Created on 07-18-2019 06:29 AM
Edited on 04-07-2025 06:57 AM
By Jean-Philippe_P
Description
This article explains how to authenticate SSL VPN users against RADIUS, with the users defined on FortiAuthenticator. It covers both the FortiAuthenticator configuration and the FortiGate SSL VPN configuration.
Scope
RADIUS users defined on FortiAuthenticator should be able to authenticate to the SSL VPN on the FortiGate (web portal or FortiClient tunnel), with the FortiGate acting as the RADIUS client.
Solution
Network structure.
Client (10.0.0.99) <---> (10.0.0.254) FortiGate <--> (10.0.0.1) FortiAuthenticator.
FortiGate internal interface IP: 10.0.0.254.
FortiGate external interface IP: 10.5.21.14.
FortiAuthenticator IP: 10.0.0.1.
SSL VPN client IP: 10.0.0.99.
Remote LDAP server IP (used by FortiAuthenticator as identity source): 10.0.0.100.
Expectations, Requirements.
Below is an example of a remote LDAP server configuration on the FortiAuthenticator:

Make sure to set the Filter under Identity Source to the group that is allowed to authenticate; in this example this is the 'IT' group. The filter does two things: it restricts which LDAP users the RADIUS policy accepts, and it determines the group name that FortiAuthenticator returns to the FortiGate in the Fortinet-Group-Name RADIUS attribute.
If no group is added to the filter in the RADIUS policy, that RADIUS attribute is not sent to the RADIUS client. The FortiGate's 'config match' entry (group-name "IT" in the CLI example below) then has nothing to match against, so the user is denied even though the credentials themselves were accepted.
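To make concrete what the group filter changes on the wire, the following Python is an added example for this page (not Fortinet code). It builds the PAP Access-Request the FortiGate sends, two possible Access-Accept replies from FortiAuthenticator (one carrying Fortinet-Group-Name=IT, one with no VSA at all), and then applies the checks a RADIUS client has to perform before the user lands in rad_grp: Response Authenticator, RADIUS code, and group match. The vendor ID 12356 and the Fortinet-Group-Name sub-type 1 are taken from the public Fortinet RADIUS dictionary and are assumptions here, as are the user name, password and shared secret.

```python
# Added example: model of the RADIUS PAP exchange between FortiGate and
# FortiAuthenticator. Not Fortinet code; constants below are assumptions.
import hashlib
import hmac
import os
import struct

FORTINET_VENDOR_ID = 12356            # assumed: Fortinet IANA enterprise number
FORTINET_GROUP_NAME = 1               # assumed: Fortinet-Group-Name VSA sub-type
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block).
    This is obfuscation keyed by the shared secret, not encryption: whoever
    holds (or brute-forces) the secret recovers the password from a capture."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_deobfuscate(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")  # strips padding (a password ending in NUL would be truncated)


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def fortinet_vsa(subtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26) carrying one Fortinet sub-attribute."""
    inner = struct.pack("!BB", subtype, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def build_access_request(user: str, password: str, secret: bytes, ident: int = 86):
    req_auth = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = avp(ATTR_USER_NAME, user.encode()) + avp(
        ATTR_USER_PASSWORD, pap_obfuscate(password.encode(), secret, req_auth))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def parse_attrs(blob: bytes) -> list:
    attrs, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def fortinet_groups(attrs: list) -> list:
    """Fortinet-Group-Name values: what fnbamd logs as 'FORTINET attr, type 1, val IT'."""
    groups = []
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == FORTINET_VENDOR_ID:
            groups += [sv.decode() for st, sv in parse_attrs(v[4:]) if st == FORTINET_GROUP_NAME]
    return groups


def fortigate_decision(response: bytes, req_auth: bytes, secret: bytes, allowed_groups: list) -> dict:
    """Authenticator check, then RADIUS code, then 'config match' group names.
    Result numbers follow the FNBAMD codes on this page (0 Success, 1 Deny, 5 Error)."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs_blob = response[4:20], response[20:length]
    expected = hashlib.md5(response[:4] + req_auth + attrs_blob + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return {"result": 5, "reason": "Response Authenticator mismatch: wrong shared secret or spoofed reply"}
    if code != ACCESS_ACCEPT:
        return {"result": 1, "reason": f"RADIUS resp code {code}"}
    groups = fortinet_groups(parse_attrs(attrs_blob))
    matched = [g for g in groups if g in allowed_groups]
    if not matched:
        return {"result": 1, "reason": f"Access-Accept without a matching Fortinet-Group-Name; got {groups}"}
    return {"result": 0, "reason": f"Passed group matching: {matched}"}


if __name__ == "__main__":
    secret = b"xxxxxxxxxxx"  # placeholder value, as in the CLI example
    req, req_auth = build_access_request("sslvpn1", "P@ssw0rd", secret)
    # 'IT' in the Identity Source filter: Accept + Fortinet-Group-Name=IT -> result 0
    accept_it = build_response(ACCESS_ACCEPT, 86, req_auth, secret, fortinet_vsa(FORTINET_GROUP_NAME, b"IT"))
    # no group in the filter: Accept with no VSA -> result 1 (deny)
    accept_bare = build_response(ACCESS_ACCEPT, 86, req_auth, secret, b"")
    print(fortigate_decision(accept_it, req_auth, secret, ["IT"]))
    print(fortigate_decision(accept_bare, req_auth, secret, ["IT"]))
```

The second case is the one the paragraph above warns about: the server says Access-Accept, so the credentials are fine, but without the VSA the FortiGate cannot place the user in rad_grp and the SSL VPN authentication rule rejects them. The authenticator check is also why the shared secret must match on both sides: with a wrong secret every reply is discarded, which shows up as a timeout rather than a reject.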

Note: If a mobile FortiToken is assigned to the user and push notifications are required, enable the 'Allow FortiToken Mobile push notification' option under 'All configured password and OTP factors'.

FortiGate CLI configuration example.
The CLI configuration, equivalent to the GUI configuration, should look like the listing below. The RADIUS server object keeps the default auth-type (PAP, which is what the fnbamd debug in the next section reports as 'using PAP'). The 'config match' entry under the user group is what ties FortiGate authorization to the Fortinet-Group-Name attribute returned by FortiAuthenticator: only users for whom the server returns 'IT' become members of rad_grp. For production use, replace 'Fortinet_Factory' with a server certificate issued by a CA the clients trust, and narrow dstaddr and service in the firewall policy to what VPN users actually need:

config user radius
    edit "radius"
        set server "10.0.0.1"
        set secret xxxxxxxxxxx
    next
end
config user group
    edit "rad_grp"
        set member "radius"
        config match
            edit 1
                set server-name "radius"
                set group-name "IT"
            next
        end
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 10433
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "rad_grp"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set name "vpn"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "rad_grp"
    next
end
Verification.
To verify the connection, run the following debug commands on the FortiGate CLI and then authenticate to the VPN with FortiClient (turn debugging off afterwards with 'diagnose debug disable' followed by 'diagnose debug reset'):
diagnose debug app fnbamd -1
diagnose debug enable
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in opt=00200401 prot=11
[424] __compose_group_list_from_req-Group 'rad_grp', type 1
[617] fnbamd_pop3_start-sslvpn1
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius' for usergroup 'rad_grp' (2)
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=86 len=120 user="sslvpn1" using PAP
[313] radius_server_auth-Timer of rad 'radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'rad_grp' passed group matching
[1060] find_matched_usr_grps-Add matched group 'rad_grp'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
[747] destroy_auth_session-delete session 7658205 (deleting authentication session after success)
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7
The 'Error getting radius server' and 'Error start acct type 7' lines at the end are logged after 'Sending result 0' has already been returned; they typically mean that no RADIUS accounting server is configured for 'radius' and they do not affect the authentication result. The RADIUS server can also be exercised without a VPN client using 'diagnose test authserver radius radius pap <username> <password>', which reports the same result and group membership.
The FortiClient system tray should indicate that the VPN has connected.
The SSL VPN web portal will likewise show the successful login.
Useful FNBAMD result codes ('Sending result N' in the fnbamd debug) for troubleshooting:
0: Success
1: Deny
2: Challenged via RADIUS (password renewal or token needed)
3: Timeout
4: Pending
5: Error
6: Framed IP conflict
7: Token code is required (issued directly by the FortiGate)
8: Another token is needed because the previous one is out of sync
9: Response buffer is too small
10: Authentication timed out
11: Maximum number of concurrent authentication sessions reached
12: Token code has already been used
RADIUS codes (decimal) are assigned as follows:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
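The debug output in the Verification section and the two code tables above are enough to script a first-pass triage of an fnbamd capture. The following Python is an added example written for this page (not Fortinet tooling): it extracts the request, server, RADIUS code, Fortinet-Group-Name values, matched groups and the final result from the debug lines, and turns them into hints. The first sample is copied from the debug output shown above; the second is constructed to show the failure mode from the FortiAuthenticator section, an Access-Accept that carries no group attribute.

```python
# Added example: triage of 'diagnose debug app fnbamd -1' output. Not Fortinet tooling.
import re

# Tables from this article.
FNBAMD_RESULT = {
    0: "Success", 1: "Deny", 2: "Challenged via RADIUS", 3: "Timeout", 4: "Pending",
    5: "Error", 6: "Framed IP conflict", 7: "Token code required",
    8: "Another token needed (previous out of sync)", 9: "Response buffer too small",
    10: "Authentication time out", 11: "Max concurrent auth sessions reached",
    12: "Token code already used",
}
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Patterns matched against the message text after the '[nnn] function-' prefix.
RX = {
    "req": re.compile(r"Rcvd auth req (\d+) for (\S+) in"),
    "sent": re.compile(r"Sent radius req to server '([^']+)': .*?IP=[\d.]+\(([^)]+)\) .*?user=\"([^\"]+)\" using (\w+)"),
    "resp": re.compile(r"RADIUS resp code (\d+)"),
    "vsa": re.compile(r"FORTINET attr, type 1, val (\S+)"),
    "grp": re.compile(r"Group '([^']+)' passed group matching"),
    "res": re.compile(r"Sending result (\d+) \(nid \d+\) for req (\d+)"),
    "acct": re.compile(r"fnbamd_acct_start_START-Error getting radius server"),
}

# Sample 1: the successful exchange (lines copied from the debug output on this page).
SAMPLE_SUCCESS = """\
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in opt=00200401 prot=11
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=86 len=120 user="sslvpn1" using PAP
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'rad_grp' passed group matching
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
[308] fnbamd_acct_start_START-Error getting radius server
"""
# Sample 2 (constructed, not captured): Access-Accept without the group VSA, as happens
# when no group is in the Identity Source filter; group matching fails and result is 1.
SAMPLE_NO_GROUP = """\
[1932] handle_req-Rcvd auth req 7658206 for sslvpn1 in opt=00200401 prot=11
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=87 len=120 user="sslvpn1" using PAP
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 7658206, len=2048
"""


def summarize(lines):
    """Collapse one authentication attempt's debug lines into a dict."""
    s = {"req_id": None, "user": None, "server": None, "server_addr": None,
         "auth_method": None, "radius_code": None, "vsa_groups": [],
         "matched_groups": [], "result": None, "accounting_error": False}
    for line in lines:
        if m := RX["req"].search(line):
            s["req_id"], s["user"] = m.group(1), m.group(2)
        elif m := RX["sent"].search(line):
            s["server"], s["server_addr"], s["user"], s["auth_method"] = m.groups()
        elif m := RX["resp"].search(line):
            s["radius_code"] = int(m.group(1))
        elif m := RX["vsa"].search(line):
            s["vsa_groups"].append(m.group(1))
        elif m := RX["grp"].search(line):
            s["matched_groups"].append(m.group(1))
        elif m := RX["res"].search(line):
            s["result"] = int(m.group(1))
        elif RX["acct"].search(line):
            s["accounting_error"] = True
    s["radius_code_name"] = RADIUS_CODE.get(s["radius_code"], "unknown")
    s["result_name"] = FNBAMD_RESULT.get(s["result"], "unknown")
    return s


def triage(s):
    """Map the summary to the usual causes; wording reflects this article's guidance."""
    hints = []
    if s["result"] == 0:
        hints.append(f"OK: {s['user']} accepted by {s['server']} ({s['auth_method']}), groups {s['matched_groups']}")
    if s["radius_code"] == 2 and not s["vsa_groups"]:
        hints.append("Access-Accept carried no Fortinet-Group-Name: add the group to the Identity Source "
                     "filter of the RADIUS policy on FortiAuthenticator; 'config match' cannot match without it")
    if s["radius_code"] == 3:
        hints.append("Access-Reject: check credentials, account state and the RADIUS policy "
                     "on FortiAuthenticator (https://FAC_IP/debug/radius/)")
    if s["radius_code"] == 11:
        hints.append("Access-Challenge: a second factor (FortiToken) is being requested from the client")
    if s["result"] == 3 or (s["radius_code"] is None and s["result"] is not None):
        hints.append("No RADIUS reply: check reachability on UDP/1812, that the FortiGate is a "
                     "RADIUS client on FortiAuthenticator, and that the shared secret matches")
    if s["accounting_error"]:
        hints.append("Accounting start failed: harmless unless RADIUS accounting is configured; "
                     "it is logged after the auth result has been sent")
    return hints


if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_NO_GROUP):
        summary = summarize(sample.splitlines())
        print(summary["req_id"], summary["result_name"], summary["radius_code_name"], *triage(summary), sep="\n  ")
```

Feed it a whole fnbamd capture one request at a time (split on 'Rcvd auth req'); the result number and the RADIUS code together locate the problem far faster than reading the raw lines, in particular the 'accepted but no group' case, which looks like a plain Deny at the FortiClient.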
The following MS-CHAPv2 error codes (the standard MS-CHAP values from RFC 2759) can also be seen on the FortiAuthenticator side, under https://FAC_IP/debug/radius/. They only appear when the RADIUS client authenticates with MS-CHAPv2; the example above uses PAP:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD