Description
This article describes how to configure RADSEC between FortiAuthenticator and FortiGate. The same steps apply when another, non-Fortinet RADIUS client is used.
Related document:
Scope
FortiAuthenticator, FortiGate (7.4.0+), RADSEC.
Solution
Note: The common name (CN) of the web server certificate ('fac.forti.lab' in this example) must be resolvable to the FortiAuthenticator IP, i.e. the RADIUS server IP.
Note: The RADSEC client feature was added to FortiGate in v7.4. See: Add RADSEC client support
config user radius
    edit <name>
        set server {CN of the certificate}
        set secret {shared secret used between server and client}
        set transport-protocol {udp | tcp | tls}
    next
end
For example:
Note: To troubleshoot the RADSEC exchange, enable fnbamd debugging and then repeat the authentication attempt:
FGT_CLI# diagnose debug application fnbamd -1
FGT_CLI# diagnose debug enable
# [1738] handle_req-Rcvd auth req 57359430307841 for test01 in opt=0500000d prot=0 svc=7
[332] __compose_group_list_from_req-Group '', type 1
[507] create_auth_session-Session created for req id 57359430307841
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[347] fnbamd_rad_new-fac.fortil.lab
[140] __init_rad_setting-Preping auth servers.
[123] __rad_server_push-Inserted rad server 'fac.fortil.lab'.
[357] fnbamd_rad_new-fac.fortil.lab created
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1738] fnbamd_create_ssl_ctx-SSL CTX is created.
[282] __rad_create_ssl_ctx-SSL CTX is created for rad server fac.fortil.lab.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x39 'fac.fortil.lab'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2039 'fac.fortil.lab'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1113] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[744] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x39
[309] fnbamd_dns_parse_resp-req 0x39: 10.20.20.1
[1066] __fnbamd_rad_dns_cb-Resolved fac.fortil.lab:fac.fortil.lab to 10.20.20.1, cur stack size:-1
[1025] __auth_ctx_svr_push-Added addr 10.20.20.1:2083 from rad 'fac.fortil.lab'
[853] __fnbamd_rad_get_next_addr-Next available address of rad 'fac.fortil.lab': 10.20.20.1:2083.
[1043] __auth_ctx_start-Connection starts fac.fortil.lab:fac.fortil.lab, addr 10.20.20.1:2083 proto: TCP over TLS
[471] __rad_tcps_open-vfid 0, addr 10.20.20.1, src_ip , ssl_opt 1284
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.20.20.1:2083, source address is null, protocol number is 6, oif id is 0
[491] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[504] __rad_tcps_open-Server identity check is enabled.
[520] __rad_tcps_open-Still connecting 10.20.20.1.
[536] __rad_tcps_open-Start rad conn timer.
[868] __rad_conn_start-Socket 9 is created for rad 'fac.fortil.lab'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2039
[35] __fnbamd_dns_req_del-DNS req 0x39 (0xec567b8) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[269] fnbamd_dns_parse_resp-req 0x0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[1066] __fnbamd_rad_dns_cb-Resolved fac.fortil.lab:fac.fortil.lab to ::, cur stack size:0
[1031] __auth_ctx_svr_push-Failed to add addr fac.fortil.lab from rad 'fac.fortil.lab'
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/O=RADSECCA/OU=RADSECCA/CN=RADSECCA'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/O=Fortinet/OU=Fortinet/CN=fac.fortil.lab'
[439] __rad_tcps_connect-tcps_connect(10.20.20.1) is established.
[765] __rad_rxtx-fd 9, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[774] __rad_rxtx-
[606] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
[589] __create_access_request-Created RADIUS Access-Request. Len: 104.
[597] __rad_tcps_send-Sent 104/104.
[599] __rad_tcps_send-Sent all. Total 104.
[796] __rad_rxtx-Sent radius req to server 'fac.fortil.lab': fd=9, IP=fac.fortil.lab(10.20.20.1:2083) code=1 id=79 len=104
[805] __rad_rxtx-Start rad conn timer.
[765] __rad_rxtx-fd 9, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[808] __rad_rxtx-
[635] __rad_tcps_recv-Rcvd 20.
[641] __rad_tcps_recv-Expected 20 bytes.
[651] __rad_tcps_recv-Received all. Total 20.
[1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
[951] __rad_error-Ret 1, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1000] __rad_error-
[546] __rad_tcps_close-closed.
[887] __rad_conn_stop-Stop rad conn timer.
[1262] fnbamd_rad_process-Result from radius svr 'fac.fortil.lab' is 1, req 57359430307841
[1451] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 57359430307841, len=6708
[599] destroy_auth_session-delete session 57359430307841
[1260] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'fac.fortil.lab' ctx
[1132] fnbamd_rad_auth_ctx_uninit-
[892] __rad_stop-
[887] __rad_conn_stop-Stop rad conn timer.
[721] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing fac.fortil.lab, ref:1
[41] __rad_server_free-Freeing fac.fortil.lab, ref:2
[369] fnbamd_rad_free-Freed
[41] __rad_server_free-Freeing fac.fortil.lab, ref:1
[519] fnbamd_rad_auth_ctx_free-
[1263] fnbamd_rads_destroy-
Note: If timeouts occur, enable the timestamp display with:
diag debug console timestamp enable
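The fnbamd debug above is long and every RADSEC question (did the CN resolve, did the server identity check run, which certificate chain was verified, what did the RADIUS server answer) is buried in a different line. The script below is an added example, not part of the original article and not Fortinet tooling: it parses fnbamd debug lines of the form shown above and summarizes the RADSEC outcome, then turns that summary into the conclusions an engineer would draw. The embedded sample log is constructed from the lines on this page (with one line carrying a timestamp prefix; the 'YYYY-MM-DD HH:MM:SS ' format accepted for the output of 'diag debug console timestamp enable' is an assumption). RADIUS code names follow RFC 2865.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RADIUS packet codes (RFC 2865) as printed in "RADIUS resp code N".
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# One fnbamd debug line: optional timestamp prefix (assumed format), optional '# ' prompt echo,
# then '[source-line] function-message'.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )?(?:# )?"
    r"\[(?P<src>\d+)\] (?P<func>[A-Za-z0-9_]+)-(?P<msg>.*)$"
)
ADDR_RE = re.compile(r"Added addr (\S+) from rad")
CERT_RE = re.compile(r"Cert preverify ok\. Depth (\d+)\. Subject '([^']+)'")
LEN_RE = re.compile(r"Created RADIUS Access-Request\. Len: (\d+)\.")
CODE_RE = re.compile(r"RADIUS resp code (\d+)")


@dataclass
class RadsecSummary:
    server: Optional[str] = None                      # the 'set server' value as fnbamd sees it
    resolved: List[str] = field(default_factory=list)  # ip:port entries pushed for the server
    addr_failures: List[str] = field(default_factory=list)
    identity_check: bool = False                      # certificate checked against 'set server'
    cert_chain: List[Tuple[int, str]] = field(default_factory=list)  # (depth, subject), leaf last
    tls_established: bool = False
    request_len: Optional[int] = None
    resp_code: Optional[int] = None

    @property
    def resp_name(self) -> str:
        if self.resp_code is None:
            return "no response"
        return RADIUS_CODES.get(self.resp_code, f"code {self.resp_code}")

    def leaf_cn(self) -> Optional[str]:
        """CN of the depth-0 (server) certificate, or None if no leaf was verified."""
        for depth, subject in self.cert_chain:
            if depth == 0:
                m = re.search(r"CN=([^/]+)", subject)
                return m.group(1) if m else None
        return None


def summarize(lines) -> RadsecSummary:
    """Walk the debug lines once and record the RADSEC-relevant events."""
    s = RadsecSummary()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # CLI echoes, blank lines, output from other daemons
        func, msg = m.group("func"), m.group("msg")
        if func == "fnbamd_rad_new" and s.server is None:
            s.server = msg.split()[0]
        elif func == "__auth_ctx_svr_push":
            if msg.startswith("Added addr"):
                s.resolved.append(ADDR_RE.search(msg).group(1))
            elif msg.startswith("Failed to add addr"):
                s.addr_failures.append(msg)
        elif func == "__rad_tcps_open" and "identity check is enabled" in msg:
            s.identity_check = True
        elif func == "__verify_cb" and (c := CERT_RE.search(msg)):
            s.cert_chain.append((int(c.group(1)), c.group(2)))
        elif func == "__rad_tcps_connect" and "is established" in msg:
            s.tls_established = True
        elif func == "__create_access_request" and (n := LEN_RE.search(msg)):
            s.request_len = int(n.group(1))
        elif func == "fnbamd_rad_validate_pkt" and (r := CODE_RE.search(msg)):
            s.resp_code = int(r.group(1))
    s.cert_chain.sort(key=lambda d: -d[0])  # CA first, leaf (depth 0) last
    return s


def diagnose(s: RadsecSummary) -> List[str]:
    """Conclusions an engineer would draw from the summary."""
    findings = []
    if not s.resolved:
        findings.append(f"'{s.server}' never resolved to a usable address; check DNS for the CN.")
    elif s.addr_failures:
        findings.append("One address lookup failed but another address was usable; harmless here.")
    if not s.identity_check:
        findings.append("Server identity check is disabled; the certificate CN is not validated.")
    elif not s.tls_established:
        findings.append("TLS session never established; check the CA trust and the certificate CN.")
    cn = s.leaf_cn()
    if cn and s.server and cn != s.server:
        findings.append(f"Leaf certificate CN '{cn}' differs from configured server '{s.server}'.")
    if s.resp_code == 3:
        findings.append("Access-Reject over an established TLS session: RADSEC works, "
                        "the reject comes from the RADIUS server's authentication policy.")
    elif s.resp_code == 2:
        findings.append("Access-Accept over TLS: RADSEC and authentication both succeeded.")
    elif s.tls_established and s.resp_code is None:
        findings.append("Request sent but no RADIUS response; expect the rad conn timer to expire.")
    return findings


# Constructed sample, modelled on the debug output in this article (not a real capture).
SAMPLE_LOG = """\
FGT_CLI# diagnose debug enable
# [1738] handle_req-Rcvd auth req 57359430307841 for test01 in opt=0500000d prot=0 svc=7
[347] fnbamd_rad_new-fac.fortil.lab
[309] fnbamd_dns_parse_resp-req 0x39: 10.20.20.1
[1025] __auth_ctx_svr_push-Added addr 10.20.20.1:2083 from rad 'fac.fortil.lab'
[504] __rad_tcps_open-Server identity check is enabled.
[1031] __auth_ctx_svr_push-Failed to add addr fac.fortil.lab from rad 'fac.fortil.lab'
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/O=RADSECCA/OU=RADSECCA/CN=RADSECCA'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/O=Fortinet/OU=Fortinet/CN=fac.fortil.lab'
[439] __rad_tcps_connect-tcps_connect(10.20.20.1) is established.
[589] __create_access_request-Created RADIUS Access-Request. Len: 104.
2024-01-01 10:00:00 [1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
[1262] fnbamd_rad_process-Result from radius svr 'fac.fortil.lab' is 1, req 57359430307841
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"server={summary.server} resolved={summary.resolved} "
          f"tls={summary.tls_established} response={summary.resp_name}")
    for finding in diagnose(summary):
        print(" -", finding)
```

On the page's own output the script reports the server name 'fac.fortil.lab', the single resolved address 10.20.20.1:2083, an enabled identity check, the two-certificate chain ending in the leaf CN 'fac.fortil.lab', and an Access-Reject: the TLS side of RADSEC succeeded and the failure lies in the RADIUS server's authentication decision for 'test01'. The same parser can be fed the output of a capture file with the timestamp option enabled.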