FortiAuthenticator
matanaskovic
Staff
Article Id 192308
Description This article describes how to create an admin profile and have the RADIUS server select the appropriate profile for a RADIUS user.
Scope FortiGate, FortiAuthenticator.
Solution
  1. Configure the FortiGate with the RADIUS server.

Go to User & Device -> Authentication -> RADIUS Servers and configure:

Name: FGT-Radius
Primary Server IP/Name: 10.10.10.10
Primary Server Secret: radius_secret

Or run the equivalent in the CLI:

config user radius
    edit "FGT-Radius"
        set server 10.10.10.10
        set secret radius_secret
    next
end

Note: A source IP address for the FortiGate to use when contacting the RADIUS server can optionally be set with the following commands:

config user radius
    edit "FGT-Radius"
        set source-ip 192.168.1.99
    next
end

  2. Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

    Verify that the RADIUS server is configured to send the appropriate VSAs. To return both the group membership and the access profile, VSA 1 (Fortinet-Group-Name) and VSA 6 (Fortinet-Access-Profile) must be set:

    VENDOR fortinet 12356
    ATTRIBUTE Fortinet-Group-Name       1   string
    ATTRIBUTE Fortinet-Access-Profile   6   string

    In this example:

    Attribute 1 is set to Firewall_Admins.
    Attribute 6 is set to Radius_User_Access.

    A list of all Fortinet VSAs is available in the related articles below.

  3. Create a user group on FortiGate.

    Go to User & Device -> User -> User Groups and create a firewall user group.

    Create a new remote server entry and add the RADIUS server.

    In the Groups field, enter the string that was configured as Attribute 1 on the RADIUS server. In this example, the string is 'Firewall_Admins'.

    Name: Radius_group
    Remote group:
    Remote Server: FGT-Radius
    Groups: Firewall_Admins

  4. Create two admin profiles.

    Go to System -> Admin -> Admin Profiles and create two profiles.

    First profile:

    Profile Name: no_access
    Access Control: None

    Second profile:

    Profile Name: Radius_User_Access (the profile name must match the value sent in VSA 6).
    Access Control: Specify the desired permissions.

  5. Create an admin user.

    • Go to System -> Admin -> Administrators.
    • Create a new administrator with the type Remote.
    • Select the user group created above (Radius_group).
    • Select the Wildcard option.
    • Select the no_access profile.

    Then, in the CLI, run the following so that the profile returned by the RADIUS server overrides the no_access profile assigned to the administrator:

    config system admin
        edit "Radius_Admins"
            set accprofile-override enable
        next
    end

  6. Log into FortiGate using the new RADIUS user.

  7. Troubleshooting if it does not work as expected.

    If the expected permissions are not applied, run the following commands in the CLI:

    diag debug app fnbamd -1
    diag debug app radius -1
    diag debug enable
    diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>


    A successful output appears as follows:

    [1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
    [424] __compose_group_list_from_req-Group 'Radius_group', type 1
    [617] fnbamd_pop3_start-radius_admins
    [336] fnbamd_create_radius_socket-Opened radius socket 16
    [336] fnbamd_create_radius_socket-Opened radius socket 17
    [1372] fnbamd_radius_auth_send-Compose RADIUS request
    [1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
    [1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=113 len=125 user="radius_admins" using PAP
    [313] radius_server_auth-Timer of rad 'FGT-Radius' is added
    [743] auth_tac_plus_start-Didn't find tac_plus servers (0)
    [481] ldap_start-Didn't find ldap servers
    [591] create_auth_session-Total 1 server(s) to try
    [1381] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
    [1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
    [354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
    [320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins

    [1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' 10.0.0.1(1) is 0
    [1331] fnbamd_radius_group_match-Passed group matching
    [1059] find_matched_usr_grps-Group 'Radius_group' passed group matching
    [1060] find_matched_usr_grps-Add matched group 'Radius_group'(10)
    [217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
    [747] destroy_auth_session-delete session 7658224
    [2446] handle_req-Rcvd 7 req
    [308] fnbamd_acct_start_START-Error getting radius server
    [1469] create_acct_session-Error start acct type 7
    [2460] handle_req-Error creating acct session 7

    diag test authserver radius FGT-Radius pap radius_admins P@ssword123

    authenticate 'radius_admins' against 'pap' succeeded, server=primary assigned_rad_session_id=7658226 assigned_admin_profile=Radius_User_Access session_timeout=0 secs idle_timeout=0 secs!
    Group membership(s) - Firewall_Admins
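
The debug output above shows the FortiGate extracting the Fortinet VSAs (type 6, then type 1) from the Access-Accept and only then passing group matching. The following Python script is an added example, not part of this article or of Fortinet's code: it builds a constructed Access-Accept carrying the two VSAs used in this article, decodes them the way a RADIUS client does (attribute 26, vendor 12356, sub-attribute type/length/value), and applies the same decision order (VSA 1 must match a configured group; VSA 6 then overrides the default no_access profile). The packet authenticator is zeroed and the function names are the example's own.

```python
import struct

FORTINET_VENDOR_ID = 12356   # VENDOR fortinet 12356, from the dictionary quoted above
FORTINET_GROUP_NAME = 1      # ATTRIBUTE Fortinet-Group-Name 1
FORTINET_ACCESS_PROFILE = 6  # ATTRIBUTE Fortinet-Access-Profile 6
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2            # RADIUS code 2 ("RADIUS resp code 2" in the debug output)

def build_vsa(vendor_type, value):
    """Encode one Fortinet sub-attribute inside an RFC 2865 Vendor-Specific attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def build_access_accept(ident, vsas):
    """Constructed Access-Accept for offline use: authenticator zeroed, no signing."""
    attrs = b"".join(vsas)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_fortinet_vsas(packet):
    """Return {vendor_type: value} for every Fortinet VSA, rejecting malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_type == VENDOR_SPECIFIC and a_len >= 8:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            v_type, v_len = packet[pos + 6], packet[pos + 7]
            if vendor_id == FORTINET_VENDOR_ID and 2 <= v_len <= a_len - 6:
                found[v_type] = packet[pos + 8:pos + 6 + v_len].decode("ascii")
        pos += a_len
    return found

def resolve_admin_profile(vsas, configured_groups, default_profile="no_access"):
    """Same order as the FortiGate: VSA 1 must match a configured group or login fails;
    only then does VSA 6, if present, override the administrator's default profile."""
    if vsas.get(FORTINET_GROUP_NAME) not in configured_groups:
        return None
    return vsas.get(FORTINET_ACCESS_PROFILE, default_profile)

if __name__ == "__main__":
    pkt = build_access_accept(113, [build_vsa(FORTINET_GROUP_NAME, b"Firewall_Admins"),
                                    build_vsa(FORTINET_ACCESS_PROFILE, b"Radius_User_Access")])
    vsas = parse_fortinet_vsas(pkt)
    print(vsas, "->", resolve_admin_profile(vsas, {"Firewall_Admins"}))
```

Feeding the same decoder a capture of the real Access-Accept shows whether VSA 6 is missing (login succeeds but only no_access applies) or VSA 1 does not match the configured group (login fails before the profile is considered).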

Related articles:

Technical Tip: Fortinet RADIUS attribute.

Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes).