FortiGate
ganeshcs
Staff
Article Id 213024
Description

 

This article describes how to set up RADIUS authentication on a FortiGate against Active Directory (AD). The RADIUS server used here is Microsoft Network Policy Server (NPS).

 

Scope

 

  • The FortiGate uses Microsoft NPS as its RADIUS server; NPS in turn validates the credentials against AD.
  • The NPS server must be joined to the AD domain so that it can authenticate AD users and evaluate AD group membership.

 

Solution

 

Below are the screenshots and explanations of how to configure NPS, including the Fortinet vendor-specific RADIUS attribute the FortiGate uses for group matching.

 

ganeshcs_0-1653481009838.png

 

  1. Add the FortiGate as a RADIUS client in the NPS configuration (select 'RADIUS Clients' and then 'New').
  2. Enter the FortiGate RADIUS client details:
  • Make sure the 'Enable this RADIUS client' box is checked.
  • Enter a 'Friendly name', the FortiGate IP address (the source address of its RADIUS requests) and the shared secret. The secret must be identical to the one configured on the FortiGate RADIUS server object; NPS silently discards requests signed with a different secret.
  • The rest can stay at the defaults.

 

ganeshcs_1-1653481052923.png

 

  1. Create a 'Connection Request Policy' for the FortiGate (select 'Connection Request Policies' and then 'New').
  2. Specify a 'Policy name' and select 'Next'.

 

ganeshcs_2-1653481078631.png

 

ganeshcs_3-1653481130910.png

 

  1. Under 'Specify Conditions' select 'Add…', select 'Client IPv4 Address' and enter the FortiGate IP address (the same address used for the RADIUS client entry).
  • When finished, confirm the settings with 'OK' and 'Add…'.
  • Select 'Next' when done; the rest can stay at the defaults. Continue selecting 'Next' and select 'Finish' at the last step.

 

ganeshcs_4-1653481152910.png

 

  1. Create a 'Network Policy' for access requests coming from the FortiGate (NPS -> Policies -> Network Policies, then select 'New').
  2. Specify a 'Policy name' and select 'Next'.

 

ganeshcs_5-1653481227881.png

 

ganeshcs_6-1653481309607.png

 

Adding Network Policy with AD authentication.

 

  1. Under 'Specify Conditions' select 'Add…', select 'Windows Groups', select 'Add Groups…' and enter the AD group name whose members are allowed to authenticate.
  • When finished, confirm the settings with 'OK' and 'Add…'.
  • Select 'Next' when done.

 

ganeshcs_7-1653481332130.png

 

  1. Specify access permission and select 'Next' when done.

 

ganeshcs_8-1653481358114.png

 

  1. Configure the authentication methods. The methods enabled here must include the one the FortiGate RADIUS server object is configured to use (its 'Authentication method', PAP or MS-CHAPv2 for example); otherwise NPS rejects the request.
  • Select 'OK' and 'Next' when done. The rest can stay at the defaults until the 'Configure Settings' screen shown below, where the RADIUS attributes are configured.

 

Note:

To use RADIUS authentication for a Wi-Fi SSID, add 'PEAP' in the 'EAP Types' box, because SSIDs deployed by FortiGate only support PEAP.

 

The next step is to configure the Fortinet vendor-specific RADIUS attribute.

  • Under 'Settings' -> 'RADIUS Attributes', select 'Vendor Specific' and then 'Add'.

 

ganeshcs_10-1653481415303.png

 

ganeshcs_11-1653481433428.png

 

ganeshcs_12-1653481452906.png

 

Configure-VSA.png

 

 

  1. Configure the Vendor Specific Attribute as shown above: 'Vendor code' 12356 (Fortinet), 'Vendor-assigned attribute number' 1, attribute format 'String', and the value 'RadiusGroup'.
    The value itself can be any string, but it must exactly match the 'group-name' configured in the RADIUS group match of the FortiGate user group. The FortiGate compares the Fortinet-Group-Name values returned in the Access-Accept against that setting; if none matches, the user is not placed in the group and, for any policy that requires the group, authentication fails.

 

VSA_added.png

 

ganeshcs_15-1653481520679.png

 

  1. Select 'Finish' to complete the NPS configuration.

From the FortiGate side:

  1. Configure the RADIUS server on the FortiGate under User & Authentication -> RADIUS Servers, using the same IP address and shared secret entered in step 2 of the NPS configuration above:
  • Use 'Test Connectivity' to confirm that the NPS server answers.
  • Use 'Test User Credentials' with an AD user that is a member of the group configured in the NPS Network Policy.

 

ganeshcs_16-1653481549809.png

 

FGT-GUI-TestCredentials.png
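The FortiGate side of the procedure above as CLI, an added example that is not part of the original article. It also covers the case discussed under 'Additional Tips' below, where NPS returns several Fortinet-Group-Name values: each returned value is compared against the group-name entries of the user group, and the user lands in the group when one of them matches. The server address 192.0.2.10, the FortiGate source address 192.0.2.1, the object names 'NPS-AD' and 'NPS-Admins' and the placeholder secret are assumptions; the value 'RadiusGroup' is the one configured in the NPS VSA above.

```fortios
# Added example (not from the article): FortiGate CLI equivalent of the
# GUI steps above. Addresses, object names and the secret are placeholders.
config user radius
    edit "NPS-AD"
        # IP of the NPS server
        set server "192.0.2.10"
        # Must be identical to the shared secret of the RADIUS client entry in NPS
        set secret "ReplaceWithLongRandomSecret"
        # Must be a method enabled in the NPS Network Policy. ms_chap_v2 avoids
        # sending the password protected only by the RADIUS MD5 obfuscation
        # that pap relies on.
        set auth-type ms_chap_v2
        # Source address of the RADIUS requests: must equal the client IP of the
        # NPS RADIUS client entry and the 'Client IPv4 Address' condition of the
        # connection request policy.
        set source-ip 192.0.2.1
    next
end

config user group
    edit "NPS-Admins"
        set member "NPS-AD"
        # Only users whose Access-Accept carries a Fortinet-Group-Name
        # (vendor 12356, attribute 1) equal to one of the group-name values
        # below are placed in this group. Add one match entry per group name
        # that should map to this FortiGate group.
        config match
            edit 1
                set server-name "NPS-AD"
                set group-name "RadiusGroup"
            next
        end
    next
end
```

To test from the CLI, run `diagnose test authserver radius NPS-AD mschap2 aduser1 <password>` (use `pap` instead of `mschap2` if the server object uses PAP). The output states whether authentication succeeded and lists the group memberships returned by NPS, which is the quickest way to see whether the Fortinet-Group-Name value reached the FortiGate and matched.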

 

Additional Tips:

A user may be a member of multiple domain groups, in which case the FortiGate needs multiple Fortinet-Group-Name values in the Access-Accept. As shown above, NPS, acting as the RADIUS server, has to supply this information. To achieve this, configure NPS as follows:

 

  • Network Policy conditions: add each group as its own separate 'Windows Groups' condition:

 

Multiple-RadiusVSAs.png

 

  • Settings: add the Vendor Specific attribute (vendor 12356, attribute 1) once and give it multiple values. In the example below, three group names are specified:

 

Multiple-RadiusVSA_Edit_List.png

 

Multiple-RadiusVSA_Added_list.png

 

  • The user account has to be a member of every group listed in the 'Conditions', because NPS combines separate conditions with AND. If the user is missing from any one of the groups, authentication fails. (Several groups placed inside a single 'Windows Groups' condition are instead matched with OR; the AND behaviour comes from listing each group as its own condition, as above.) More about NPS settings with multiple VSA values is in this link.

 

Test result when the testing user 'aduser1' is a member of all three groups:

MultipleVSA-test_successfull.png

 

Test result when the testing user account 'aduser1' is not a member of one of the groups:

 

MultipleVSA-test_failed.png

 

The same tests run from the CLI (the recommended way to test):

 

CLITEST.png