the older versions may display a blank page instead of an error).

ADOM name mismatch:

 

fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1309736960 for user1 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=18 len=89 user="user1" using CHAP
fnbamd_radius.c[243] extract_private_attrs-     adom 'TEST1' skipped: not exist
fnbamd_radius.c[243] extract_private_attrs-     adom 'TEST2' skipped: not exist
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1309736960
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'


The RADIUS user is authenticated, but has no VDOM/ADOM attribute or there is no such ADOM on FortiManager/FortiAnalyzer.
So the user is routed to the ADOM 'EMPTY' and assigned the admin profile 'read-write'.
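As an added example (not Fortinet code), the following Python triages one login attempt from the fnbamd debug output shown above: it maps the signature lines of the three failure cases to the configuration item to check, and records the profile and ADOMs that were actually applied. The sample lines it runs on are constructed from the samples above and the function names are assumptions.

```python
import re

# Signatures taken from the fnbamd debug samples on this page, mapped to the
# configuration item to check on the FortiManager/FortiAnalyzer or RADIUS side.
SIGNATURES = [
    (re.compile(r"only admin belongs to group '([^']+)' can login"),
     "group mismatch: RADIUS Fortinet-Group-Name does not contain '{0}' "
     "(check radius-group-match / ext-auth-group-match on the wildcard user)"),
    (re.compile(r"ignore invalid admin prof override: '([^']*)'"),
     "profile mismatch: Fortinet-Access-Profile '{0}' is not an admin profile "
     "(profile 'none' applied, GUI shows 'No Permission')"),
    (re.compile(r"adom '([^']+)' skipped: not exist"),
     "ADOM mismatch: Fortinet-Vdom-Name '{0}' has no ADOM of that name "
     "(user lands in the wildcard user's ADOM, e.g. 'EMPTY')"),
]
APPLIED_PROFILE = re.compile(r"apply admin prof override: '([^']+)'")
APPLIED_ADOM = re.compile(r"extract_private_attrs-\s+adom '([^']+)'$")
AUTH_FAILED = re.compile(r"remote authentication failed/incomplete, rc=(\d+)")


def triage_fnbamd(debug_lines):
    """Summarise one login attempt from 'diag debug application fnbam 255' output.
    Returns findings (list of strings), the profile applied, ADOMs accepted and the failure rc."""
    result = {"findings": [], "profile": None, "adoms": [], "rc": None}
    for raw in debug_lines:
        line = raw.rstrip()
        for pattern, message in SIGNATURES:
            for match in pattern.finditer(line):
                result["findings"].append(message.format(match.group(1)))
        if m := APPLIED_PROFILE.search(line):
            result["profile"] = m.group(1)
        if m := APPLIED_ADOM.search(line):   # an ADOM line without "skipped" was accepted
            result["adoms"].append(m.group(1))
        if m := AUTH_FAILED.search(line):
            result["rc"] = int(m.group(1))
    return result


# Constructed sample: user1 authenticates, ADOM 'TEST1' exists, 'PROD' does not.
SAMPLE = """fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_radius.c[247] extract_private_attrs-     adom 'TEST1'
fnbamd_radius.c[243] extract_private_attrs-     adom 'PROD' skipped: not exist
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'""".splitlines()
```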