FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ssteo
Staff
Article Id 357319
Description This article describes how to configure FortiAuthenticator as a RADIUS server for a Linux Ubuntu host (the RADIUS client), using FortiToken Mobile as the second authentication factor.
Scope FortiAuthenticator, Linux Ubuntu.
Solution

Linux Ubuntu configuration.

  1. Install the libpam-radius-auth package:

sudo apt-get install libpam-radius-auth

  2. Configure RADIUS in Ubuntu by adding the FortiAuthenticator IP address and shared secret:

sudo nano /etc/pam_radius_auth.conf

radius1.png

  3. Modify the SSH daemon's PAM configuration by adding the line highlighted in yellow in the screenshot. This inserts RADIUS authentication into the SSH login PAM stack:

sudo nano /etc/pam.d/sshd

radius2.png

  4. Modify sshd_config by adding the settings highlighted in yellow in the screenshot. This allows two-factor authentication for SSH:

sudo nano /etc/ssh/sshd_config

radius3.png

Screenshot 2024-12-06 000955.png

Note: the keyboard-interactive authentication protocol in SSHv2 is effectively the replacement for the challenge-response protocol in SSHv1.

  5. Restart the SSHD service:

systemctl restart sshd

  6. Add a local user with the same username as the one configured in FortiAuthenticator:

sudo useradd fac_teo

  7. Run 'tail -f /var/log/auth.log' to troubleshoot RADIUS authentication issues on Ubuntu.
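As an added example (not part of this article), the following shell script checks the Ubuntu side of the setup above: that /etc/pam.d/sshd loads pam_radius_auth.so, that sshd_config enables PAM and keyboard-interactive prompts, and that the file holding the RADIUS shared secret is readable only by root. The directive names are assumed from the libpam-radius-auth and OpenSSH documentation, since the screenshots do not show them as text; the sample files are constructed inline so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the Fortinet article: sanity checks for the Ubuntu side.
# Assumed directive names (from libpam-radius-auth / OpenSSH docs, not shown as text
# in the screenshots): pam_radius_auth.so in /etc/pam.d/sshd; UsePAM and
# KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication) in sshd_config.

# 0 if the sshd PAM stack has an uncommented auth line loading pam_radius_auth.so
pam_has_radius() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_radius_auth\.so' "$1"
}

# 0 if sshd accepts PAM and keyboard-interactive prompts (needed for the OTP prompt)
sshd_allows_kbdint() {
  grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1" &&
    grep -Eiq '^[[:space:]]*(KbdInteractiveAuthentication|ChallengeResponseAuthentication)[[:space:]]+yes' "$1"
}

# 0 if the file holding the RADIUS shared secret is mode 0600 (readable by root only)
secret_file_locked_down() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Create constructed sample files in a temp dir (IP and secret are placeholders) and
# print its path; in real use point the checks at the live files instead.
make_sample_dir() {
  local d
  d=$(mktemp -d)
  printf 'auth sufficient pam_radius_auth.so\n@include common-auth\n' > "$d/sshd.pam"
  printf '# no RADIUS line here\n@include common-auth\n' > "$d/sshd_plain.pam"
  printf 'UsePAM yes\nKbdInteractiveAuthentication yes\n' > "$d/sshd_config"
  printf 'UsePAM yes\n#KbdInteractiveAuthentication yes\n' > "$d/sshd_config_off"
  printf '192.0.2.10 CONSTRUCTED_SECRET 3\n' > "$d/pam_radius_auth.conf"  # server secret timeout
  chmod 600 "$d/pam_radius_auth.conf"
  echo "$d"
}

# Run all three checks against a directory laid out like make_sample_dir; 0 if all pass
check_dir() {
  pam_has_radius "$1/sshd.pam" &&
    sshd_allows_kbdint "$1/sshd_config" &&
    secret_file_locked_down "$1/pam_radius_auth.conf"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_dir)
  check_dir "$d" && echo "all checks passed"
  rm -rf "$d"
fi
```

Run with --demo to exercise the checks against the constructed files; a failing check exits non-zero, which makes the script usable from a configuration audit job.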

 

FortiAuthenticator configuration.

  1. Enable RADIUS under System -> Network -> Interfaces.

radius7.png

  2. Configure the RADIUS client under Authentication -> RADIUS Service -> Clients.

radius4.png

  3. Configure RADIUS policies under Authentication -> RADIUS Service -> Policies.

radius5.png

Select 'Next' until the end and select 'Save and exit'.

  4. Configure a local user account with the same username as the one created in Ubuntu. Enable One-Time Password (OTP) authentication by selecting FortiToken.

radius6.png

 

Test result:

Log in with the username and password; SSH then prompts for the FortiToken code.

radius8.png

Verify the log from FortiAuthenticator under Logging -> Logs.

radius9.png

 

Note:

To help with troubleshooting, additional logs can be gathered from the FortiAuthenticator Debug page. Navigate to https://<FortiAuthenticator-IP-or-FQDN>/debug, then select RADIUS -> Authentication. Make sure to enable debug mode or detailed debug mode to capture the necessary details.

KB-Edit-2.png

For more debug information, check the documentation: Debug Logs FortiAuthenticator.

Additionally, a packet capture can provide valuable insights into the RADIUS messages exchanged with the client. This capture can be performed through the CLI with the following command:

execute tcpdump -nnvvi any port 1812