- Configure the FortiGate with the RADIUS server.
Go to User & Device -> Authentication -> RADIUS Server.
Name: FGT-Radius
Primary Server IP/Name: 10.10.10.10
Primary Server Secret: radius_secret
Or run the equivalent in the CLI:
config user radius
    edit "FGT-Radius"
        set server 10.10.10.10
        set secret radius_secret
    next
end
Note: a source IP address for the FortiGate to use when contacting the RADIUS server can optionally be set with the following commands:
config user radius
    edit "FGT-Radius"
        set source-ip 192.168.1.99
    next
end
- Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).
Verify that the RADIUS server is configured to send the appropriate VSAs. To pass both a group membership and an access profile, VSA 1 (Fortinet-Group-Name) and VSA 6 (Fortinet-Access-Profile) need to be set:
VENDOR fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Access-Profile 6 string
In this example:
Attribute 1 is set to Firewall_Admins. Attribute 6 is set to Radius_User_Access.
A list of all Fortinet VSAs is available here.
- Create a user group on the FortiGate.
Go to User & Device -> User -> User Group and create a firewall group.
Create a new remote server entry and add the RADIUS server.
In the Groups field, enter the string that was configured as Attribute 1 on the RADIUS server. In this example, the string used is 'Firewall_Admins'.
Name: Radius_group
Remote Server: FGT-Radius
Groups: Firewall_Admins
- Create two admin profiles.
Go to System -> Admin -> Admin Profiles and create two profiles.
First profile:
Profile Name: no_access
Access Control: None
Second profile:
Profile Name: Radius_User_Access (the profile name must match the value sent in VSA 6)
Access Control: specify the desired permissions.
- Create an admin user.
Go to System -> Admin -> Administrators.
Create a new admin with the type Remote.
Select the user group (Radius_group).
Select the type Wildcard.
Select the no_access profile.
Then run the following in the CLI so that the profile passed down by the RADIUS server overrides the no_access profile assigned to the admin:
config system admin
    edit Radius_Admins
        set accprofile-override enable
end
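As an added illustration (not code from this article or from Fortinet), the following Python script shows how the two VSAs from the RADIUS server step travel inside an Access-Accept and how the group and profile steps above consume them. It encodes the Fortinet attributes the way RFC 2865 carries them in attribute 26 (a 4-byte Vendor-Id of 12356, then vendor type, vendor length and value), parses them back out of a reply's attribute list, as the fnbamd debug lines "extract_success_vsas-FORTINET attr, type 1/6" report, and then applies the rules this procedure configures: Fortinet-Group-Name must match a string listed in the FortiGate user group, and Fortinet-Access-Profile replaces the admin's no_access profile only when accprofile-override is enabled. The function names, the configured_groups and admin_profiles inputs, and the choice to keep the default profile when an unknown profile name is sent are this example's own assumptions, not FortiGate behaviour the article documents.

```python
import struct

# Values taken from the dictionary lines in this article.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1        # Fortinet-Group-Name (VSA 1)
FORTINET_ACCESS_PROFILE = 6    # Fortinet-Access-Profile (VSA 6)
VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type


def encode_vsa(vendor_type, value, vendor_id=FORTINET_VENDOR_ID):
    """Encode one Vendor-Specific attribute carrying a single vendor
    sub-attribute: Vendor-Id (4 bytes), Vendor-Type, Vendor-Length, value."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(payload):
    """Walk a RADIUS attribute list and yield (type, value) pairs,
    rejecting truncated or malformed length fields instead of looping."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[i + 2:i + alen]
        i += alen


def extract_fortinet_vsas(payload):
    """Return {vendor_type: [values]} for Fortinet VSAs only; other vendors
    and non-VSA attributes are ignored."""
    out = {}
    for atype, avalue in parse_attributes(payload):
        if atype != VENDOR_SPECIFIC or len(avalue) < 4:
            continue
        if struct.unpack("!I", avalue[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(avalue):
            vtype, vlen = avalue[j], avalue[j + 1]
            if vlen < 2 or j + vlen > len(avalue):
                raise ValueError("bad vendor sub-attribute length")
            out.setdefault(vtype, []).append(avalue[j + 2:j + vlen].decode("utf-8"))
            j += vlen
    return out


def resolve_admin_access(vsas, configured_groups, admin_profiles,
                         override_enabled, default_profile="no_access"):
    """Hypothetical model of steps 3-5: returns (matched_groups, profile).
    configured_groups maps FortiGate user group name -> list of strings in
    its Groups field; admin_profiles is the set of admin profile names."""
    sent_groups = set(vsas.get(FORTINET_GROUP_NAME, []))
    matched = sorted(name for name, strings in configured_groups.items()
                     if sent_groups & set(strings))
    if not matched:
        return None, None          # no user group matched: login is refused
    profile = default_profile      # the admin was created with no_access
    if override_enabled:
        for name in vsas.get(FORTINET_ACCESS_PROFILE, []):
            if name in admin_profiles:   # assumption: unknown names are ignored
                profile = name
                break
    return matched, profile


if __name__ == "__main__":
    # Constructed Access-Accept attribute list with the article's two VSAs.
    reply = encode_vsa(FORTINET_GROUP_NAME, "Firewall_Admins") + \
            encode_vsa(FORTINET_ACCESS_PROFILE, "Radius_User_Access")
    vsas = extract_fortinet_vsas(reply)
    groups = {"Radius_group": ["Firewall_Admins"]}
    profiles = {"no_access", "Radius_User_Access"}
    print(vsas)
    print(resolve_admin_access(vsas, groups, profiles, override_enabled=True))
    print(resolve_admin_access(vsas, groups, profiles, override_enabled=False))
```

Running the script with override_enabled=False shows why the accprofile-override step matters: the group still matches, but the admin keeps the no_access profile and the VSA 6 value is discarded.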
- Log in to the FortiGate using the new RADIUS user.
- Troubleshooting steps if it is not working as expected.
If the expected permissions are not received, run the following commands in the CLI:
diag debug app fnbamd -1
diag debug app radius -1
diag debug enable
diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
A successful output will appear as follows:
[1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
[424] __compose_group_list_from_req-Group 'Radius_group', type 1
[617] fnbamd_pop3_start-radius_admins
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
[1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=113 len=125 user="radius_admins" using PAP
[313] radius_server_auth-Timer of rad 'FGT-Radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
[320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins
[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'Radius_group' passed group matching
[1060] find_matched_usr_grps-Add matched group 'Radius_group'(10)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
[747] destroy_auth_session-delete session 7658224
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7
diag test authserver radius FGT-Radius pap radius_admins P@ssword123
authenticate 'radius_admins' against 'pap' succeeded, server=primary assigned_rad_session_id=7658226 assigned_admin_profile=Radius_User_Access session_timeout=0 secs idle_timeout=0 secs! Group membership(s) - Firewall_Admins
Related articles:
Technical Tip: Fortinet RADIUS attribute.
Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes).