Description
Administrators can configure different access profiles to different radius groups.
This article describes how to provide different admin access profile authentication for radius groups.
Scope
FortiGate.
Solution
Administrator Profile configuration.
Radius configuration on FortiGate.
Radius User Group:
hrgrp for super admin profile.
Salesgrp for read-only profile (radius_user_access).
Wildcard administrator users.
Radius configuration on Windows 2016:
Client configuration.
First NPS policy for Read_only profile Group:
Here, are the attributes for the group name.
Configuring attributes for VDOM.
Configuring attributes for Admin profile.
Configure another NPS policy for other group with ‘super_admin’ profile and configure the correct attributes.
Debug the radius authentication using the below commands:
Diag debug reset
Diag debug disable
Diag debug appl fn -1
Diag debug enable
Result:
When logging with ‘hr1’ user.
diagnose test authserver radius win-radius pap hr1 p@ssw0rd
[2307] handle_req-Rcvd auth req 1088724198 for hr1 in win-radius opt=0000001d prot=0
[409] __compose_group_list_from_req-Group 'win-radius'
[615] fnbamd_pop3_start-hr1
[550] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'win-radius'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-10.40.9.78->10.40.9.78
[1284] __fnbamd_rad_send-Sent radius req to server 'win-radius': fd=15, IP=10.40.9.78(10.40.9.78:1812) code=1 id=12 len=88 user="hr1" using PAP
[282] radius_server_auth-Timer of rad 'win-radius' is added
[568] create_auth_session-Total 1 server(s) to try
[2433] fnbamd_auth_handle_radius_result-Timer of rad 'win-radius' is deleted
[1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val hrgrp
[343] extract_success_vsas-FORTINET attr, type 6, val super_admin
[2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'win-radius' 10.40.9.78(1) is 0
[2389] fnbamd_radius_group_match-Skipping group matching
[1002] find_matched_usr_grps-Skipped group matching
[2887] fnbamd_fas_send_push-username:hr1, vdom:root, usertype:0, tfc=0, auth_type:2
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 1088724198When logging with ‘sales’ with read only profile:
# [2307] handle_req-Rcvd auth req 1088724192 for sales in salesgrp opt=00014001 prot=11
[409] __compose_group_list_from_req-Group 'salesgrp'
[615] fnbamd_pop3_start-sales
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-10.40.9.78->10.40.9.78
[1284] __fnbamd_rad_send-Sent radius req to server 'win-radius': fd=15, IP=10.40.9.78(10.40.9.78:1812) code=1 id=6 len=97 user="sales" using PAP
[282] radius_server_auth-Timer of rad 'win-radius' is added
[719] auth_tac_plus_start-Didn't find tac_plus servers (0)
[440] ldap_start-Didn't find ldap servers (0)
[568] create_auth_session-Total 1 server(s) to try
[2433] fnbamd_auth_handle_radius_result-Timer of rad 'win-radius' is deleted
[1736] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val salesgrp
[343] extract_success_vsas-FORTINET attr, type 6, val radius_user_access
[2459] fnbamd_auth_handle_radius_result-->Result for radius svr 'win-radius' 10.40.9.78(1) is 0
[2383] fnbamd_radius_group_match-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(5)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:2
Related article:
Technical Note: FortiGate admin authentication using radius groups fails in GUI