lgupta
Staff
Article Id 371029
Description: This article describes how the 'Class' attribute (type String), defined in a Network Policy on a Windows NPS server, can be used to match the user group(s) configured on the FortiGate.
Scope: FortiOS.
Solution

Steps on NPS Server:

Define the 'Class' attribute (type String) in the Network Policy on the Windows NPS server. The string value set here (for example 'group-1' in this article) is what NPS returns in the Access-Accept and what the FortiGate later matches against.
Reference picture: radius-nps.png (the Class attribute defined under the NPS Network Policy).

 

Steps on FortiGate Firewall:

Step 1: Enable the class attribute override in the RADIUS server configuration using the CLI.

 

config user radius
    edit "radius-windows-2019"
        set server "192.168.1.200"
        set secret ENC WY0cw6l7yzf1numn1WIEv6H4aaMXmySak+NfqVrxD0qTx1WijuQZJ
        set group-override-attr-type class <-------
    next
end

 

Note: It is important to enable the override; otherwise the Class attribute is ignored and the FortiGate will not show the Group Membership(s) in Step 2.

 

Step 2: Using the FortiGate CLI, confirm that the FortiGate is receiving the Group Membership(s) from the NPS server.

 

lab # diagnose test authserver radius radius-windows-2019 pap user1 password

 

authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=17158578049066 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - group-1

 

Step 3: Step 2 confirmed that the FortiGate receives the 'group-1' Group Membership. The next step is to define a user group that matches this value, for reference in SSL VPN (in this example).

 

config user group
    edit "usergroup1"
        set member "radius-windows-2019"
        config match
            edit 1
                set server-name "radius-windows-2019"
                set group-name "group-1" <-----------
            next
        end
    next
end

 

Step 4: For testing, configure SSL VPN and use 'usergroup1' in the SSL VPN authentication portal mapping and in the firewall policy.

 

Relevant fnbamd debug output for verifying the Class attribute:

 

lab # diagnose debug application fnbamd -1

lab # diag deb en
[... output truncated ...]

[431] __rad_udp_recv-Recved 99 bytes. Buf sz 8192
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 2
[912] __rad_rxtx-
[1286] fnbamd_rad_process-Result from radius svr 'radius-windows-2019' is 0, req 17652505976835
[487] fnbamd_rad_get_vsas-Override group attr, type 25, val group-1 <<------- received group membership from Radius Server
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[627] fnbam_user_auth_group_match-req id: 17652505976835, server: radius-windows-2019, local auth: 0, dn match: 0
[581] __group_match-Check if radius-windows-2019 is a group member
[587] __group_match-Group 'usergroup1' passed group matching
[590] __group_match-Add matched group 'usergroup1'(2) <<------- Group matching completed.
[206] find_matched_usr_grps-Passed group matching
[909] update_auth_token_session-config does not require 2fa
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 17652505976835, len=2663
[... output truncated ...]
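To make the two pieces shown above concrete (the 'config match' rule in Step 3 and the fnbamd lines 'Override group attr, type 25, val group-1' and 'Add matched group usergroup1'), here is an added Python model; it is example code, not code from the article or from Fortinet. It builds a constructed Access-Accept carrying Class = 'group-1', verifies the RFC 2865 Response Authenticator against the shared secret before trusting the reply, extracts the type 25 Class values, and applies the article's match rule (server-name 'radius-windows-2019', group-name 'group-1') to yield 'usergroup1'. The shared secret and request authenticator are placeholder values.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
ATTR_CLASS = 25     # RFC 2865 Class attribute; fnbamd logs it as "type 25"
# Mirrors the article's 'config user group' block: user-group -> [(server-name, group-name)]
USER_GROUP_MATCH = {"usergroup1": [("radius-windows-2019", "group-1")]}

def parse_attributes(attr_bytes):
    """Walk the Type/Length/Value list that follows the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i + 2 <= len(attr_bytes):
        atype, alen = attr_bytes[i], attr_bytes[i + 1]
        if alen < 2 or i + alen > len(attr_bytes):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.append((atype, attr_bytes[i + 2:i + alen]))
        i += alen
    return attrs

def response_is_authentic(packet, request_authenticator, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); rejects forged replies."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return expected == packet[4:20]

def class_groups(packet, request_authenticator, secret):
    """Return the Class values of a verified Access-Accept (what the group-override exposes)."""
    if not response_is_authentic(packet, request_authenticator, secret):
        raise ValueError("RADIUS response authenticator mismatch")
    if packet[0] != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for t, v in parse_attributes(packet[20:]) if t == ATTR_CLASS]

def matched_user_groups(server_name, class_values, rules=USER_GROUP_MATCH):
    """Apply the 'config match' rules: a user-group matches when one of its (server, group) pairs hits."""
    return [ug for ug, pairs in rules.items()
            if any(s == server_name and g in class_values for s, g in pairs)]

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Constructed test packet standing in for the NPS reply (not a capture from the article)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

# Constructed sample: the secret and request authenticator are placeholders, not the article's values.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_access_accept(7, REQ_AUTH, SECRET,
                             [(ATTR_CLASS, b"group-1"), (27, struct.pack("!I", 0))])  # 27 = Session-Timeout
```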


Once the SSL VPN connection succeeds, confirm the authentication details using the CLI:

 

lab # diagnose firewall auth list

 

10.212.134.200, user1 <------ user-name.
type: fw, id: 0, duration: 36, idled: 9
expire: 28790, allow-idle: 28799
flag(80): sslvpn
server: radius-windows-2019 <------ RADIUS server.
packets: in 625 out 355, bytes: in 723124 out 30737
group_id: 2
group_name: usergroup1 <------ user-group name.

----- 1 listed, 0 filtered ------

 

Alternatively, Vendor Specific Attribute(s) can be used for group matching; see: Restricting RADIUS user groups to match selective users on the RADIUS server.

 

Related articles:

Technical Tip: Authentication, Remote server group match of user group configuration with RADIUS ser...

Troubleshooting Tip: How to test FortiGate's radius user authentication to the RADIUS server