FortiGate
ekrishnan, Staff
Article Id 335055
Description: This article describes an example configuration for integrating FortiAuthenticator Cloud as the RADIUS server for a FortiGate.
Scope: FortiGate, FortiTrust Identity.
Solution:

Setup:

FortiGate ----------> Internet -----> FortiAuthenticator Cloud (FortiTrust Identity)

FortiAuthenticator Cloud acts as the RADIUS server for the FortiGate.

The key requirement is the use of RADSEC (RADIUS over TLS).

RADSEC uses TCP port 2083 and requires a TLS handshake.

Note: The CA certificate that signed the RADIUS server certificate must be imported into the FortiGate.

Configuration on FortiGate:

config user radius
    edit "Radsec-FAC cloud"
        set server "1q1r45fn.fortitrustid.forticloud.com"  --------------------> FortiAuthenticator Cloud FQDN.
        set secret ENC /l1e5KdRxYMsnpxPETEzKGNb0MK37nX
        set radius-port 2083                               --------------------> RADSEC port number is 2083.
        set transport-protocol tls                         --------------------> TLS is mandatory.
        set tls-min-proto-version TLSv1-3
        set ca-cert "CA_Cert_1"                            --------------------> CA certificate that signed the server certificate (must be imported into the FortiGate).
    next
end


For simplicity, this article shows an example where the server certificate is created on FortiAuthenticator Cloud itself using the Local CA.

On FortiAuthenticator Cloud:

  1. Create a Local CA (Note: this is the CA certificate that must be imported into the FortiGate).

  2. Create the server certificate using the Local CA created in step 1.

  3. Use this server certificate for RADSEC.

Once the certificate part is done, proceed to the RADIUS client configuration. (Note: this article does not explain the detailed configuration of RADIUS clients and policies, as these are the same as for a standard FortiAuthenticator; refer to the admin documentation.)

Note: This communication is over the internet, so ensure that TCP port 2083 is not blocked upstream of the FortiGate or by the ISP.


Commands to verify the TLS handshake on the FortiGate:

diag de app fnbamd -1
diag de en

Example output:

[1738] handle_req-Rcvd auth req 10535656271876 for test01 in opt=0500000d prot=0 svc=7
[332] __compose_group_list_from_req-Group '', type 1
[507] create_auth_session-Session created for req id 10535656271876
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[347] fnbamd_rad_new-1q1r45fn.fortitrustid.forticloud.co
[140] __init_rad_setting-Preping auth servers.
[123] __rad_server_push-Inserted rad server '1q1r45fn.fortitrustid.forticloud.com'.
[357] fnbamd_rad_new-1q1r45fn.fortitrustid.forticloud.co created
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1738] fnbamd_create_ssl_ctx-SSL CTX is created.
[282] __rad_create_ssl_ctx-SSL CTX is created for rad server 1q1r45fn.fortitrustid.forticloud.co.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x27 '1q1r45fn.fortitrustid.forticloud.com'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2027 '1q1r45fn.fortitrustid.forticloud.com'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1113] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[744] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x27
[309] fnbamd_dns_parse_resp-req 0x27: 154.52.4.227
[1066] __fnbamd_rad_dns_cb-Resolved 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com to 154.52.4.227, cur stack size:-1
[1025] __auth_ctx_svr_push-Added addr 154.52.4.227:2083 from rad '1q1r45fn.fortitrustid.forticloud.co'
[853] __fnbamd_rad_get_next_addr-Next available address of rad '1q1r45fn.fortitrustid.forticloud.co': 154.52.4.227:2083.
[1043] __auth_ctx_start-Connection starts 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com, addr 154.52.4.227:2083 proto: TCP over TLS ----------------------------->Indicates connection takes place over TLS
[471] __rad_tcps_open-vfid 0, addr 154.52.4.227, src_ip , ssl_opt 1284
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 154.52.4.227:2083, source address is null, protocol number is 6, oif id is 0
[491] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[504] __rad_tcps_open-Server identity check is enabled.
[520] __rad_tcps_open-Still connecting 154.52.4.227.
[536] __rad_tcps_open-Start rad conn timer.
[868] __rad_conn_start-Socket 9 is created for rad '1q1r45fn.fortitrustid.forticloud.co'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2027
[35] __fnbamd_dns_req_del-DNS req 0x27 (0xf1383b8) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[269] fnbamd_dns_parse_resp-req 0x0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[1066] __fnbamd_rad_dns_cb-Resolved 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com to ::, cur stack size:0
[1031] __auth_ctx_svr_push-Failed to add addr 1q1r45fn.fortitrustid.forticloud.com from rad '1q1r45fn.fortitrustid.forticloud.co'
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/C=MY/L=Dengkil/O=cloudftnt/OU=ftbt/CN=FAC/emailAddress=elang@test.com'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/C=MY/L=Dengkil/O=Fortinet/OU=ee/CN=1q1r45fn.fortitrustid.forticloud.com/emailAddress=elang@test.com'
[439] __rad_tcps_connect-tcps_connect(154.52.4.227) is established.
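The debug output above can also be checked mechanically. The following is an added example (not part of this article or of any Fortinet tool): a Python parser that reads saved fnbamd debug output and reports whether each RADSEC milestone is present (TCP over TLS on port 2083, server identity check enabled, certificate chain pre-verified at depths 1 and 0, TCP connection established) and whether the leaf certificate CN matches the configured server FQDN. The sample lines are copied from the output above; the dataclass, function and regex names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the fnbamd debug lines shown earlier in this article.
SAMPLE_DEBUG = """\
[1043] __auth_ctx_start-Connection starts 1q1r45fn.fortitrustid.forticloud.co:1q1r45fn.fortitrustid.forticloud.com, addr 154.52.4.227:2083 proto: TCP over TLS
[504] __rad_tcps_open-Server identity check is enabled.
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/C=MY/L=Dengkil/O=cloudftnt/OU=ftbt/CN=FAC/emailAddress=elang@test.com'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/C=MY/L=Dengkil/O=Fortinet/OU=ee/CN=1q1r45fn.fortitrustid.forticloud.com/emailAddress=elang@test.com'
[439] __rad_tcps_connect-tcps_connect(154.52.4.227) is established.
"""
PROTO_RE = re.compile(r"addr ([^\s:]+):(\d+) proto: (.+)$")
DEPTH_RE = re.compile(r"Cert preverify ok\. Depth (\d+)\. Subject '([^']*)")
CN_RE = re.compile(r"/CN=([^/]+)")
ESTABLISHED_RE = re.compile(r"tcps_connect\((\S+)\) is established")


@dataclass
class RadsecCheck:
    server_port: int = 0
    tls_transport: bool = False    # connection line reports "TCP over TLS"
    identity_check: bool = False   # FortiGate validates the server certificate name
    verified_depths: set = field(default_factory=set)  # chain depths accepted by the verify callback
    server_cn: str = ""            # CN of the leaf (depth 0) certificate
    established: bool = False

    def passed(self, expected_fqdn: str) -> bool:
        # Every RADSEC milestone must be present and the leaf CN must match the configured server.
        return (self.tls_transport and self.server_port == 2083 and self.identity_check
                and {0, 1} <= self.verified_depths and self.established
                and self.server_cn.lower() == expected_fqdn.lower())


def parse_fnbamd_debug(text: str) -> RadsecCheck:
    """Walk 'diag de app fnbamd -1' output and record each RADSEC handshake milestone."""
    result = RadsecCheck()
    for line in text.splitlines():
        if m := PROTO_RE.search(line):
            result.server_port = int(m.group(2))
            result.tls_transport = "TLS" in m.group(3)
        elif "Server identity check is enabled" in line:
            result.identity_check = True
        elif m := DEPTH_RE.search(line):
            depth = int(m.group(1))
            result.verified_depths.add(depth)
            if depth == 0 and (cn := CN_RE.search(m.group(2))):
                result.server_cn = cn.group(1)
        elif ESTABLISHED_RE.search(line):
            result.established = True
    return result
```

A missing depth-0 line or a CN that does not match the configured FQDN points at the CA import or the server certificate rather than at port 2083 reachability.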