Created on 07-18-2019 06:29 AM Edited on 01-30-2024 02:31 AM By Kate_M
Description
This article explains how to authenticate SSLVPN users against RADIUS users defined on FortiAuthenticator. It covers the FortiAuthenticator configuration and the FortiGate SSLVPN configuration.
Scope
RADIUS users must authenticate from the SSLVPN client through the FortiGate, which forwards the authentication request to FortiAuthenticator.
Solution
Network structure
Client (10.0.0.99) <---> (10.0.0.254) FortiGate <--> (10.0.0.1) FortiAuthenticator.
FortiGate Internal interface IP: 10.0.0.254
FortiGate External interface IP: 10.5.21.14
FortiAuthenticator IP: 10.0.0.1
SSLVPN Client IP: 10.0.0.99
LDAP IP address: 10.0.0.100
Expectations, Requirements
On the FortiAuthenticator, the remote LDAP server (10.0.0.100) is added as the user source, and the FortiGate (10.0.0.254) is added as a RADIUS client using the same shared secret that is configured on the FortiGate below.
FortiGate CLI configuration example
The CLI configuration, similar to the GUI configuration, should look like this:
# config user radius
    edit "radius"
        set server "10.0.0.1"
        set secret xxxxxxxxxxx
    next
end
# config user group
    edit "rad_grp"
        set member "radius"
        config match
            edit 1
                set server-name "radius"
                set group-name "IT"
            next
        end
    next
end
# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 10433
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "rad_grp"
            set portal "full-access"
        next
    end
end
# config firewall policy
    edit 1
        set name "vpn"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "rad_grp"
    next
end
Two points in this configuration decide who gets in. The config match entry under rad_grp means that an Access-Accept from FortiAuthenticator is not enough on its own: the reply must also carry the Fortinet-Group-Name attribute with the value IT (the debug output below shows it as 'FORTINET attr, type 1, val IT'), so only users that FortiAuthenticator places in that group reach the full-access portal. Without a match entry, every user the RADIUS server accepts is treated as a member of rad_grp. The Fortinet_Factory certificate is a built-in certificate that client systems do not trust by default, so clients cannot verify that they are talking to the right gateway; replace it with a certificate issued for the VPN hostname before exposing port 10433 on port1 to the Internet.
Verification
To verify the authentication flow, run the following debug commands on the FortiGate CLI, then authenticate to the VPN with FortiClient and read the output (turn debugging off again once the test is finished).
# diag debug app fnbamd -1
# diag debug enable
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in opt=00200401 prot=11
[424] __compose_group_list_from_req-Group 'rad_grp', type 1
[617] fnbamd_pop3_start-sslvpn1
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius' for usergroup 'rad_grp' (2)
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=86 len=120 user="sslvpn1" using PAP
[313] radius_server_auth-Timer of rad 'radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'rad_grp' passed group matching
[1060] find_matched_usr_grps-Add matched group 'rad_grp'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
[747] destroy_auth_session-delete session 7658205 (deleting authentication session after success)
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7
The 'Sending result 0' line is the success code for the request. The accounting errors that follow it ('Error getting radius server', 'Error start acct type 7') are logged after the authentication result has already been delivered and indicate that no RADIUS accounting server is configured for this server entry, so they do not affect the login. The FortiClient system tray should indicate that the VPN has connected, and a login through the SSLVPN web portal succeeds in the same way.
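To make the wire exchange behind the configuration and the debug output concrete, the following Python script is an added example written for this article, not Fortinet code. It builds the PAP Access-Request that fnbamd sends (code 1, with User-Name and a User-Password hidden as RFC 2865 describes), lets a minimal stand-in for FortiAuthenticator answer with an Access-Accept (code 2) carrying the Fortinet-Group-Name vendor attribute (vendor ID 12356, sub-type 1, the 'FORTINET attr, type 1, val IT' line), and then applies the two checks the FortiGate applies: the Response Authenticator must verify under the shared secret, and the returned group must match the group-name in the config match entry. The user database, passwords and shared secret are constructed for the example; the result codes it returns (0, 1, 5) are the fnbamd codes listed below.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865): the "code=1" / "resp code 2" values in the fnbamd debug
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
FORTINET_VENDOR_ID = 12356  # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1     # vendor sub-type of Fortinet-Group-Name ("FORTINET attr, type 1")
# Constructed for this example: the FortiAuthenticator user store and the shared secret
USER_DB = {b"sslvpn1": (b"Correct-Horse-42", ["IT"]), b"sales1": (b"Battery-Staple-7", ["Sales"])}
SHARED_SECRET = b"example-shared-secret"


def pap_transform(data, secret, request_auth, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), where the
    first 'previous block' is the Request Authenticator and later ones are ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hide else data[i:i + 16]
    return out

def pap_hide(password, secret, request_auth):
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return pap_transform(padded, secret, request_auth, hide=True)

def pap_reveal(hidden, secret, request_auth):
    return pap_transform(hidden, secret, request_auth, hide=False).rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def fortinet_vsa(subtype, value):
    # Vendor-Specific (26): Vendor-Id, then vendor sub-type, sub-length, value
    inner = struct.pack("!IBB", FORTINET_VENDOR_ID, subtype, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, inner)

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        atype, alen = pkt[i], pkt[i + 1]
        attrs.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return code, ident, pkt[4:20], attrs

def fortinet_groups(attrs):
    """Every Fortinet-Group-Name value carried in the reply."""
    groups = []
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            j = 4
            while j < len(value):
                subtype, sublen = value[j], value[j + 1]
                if subtype == FORTINET_GROUP_NAME:
                    groups.append(value[j + 2:j + sublen].decode())
                j += sublen
    return groups

def build_access_request(ident, user, password, secret):
    """FortiGate side: code 1 with User-Name and a PAP-hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, pap_hide(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_reply(request, secret):
    """FortiAuthenticator stand-in: check the password, answer Accept with the user's groups as
    Fortinet-Group-Name VSAs (or Reject), signed with MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, req_auth, attrs = parse(request)
    fields = dict(attrs)
    given = pap_reveal(fields.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    stored = USER_DB.get(fields.get(ATTR_USER_NAME, b""))
    if stored and hmac.compare_digest(given, stored[0]):
        code, resp_attrs = ACCESS_ACCEPT, b"".join(fortinet_vsa(FORTINET_GROUP_NAME, g.encode()) for g in stored[1])
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs

def fortigate_evaluate(response, req_auth, secret, required_group):
    """fnbamd side, returning (fnbamd result code, reason): 5 Error if the Response Authenticator
    fails, 1 Deny on Access-Reject or a missing 'config match' group-name, 0 Success otherwise."""
    code, _, resp_auth, attrs = parse(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return 5, "Response Authenticator mismatch: wrong shared secret or forged reply"
    if code != ACCESS_ACCEPT:
        return 1, "Access-Reject from server"
    groups = fortinet_groups(attrs)
    if required_group in groups:
        return 0, f"Access-Accept, Fortinet-Group-Name {groups} matched '{required_group}'"
    return 1, f"Access-Accept, but Fortinet-Group-Name {groups} does not contain '{required_group}'"

def demo(user=b"sslvpn1", password=b"Correct-Horse-42", required_group="IT", server_secret=SHARED_SECRET):
    """One complete exchange; server_secret lets you simulate a mismatched shared secret."""
    request, req_auth = build_access_request(86, user, password, SHARED_SECRET)
    return fortigate_evaluate(server_reply(request, server_secret), req_auth, SHARED_SECRET, required_group)
```

Running demo() with the defaults returns result 0; a wrong password or a user whose groups do not include IT returns 1, and a shared secret that differs between the two ends returns 5 because the Response Authenticator no longer verifies. The 'using PAP' line in the debug is worth noticing: PAP hides the password only with MD5 keyed by the shared secret, so the secret should be long and random and the RADIUS traffic between FortiGate and FortiAuthenticator should stay on a trusted network.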
Useful FNBAMD result codes in the fnbamd debug for troubleshooting:
0: Success
1: Deny
2: Challenged via RADIUS (password renewal or token is needed)
3: Timeout
4: Pending
5: Error
6: Framed IP Conflict
7: Token code is required (directly from FGT)
8: Another token is needed because the previous one was out of sync
9: Response Buffer is too small
10: Authentication time out
11: Max Concurrent authentication sessions are reached
12: Token code is already used.
RADIUS codes (decimal) are assigned as follows:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
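When reading a longer fnbamd capture it helps to pull the few lines that decide the outcome out of the noise. The script below is an added example for this article, not a Fortinet tool: it correlates the request, the scheme used ('using PAP'), the RADIUS reply code, the Fortinet-Group-Name values, the FortiGate groups that passed matching and the final result code, names the codes with the two tables above, and turns them into the next troubleshooting step. The successful-login lines are copied from the debug output above; the rejected-login lines are constructed by analogy with them and are not captured output.

```python
import re

# Result and RADIUS codes from the two tables above, used to name what the debug prints
FNBAMD_RESULT = {0: "Success", 1: "Deny", 2: "Challenged via RADIUS", 3: "Timeout", 4: "Pending",
                 5: "Error", 6: "Framed IP Conflict", 7: "Token code is required",
                 8: "Token out of sync", 9: "Response buffer too small", 10: "Authentication time out",
                 11: "Max concurrent authentication sessions reached", 12: "Token code already used"}
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

PATTERNS = {
    "request": re.compile(r"Rcvd auth req (\d+) for (\S+)"),
    "sent": re.compile(r"""Sent radius req to server '([^']+)'.*code=(\d+).*user="([^"]+)" using (\w+)"""),
    "response": re.compile(r"RADIUS resp code (\d+)"),
    "vsa": re.compile(r"FORTINET attr, type (\d+), val (\S+)"),
    "matched": re.compile(r"Group '([^']+)' passed group matching"),
    "result": re.compile(r"Sending result (\d+) .*for req (\d+)"),
    "acct_error": re.compile(r"Error creating acct session"),
}

# Copied from the successful-login debug output in this article
SAMPLE_ACCEPT = """\
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in opt=00200401 prot=11
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius' for usergroup 'rad_grp' (2)
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=86 len=120 user="sslvpn1" using PAP
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'rad_grp' passed group matching
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
[308] fnbamd_acct_start_START-Error getting radius server
[2460] handle_req-Error creating acct session 7
""".splitlines()

# Constructed by analogy with the lines above (not captured output): a rejected login
SAMPLE_REJECT = """\
[1932] handle_req-Rcvd auth req 7658206 for baduser in opt=00200401 prot=11
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=87 len=120 user="baduser" using PAP
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 7658206, len=2048
""".splitlines()


def triage_fnbamd(lines):
    """Correlate one authentication attempt's fnbamd lines into a summary dict with a verdict."""
    info = {"req_id": None, "user": None, "server": None, "scheme": None, "radius_code": None,
            "vsas": [], "matched_groups": [], "result": None, "acct_error": False}
    for line in lines:
        if m := PATTERNS["request"].search(line):
            info["req_id"], info["user"] = int(m.group(1)), m.group(2)
        elif m := PATTERNS["sent"].search(line):
            info["server"], info["scheme"] = m.group(1), m.group(4)
        elif m := PATTERNS["response"].search(line):
            info["radius_code"] = int(m.group(1))
        elif m := PATTERNS["vsa"].search(line):
            info["vsas"].append((int(m.group(1)), m.group(2)))
        elif m := PATTERNS["matched"].search(line):
            info["matched_groups"].append(m.group(1))
        elif m := PATTERNS["result"].search(line):
            info["result"] = int(m.group(1))
        elif PATTERNS["acct_error"].search(line):
            info["acct_error"] = True
    info["radius_code_name"] = RADIUS_CODE.get(info["radius_code"], "no reply seen")
    info["result_name"] = FNBAMD_RESULT.get(info["result"], "no result seen")
    info["verdict"] = verdict(info)
    return info


def verdict(info):
    """Turn the correlated fields into the next troubleshooting step."""
    rc, res = info["radius_code"], info["result"]
    if res == 0:
        return "login accepted; matched FortiGate groups %s" % info["matched_groups"]
    if rc == 2:
        return ("server accepted the user but no 'config match' entry matched: compare group-name "
                "with the Fortinet-Group-Name values returned %s" % [v for t, v in info["vsas"] if t == 1])
    if rc == 3:
        return "server rejected the user: check the error for this user on the FortiAuthenticator RADIUS debug page"
    if rc == 11:
        return "server sent Access-Challenge: a token code or password change is required"
    if rc is None:
        return ("no RADIUS reply: check UDP/1812 reachability and that the FortiGate address is defined as a "
                "RADIUS client on the FortiAuthenticator (requests from unknown clients are silently discarded)")
    return "result %s (%s) with RADIUS %s" % (res, info["result_name"], info["radius_code_name"])
```

Feed it the lines between 'Rcvd auth req' and 'Sending result' for one request; the accounting errors after the result are reported separately as acct_error so they are not mistaken for an authentication failure.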
Common MS-CHAPv2 error codes that can appear on the FortiAuthenticator side, in the RADIUS debug log at https://FAC_IP/debug/radius/, are:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD