FortiGate
ganeshcs
Staff
Description

This article explains how to set up a FortiGate with RADIUS authentication backed by Active Directory (AD). The RADIUS server configured here is Microsoft NPS.

Scope

- The FortiGate uses Microsoft NPS as its RADIUS server, and NPS references AD for authentication.
- Microsoft NPS is joined to the AD domain for AD authentication.

Solution

Below are the screenshots and explanations of how to configure NPS, as well as the FortiGate RADIUS attributes.

1) Add the FortiGate to 'RADIUS Clients' in the MS NPS configuration (select 'RADIUS Clients' and select 'New').
2) Enter the FortiGate RADIUS client details:
- Make sure the 'Enable this RADIUS client' box is checked.
- Enter the 'Friendly name', the IP address and the shared secret (the same secret that is configured on the FortiGate).
- The rest can be left at the defaults.

3) Create a 'Connection Request Policy' for the FortiGate (select 'Connection Request Policies' and select 'New').
4) Specify the 'Policy name' and select 'Next'.

5) Under 'Specify Conditions' select 'Add…', select 'Client IPv4 Address' and specify the IP address of the FortiGate.
- When finished, confirm the settings with 'OK' and 'Add…'.
- Select 'Next' when done; the rest can be left at the defaults. Continue selecting 'Next' and select 'Finish' at the last step.

6) Create a 'Network Policy' for access requests coming from the FortiGate (NPS -> Policies -> Network Policies, then select 'New').
7) Specify the 'Policy name' and select 'Next'.

Adding Network Policy with AD authentication.
------------------------------------------------

8) Under 'Specify Conditions' select 'Add…', select 'Windows Groups', select 'Add Groups…' and enter the AD group name.
- When finished, confirm the settings with 'OK' and 'Add…'.
- Select 'Next' when done.

9) Specify the access permission and select 'Next' when done.

10) Configure the authentication methods.
- Select 'OK' and 'Next' when done; the rest can be left at the defaults until the 'Configure Settings' screen below, where the RADIUS attributes are configured.

The next step is to configure the Vendor Specific RADIUS attributes:
- Select 'Vendor Specific' and then 'Add'.

11) Configure the Vendor Specific Attribute with Vendor=12356, attribute number 1, as a string with the value 'DomainAdmins'.

12) Select 'Finish' to complete the NPS configuration.

From the FortiGate

13) Configure the RADIUS server connection from FortiGate -> User & Authentication -> RADIUS Servers (use the same information as in step 2 of the NPS configuration above):

- Test Connectivity.
- Test user credentials with an AD account that is a member of the AD group.
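
The FortiGate side of step 13 in CLI form, as an added example that is not from the original article: it defines the RADIUS server and a user group that matches on the Fortinet-Group-Name VSA (vendor 12356, attribute 1) that NPS returns per step 11. The server name, IP address, shared secret, group name and test account are assumed placeholders.

```fortios
# Added example (not from the article). All values below are placeholders:
# replace the server IP, secret and object names with your own.

# Step 13: RADIUS server object pointing at the Microsoft NPS server.
# The secret must match the one entered for this client in NPS (step 2).
# auth-type is left at its default (auto) and must agree with the
# authentication methods enabled in the NPS network policy (step 10).
config user radius
    edit "NPS-RADIUS"
        set server "192.0.2.10"
        set secret "SharedSecretFromStep2"
    next
end

# Consume the VSA from step 11: NPS returns Fortinet-Group-Name
# (vendor 12356, attribute 1) with the string 'DomainAdmins' in its
# Access-Accept. This user group matches on that string, so only
# users whose NPS reply carries 'DomainAdmins' become members of it.
config user group
    edit "RADIUS-DomainAdmins"
        set member "NPS-RADIUS"
        config match
            edit 1
                set server-name "NPS-RADIUS"
                set group-name "DomainAdmins"
            next
        end
    next
end

# CLI equivalent of 'Test User credentials' in step 13. <aduser> and
# <password> are an AD account in the AD group selected in step 8;
# the output includes the group membership returned by NPS.
# diagnose test authserver radius NPS-RADIUS mschap2 <aduser> <password>
```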

Results

Tested using an AD-authenticated user.