FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara
Staff
Article Id 322693
Description

This article describes how to configure RADSEC between FortiAuthenticator and FortiGate. The same steps apply when a non-Fortinet RADIUS client is used.

Related document:

Add RADSEC client support

  1. A RADSEC Web server certificate should be created on FortiAuthenticator, or imported if it is a public certificate signed by another Authority.
  2. The Root CA certificate that issued the RADSEC certificate should be created on FortiAuthenticator (if FortiAuthenticator is used as the CA) or imported into the Trusted Root CA store of FortiAuthenticator if a public CA is used.
  3. The RADSEC Web server certificate should be assigned in the RADSEC service settings of FortiAuthenticator, and the RADSEC service should be enabled on the interface.
  4. The Root CA certificate (issuer of the RADSEC Web server certificate) should be imported on FortiGate (the RADSEC client) as a Remote CA certificate.
  5. Configure the RADSEC client.
Scope

FortiAuthenticator, FortiGate (7.4.0+), RADSEC.

Solution
  1. Configurations to be done on FortiAuthenticator.
  • Create a Root CA certificate, which will be the issuer of the RADSEC Web server certificate:

 

A1.png

 
  • Create a RADSEC Web Server Certificate and make sure it is issued by the CA certificate created above.

 

A2.jpg

 

Note:

It is important that the common name (CN) used on the Web Server certificate ('fac.forti.lab' in this example) resolves to the FortiAuthenticator IP, that is, the RADIUS server IP.

 

  • Configure the RADIUS client on FortiAuthenticator: enter a name for the client, its IP address, and a secret (pre-shared key, PSK):

 

A3.png

 
  • Assign the RADSEC Web Server Certificate in the RADIUS Service configuration:

 

A4.jpg

 
  • Enable the RADSEC Service on the respective network interface of FortiAuthenticator.

 

A5.jpg

 

  2. Configurations to be done on FortiGate.
  • Import the RADSEC ROOT_CA certificate into the trusted Root CA store of FortiGate. This is required for FortiGate, as the RADSEC client, to trust the RADSEC Web server certificate, exactly as in any other TLS server verification.

 

b1.png

 
  • Configure RADIUS-Client:

Note:

The RADSEC client feature was added to FortiGate in v7.4: Add RADSEC client support

 

config user radius
    edit <name>
        set server {CN of the RADSEC Web server certificate}
        set secret {secret shared between server and client}
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
        set server-identity-check {enable | disable}
    next
end

 

For example:

 

B2.jpg

 

Note:

  • The server entry must be the CN shown on the RADSEC Web server certificate.
  • FortiGate must be able to resolve that server name/FQDN to the IP of the RADIUS server.
  • Check the RADSEC status from the GUI:
 

B4.jpg

 

  • For more detail, enable the fnbamd debug to follow the RADIUS authentication triggered by client traffic that requests access to external networks through a firewall policy requiring user authentication. The RADSEC (TLS) session must be established BEFORE the actual authentication happens:

 

FGT_CLI# diagnose debug application fnbamd -1
FGT_CLI# diagnose debug enable

Debug output:

 

# [1738] handle_req-Rcvd auth req 57359430307841 for test01 in  opt=0500000d prot=0 svc=7
[332] __compose_group_list_from_req-Group '', type 1
[507] create_auth_session-Session created for req id 57359430307841
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[347] fnbamd_rad_new-fac.fortil.lab
[140] __init_rad_setting-Preping auth servers.
[123] __rad_server_push-Inserted rad server 'fac.fortil.lab'.
[357] fnbamd_rad_new-fac.fortil.lab created
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1738] fnbamd_create_ssl_ctx-SSL CTX is created.
[282] __rad_create_ssl_ctx-SSL CTX is created for rad server fac.fortil.lab.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x39 'fac.fortil.lab'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2039 'fac.fortil.lab'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1113] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[744] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x39
[309] fnbamd_dns_parse_resp-req 0x39: 10.20.20.1
[1066] __fnbamd_rad_dns_cb-Resolved fac.fortil.lab:fac.fortil.lab to 10.20.20.1, cur stack size:-1
[1025] __auth_ctx_svr_push-Added addr 10.20.20.1:2083 from rad 'fac.fortil.lab'
[853] __fnbamd_rad_get_next_addr-Next available address of rad 'fac.fortil.lab': 10.20.20.1:2083.
[1043] __auth_ctx_start-Connection starts fac.fortil.lab:fac.fortil.lab, addr 10.20.20.1:2083 proto: TCP over TLS
[471] __rad_tcps_open-vfid 0, addr 10.20.20.1, src_ip , ssl_opt 1284
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.20.20.1:2083, source address is null, protocol number is 6, oif id is 0
[491] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[504] __rad_tcps_open-Server identity check is enabled.
[520] __rad_tcps_open-Still connecting 10.20.20.1.
[536] __rad_tcps_open-Start rad conn timer.
[868] __rad_conn_start-Socket 9 is created for rad 'fac.fortil.lab'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2039
[35] __fnbamd_dns_req_del-DNS req 0x39 (0xec567b8) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[269] fnbamd_dns_parse_resp-req 0x0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[1066] __fnbamd_rad_dns_cb-Resolved fac.fortil.lab:fac.fortil.lab to ::, cur stack size:0
[1031] __auth_ctx_svr_push-Failed to add addr fac.fortil.lab from rad 'fac.fortil.lab'
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/O=RADSECCA/OU=RADSECCA/CN=RADSECCA'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/O=Fortinet/OU=Fortinet/CN=fac.fortil.lab'
[439] __rad_tcps_connect-tcps_connect(10.20.20.1) is established.
[765] __rad_rxtx-fd 9, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[774] __rad_rxtx-
[606] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
[589] __create_access_request-Created RADIUS Access-Request. Len: 104.
[597] __rad_tcps_send-Sent 104/104.
[599] __rad_tcps_send-Sent all. Total 104.
[796] __rad_rxtx-Sent radius req to server 'fac.fortil.lab': fd=9, IP=fac.fortil.lab(10.20.20.1:2083) code=1 id=79 len=104
[805] __rad_rxtx-Start rad conn timer.
[765] __rad_rxtx-fd 9, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[808] __rad_rxtx-
[635] __rad_tcps_recv-Rcvd 20.
[641] __rad_tcps_recv-Expected 20 bytes.
[651] __rad_tcps_recv-Received all. Total 20.
[1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
[951] __rad_error-Ret 1, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1000] __rad_error-
[546] __rad_tcps_close-closed.
[887] __rad_conn_stop-Stop rad conn timer.
[1262] fnbamd_rad_process-Result from radius svr 'fac.fortil.lab' is 1, req 57359430307841
[1451] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 57359430307841, len=6708
[599] destroy_auth_session-delete session 57359430307841
[1260] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'fac.fortil.lab' ctx
[1132] fnbamd_rad_auth_ctx_uninit-
[892] __rad_stop-
[887] __rad_conn_stop-Stop rad conn timer.
[721] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing fac.fortil.lab, ref:1
[41] __rad_server_free-Freeing fac.fortil.lab, ref:2
[369] fnbamd_rad_free-Freed
[41] __rad_server_free-Freeing fac.fortil.lab, ref:1
[519] fnbamd_rad_auth_ctx_free-
[1263] fnbamd_rads_destroy-
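The following Python script is an added illustration; it is not part of this article and not Fortinet code. It shows, from the client side, what the `config user radius` settings above control and what the fnbamd output records: a TLS context that maps `ca-cert`, `server-identity-check` and `tls-min-proto-version` onto their TLS meaning (an assumed mapping), a RADIUS Access-Request with RFC 2865 PAP password hiding, the Length-based framing a RADIUS-over-TCP/TLS receiver needs (the "Rcvd 20. Expected 20 bytes." lines), and validation of the Response Authenticator before the reply code is trusted (code 3 is Access-Reject per RFC 2865). The hostnames, shared secret and addresses are constructed sample values; `radsec_authenticate` performs the live exchange and is only meant to be run against a lab server.

```python
"""RADSEC (RADIUS over TLS, RFC 6614) client building blocks, added to illustrate
the FortiGate settings and the fnbamd output above. Every hostname, secret and
address used here is a constructed sample value, not a real deployment."""
import hashlib
import io
import os
import socket
import ssl
import struct

RADSEC_PORT = 2083   # RFC 6614 default; the debug above shows 10.20.20.1:2083
HEADER_LEN = 20      # Code(1) Identifier(1) Length(2) Authenticator(16)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# FortiOS tls-min-proto-version values mapped onto ssl.TLSVersion (assumed mapping)
TLS_MIN = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1-1": ssl.TLSVersion.TLSv1_1,
           "TLSv1-2": ssl.TLSVersion.TLSv1_2}

def make_radsec_context(ca_cert=None, server_identity_check=True, tls_min="TLSv1-2"):
    """Mirror 'set ca-cert', 'set server-identity-check', 'set tls-min-proto-version'."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ca_cert:
        ctx.load_verify_locations(cafile=ca_cert)   # the imported Root CA
    ctx.verify_mode = ssl.CERT_REQUIRED             # chain must end at a trusted CA
    # With the identity check disabled the chain is still validated, but any
    # certificate issued by that CA could stand in for the RADIUS server.
    ctx.check_hostname = server_identity_check
    ctx.minimum_version = TLS_MIN[tls_min]
    return ctx

def _attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def pap_password(password, secret, authenticator):
    """RFC 2865 section 5.2 hiding: each 16-byte block is XORed with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    pw = password.encode()
    if not pw or len(pw) % 16:                      # pad to a 16-byte multiple, min 16
        pw += b"\x00" * (16 - len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request (code 1) carrying User-Name, User-Password and NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(1, username.encode())
             + _attr(2, pap_password(password, secret, authenticator))
             + _attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, HEADER_LEN + len(attrs)) + authenticator + attrs

def read_radius_packet(recv):
    """Read exactly one RADIUS packet from a byte stream. TCP/TLS has no datagram
    boundaries, so the header's Length field is the only framing."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the stream mid-packet")
            buf += chunk
        return buf
    header = read_exact(4)
    length = struct.unpack("!BBH", header)[2]
    if not HEADER_LEN <= length <= 4096:            # RFC 2865 length bounds
        raise ValueError(f"invalid RADIUS length {length}")
    return header + read_exact(length - 4)

def build_response(code, request, secret, attrs=b""):
    """Server-side reply; used here only to construct a sample Access-Reject."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def validate_response(packet, request, secret):
    """Return (code name, authentic): the Identifier must match and the Response
    Authenticator must equal MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:length] + secret).digest()
    return CODES.get(code, f"code {code}"), ident == request[1] and packet[4:20] == expected

def radsec_authenticate(server, secret, username, password, nas_ip, ca_cert, ident=1):
    """Live exchange: TLS to server:2083, one Access-Request, one reply. The
    server_hostname must be the certificate CN/FQDN, as the notes above require."""
    ctx = make_radsec_context(ca_cert)
    with socket.create_connection((server, RADSEC_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        req = build_access_request(ident, username, password, secret, nas_ip)
        tls.sendall(req)
        reply = read_radius_packet(tls.recv)
    return validate_response(reply, req, secret)

def demo():
    """Offline walk-through with constructed values; returns the two verdicts."""
    secret = b"constructed-psk"
    req = build_access_request(79, "test01", "Passw0rd!", secret, "10.20.20.2",
                               authenticator=bytes(range(16)))
    reject = build_response(3, req, secret)                   # genuine reply
    stream = io.BytesIO(reject)                                # delivered 7 bytes at a time
    genuine = validate_response(read_radius_packet(lambda n: stream.read(min(n, 7))), req, secret)
    forged = validate_response(reject[:4] + bytes(16) + reject[20:], req, secret)
    return genuine, forged

if __name__ == "__main__":
    print(demo())   # (('Access-Reject', True), ('Access-Reject', False))
```

Running the script offline walks the reply through the framing loop in small pieces and reports the reject as authentic, then shows that a reply whose Response Authenticator does not match the shared secret is refused even though its code and Identifier look right. With `server_identity_check=False` the context still requires a chain to the imported CA but no longer ties the certificate to the configured server name, which is the weaker of the two `server-identity-check` settings.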

 

Note:

If timeouts occur, enable the timestamp display with:

 

diag debug console timestamp enable