Setup:
FortiGate -> Internet -> FortiAuthenticator Cloud (FortiTrust Identity).
FortiAuthenticator Cloud acts as the RADIUS server for the FortiGate.
The key requirement is the use of RADSEC (RADIUS over TLS).
RADSEC uses TCP port 2083 and requires a TLS handshake before any RADIUS traffic is exchanged.
Note: The CA certificate that signed the RADIUS server certificate must be imported into the FortiGate, otherwise the FortiGate cannot validate the server and the TLS handshake fails.
Configuration on FortiGate:
config user radius
edit "Radsec-FAC cloud"
set server "1q1r45fn.fortitrustid.forticloud.com" <----- FortiAuthenticator Cloud FQDN.
set secret ENC /l1e5KdRxYMsnpxPETEzKGNb0MK37nX
set radius-port 2083 <----- (Radsec port number is 2083).
set transport-protocol tls <----- (TLS is mandatory).
set tls-min-proto-version TLSv1-3
set ca-cert "CA_Cert_1" <----- CA certificate which signed the Server certificate (needs to be imported to FortiGate).
next
end
For simplicity, this article shows an example where the server certificate is created on FortiAuthenticator Cloud itself using the Local CA.
On FortiAuthenticator Cloud:
- Create a Local CA (Note: this is the CA certificate that must be imported into the FortiGate).
- Create the server certificate using the Local CA above and make sure the CN of the server certificate is the FQDN of the FortiAuthenticator Cloud: CN=1q1r45fn.fortitrustid.forticloud.com.
- Use this server certificate for RADSEC.
Once the certificate part is sorted, proceed to the RADIUS Client configuration.
Note: This article does not explain the detailed configuration of RADIUS clients and policies, as these are the same as on a standard FortiAuthenticator; refer to the admin documentation.
- Make sure service 2083 is enabled on FortiTrust ID: go to System -> Administration -> Access Rights and enable RADSEC (TCP/2083).
Note: This communication goes over the internet, so ensure that port 2083 is not blocked upstream of the FortiGate or by the ISP.
- Under the RADIUS settings, run a RADIUS connectivity test via the FortiGate GUI.
Commands to verify the TLS handshake in FortiGate:
diagnose debug app fnbamd -1
diagnose debug en
Debug logs from FortiTrust ID can be viewed at: https://<FTID-FQDN>/debug/radius.

The error above indicates that there is a certificate problem between the FortiGate and FortiTrust ID.
Cross-check the certificate configured under RADIUS Services -> Certificates -> RADSEC Server Certificate and select the server certificate created above.
Debug logs from FortiGate:
[1738] handle_req-Rcvd auth req 10535656271876 for test01 in opt=0500000d prot=0 svc=7
[332] __compose_group_list_from_req-Group '', type 1
[507] create_auth_session-Session created for req id 10535656271876
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[347] fnbamd_rad_new-1q1r45fn.fortitrustid.forticloud.co
[140] __init_rad_setting-Preping auth servers.
[123] __rad_server_push-Inserted rad server '1q1r45fn.fortitrustid.forticloud.com'.
[357] fnbamd_rad_new-1q1r45fn.fortitrustid.forticloud.co created
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1738] fnbamd_create_ssl_ctx-SSL CTX is created.
[282] __rad_create_ssl_ctx-SSL CTX is created for rad server 1q1r45fn.fortitrustid.forticloud.co.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x27 '1q1r45fn.fortitrustid.forticloud.com'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2027 '1q1r45fn.fortitrustid.forticloud.com'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1113] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[744] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x27
[309] fnbamd_dns_parse_resp-req 0x27: 154.52.4.227
[1066] __fnbamd_rad_dns_cb-Resolved 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com to 154.52.4.227, cur stack size:-1
[1025] __auth_ctx_svr_push-Added addr 154.52.4.227:2083 from rad '1q1r45fn.fortitrustid.forticloud.co'
[853] __fnbamd_rad_get_next_addr-Next available address of rad '1q1r45fn.fortitrustid.forticloud.co': 154.52.4.227:2083.
[1043] __auth_ctx_start-Connection starts 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com, addr 154.52.4.227:2083 proto:TCP over TLS <----- Indicates the connection takes place over TLS.
[471] __rad_tcps_open-vfid 0, addr 154.52.4.227, src_ip , ssl_opt 1284
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 154.52.4.227:2083, source address is null, protocol number is 6, oif id is 0
[491] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[504] __rad_tcps_open-Server identity check is enabled.
[520] __rad_tcps_open-Still connecting 154.52.4.227.
[536] __rad_tcps_open-Start rad conn timer.
[868] __rad_conn_start-Socket 9 is created for rad '1q1r45fn.fortitrustid.forticloud.co'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2027
[35] __fnbamd_dns_req_del-DNS req 0x27 (0xf1383b8) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[269] fnbamd_dns_parse_resp-req 0x0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[1066] __fnbamd_rad_dns_cb-Resolved 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com to ::, cur stack size:0
[1031] __auth_ctx_svr_push-Failed to add addr 1q1r45fn.fortitrustid.forticloud.com from rad '1q1r45fn.fortitrustid.forticloud.co'
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/C=MY/L=Dengkil/O=cloudftnt/OU=ftbt/CN=FAC/emailAddress=elang@test.com'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/C=MY/L=Dengkil/O=Fortinet/OU=ee/CN=1q1r45fn.fortitrustid.forticloud.com/emailAddress=elang@test.com
[439] __rad_tcps_connect-tcps_connect(154.52.4.227) is established.
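To read the fnbamd output mechanically instead of by eye, the following added Python example (not from the article or from Fortinet) parses lines of the form shown above and confirms the things the handshake must prove: TLS on port 2083, server identity checking enabled, every chain depth pre-verified, leaf CN equal to the configured server FQDN, and the TCP/TLS connection established. The sample log is constructed from the output above, split one message per line; the function names are this example's own.

```python
import re

# Constructed sample: messages adapted from the fnbamd debug output in this
# article, one per line (the real stream arrives as one long line).
SAMPLE_LOG = """\
[1043] __auth_ctx_start-Connection starts 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com, addr 154.52.4.227:2083 proto:TCP over TLS
[504] __rad_tcps_open-Server identity check is enabled.
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/C=MY/L=Dengkil/O=cloudftnt/OU=ftbt/CN=FAC/emailAddress=elang@test.com'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/C=MY/L=Dengkil/O=Fortinet/OU=ee/CN=1q1r45fn.fortitrustid.forticloud.com/emailAddress=elang@test.com'
[439] __rad_tcps_connect-tcps_connect(154.52.4.227) is established.
"""

# Only "ok" appears in the article's output; any other status word is treated
# as a verification failure (assumption: the word after "preverify" is the status).
VERIFY_RE = re.compile(r"__verify_cb-Cert preverify (\w+)\. Depth (\d+)\. Subject '([^']*)")
CN_RE = re.compile(r"/CN=([^/]+)")


def check_radsec_handshake(log: str, expected_fqdn: str, expected_port: int = 2083) -> dict:
    """Extract what the debug stream proves about one RADSEC (RADIUS over TLS) attempt."""
    result = {"tls": False, "identity_check": False, "chain_depths": [],
              "leaf_cn": None, "cn_matches": False, "established": False}
    for line in log.splitlines():
        if "__auth_ctx_start" in line and f":{expected_port} proto:TCP over TLS" in line:
            result["tls"] = True                      # transport-protocol tls took effect
        elif "Server identity check is enabled" in line:
            result["identity_check"] = True           # CN/SAN will be compared to the FQDN
        elif (m := VERIFY_RE.search(line)):
            status, depth, subject = m.group(1), int(m.group(2)), m.group(3)
            result["chain_depths"].append((depth, status))
            if depth == 0:                            # depth 0 is the server (leaf) cert
                cn = CN_RE.search(subject)
                result["leaf_cn"] = cn.group(1) if cn else None
                result["cn_matches"] = result["leaf_cn"] == expected_fqdn
        elif "tcps_connect(" in line and "is established" in line:
            result["established"] = True
    return result


def handshake_ok(log: str, expected_fqdn: str) -> bool:
    """True only if every condition the article relies on is visible in the log."""
    r = check_radsec_handshake(log, expected_fqdn)
    chain_ok = bool(r["chain_depths"]) and all(s == "ok" for _, s in r["chain_depths"])
    return r["tls"] and r["identity_check"] and chain_ok and r["cn_matches"] and r["established"]


if __name__ == "__main__":
    print(check_radsec_handshake(SAMPLE_LOG, "1q1r45fn.fortitrustid.forticloud.com"))
```

A leaf CN that differs from the value in `set server` is the case the article's "certificate issues" error points at, and `handshake_ok` returns False for it even when the chain itself verified.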