smaruvala
Staff
Article Id 367502
Description

This article explains the authentication failure that occurs when an admin logs in to the FortiGate with a name that matches both a regular admin and a wildcard admin.
Scope

FortiGate v7.4.4 and above.

Solution

In FortiGate, a wildcard admin can be configured so that multiple remote accounts match one local admin account. Below is a sample configuration of a wildcard admin that is authenticated by a remote TACACS+ server:

config user tacacs+
    edit "tac1"
        set server "10.10.2.40"
        set authen-type ascii
    next
end

config user group
    edit "tac-group"
        set member "tac1"
    next
end

config system admin
    edit "fauth-group"
        set remote-auth enable
        set accprofile "Read Only"
        set vdom "root"
        set wildcard enable
        set remote-group "tac-group"
    next
end

 

The same FortiGate also has a regular admin that is authenticated by a remote RADIUS server. Below is a sample configuration for it:

config user radius
    edit "Fauth"
        set server "10.10.2.40"
        set secret ENC
        set auth-type pap
    next
end

config system admin
    edit "sample_user"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set remote-group "Fauth"
    next
end

 

If a user logs in as 'sample_user', the username matches both the wildcard admin and the specific (regular) admin account. From v7.4.4 onwards, FortiGate sends the authentication request for both the wildcard and the regular admin when the username matches both types. If the server that authenticates the wildcard admin returns an authentication reject/failure message, the authentication session is closed and the login fails.

Below is an example debug output of the fnbamd process on the FortiGate. The debug output shows that FortiGate sends an authentication request to the server associated with the wildcard admin and to the server associated with the regular admin.

When the server associated with the wildcard admin returns a failure, FortiGate closes the authentication session, which causes the authentication through the regular admin account to fail as well:

 

2024-10-30 12:06:56 [333] __compose_group_list_from_req-Group 'Fauth', type 1
2024-10-30 12:06:56 [508] create_auth_session-Session created for req id 9891329933313  <----- FortiGate starts the authentication session to authenticate the user.

 

2024-10-30 12:06:56 [413] __add_admin_tac_plus_svr-Loaded TAC+ server 'tac1' for admin user 'fauth-group'
2024-10-30 12:06:56 [606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 1
2024-10-30 12:06:56 [689] fnbamd_cfg_tac_plus_clear_reachability-Clearing tac server reachability tac1:10.60.18.84
2024-10-30 12:06:56 [624] fnbamd_tac_plus_get_auth_server-
2024-10-30 12:06:56 [94] fnbamd_tac_plus_get_next_authen_type-Next authen type ascii
2024-10-30 12:06:56 [894] __auth_ctx_svr_push-Added addr 10.60.18.84:49 from TAC+ 'tac1'  <-----FortiGate sends the authentication request messages to Server associated with the Wildcard user.


2024-10-30 12:06:56 [713] __fnbamd_tac_plus_get_next_addr-Next available address of TAC+ 'tac1': 10.60.18.84:49.
2024-10-30 12:06:56 [912] __auth_ctx_start-Connection starts tac1:10.60.18.84, addr 10.60.18.84:49 proto: TCP
2024-10-30 12:06:56 [300] __tac_plus_tcps_open-vfid 0, addr 10.60.18.84, src_ip , use_ha_relay 0
2024-10-30 12:06:56 [1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.60.18.84:49, source address is null, protocol number is 6, oif id is 0
2024-10-30 12:06:56 [338] __tac_plus_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
2024-10-30 12:06:56 [373] __tac_plus_tcps_open-Still connecting 10.60.18.84.
2024-10-30 12:06:56 [391] __tac_plus_tcps_open-Start TAC+ conn timer.
2024-10-30 12:06:56 [728] __tac_plus_start_conn-Socket 11 is created for TAC+ 'tac1'.
2024-10-30 12:06:56 [598] __tac_plus_add_job_timer-

2024-10-30 12:06:56 [456] fnbamd_rad_get-vfid=0, name='Radius_FAC'
2024-10-30 12:06:56 [805] __rad_auth_ctx_insert-Loaded RADIUS server 'Radius_FAC'
2024-10-30 12:06:56 [663] __add_admin_rad_svr-Loaded RADIUS server 'Radius_FAC' for admin user 'sample_user' <----- FortiGate tries to authenticate the user using the Regular user account.


2024-10-30 12:06:56 [818] __rad_auth_ctx_insert_all_usergroup-
2024-10-30 12:06:56 [918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
2024-10-30 12:06:56 [1025] fnbamd_cfg_radius_clear_reachability-Clearing RAD server reachability Radius_FAC:10.60.18.84
2024-10-30 12:06:56 [936] fnbamd_rad_get_auth_server-
2024-10-30 12:06:56 [1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
2024-10-30 12:06:56 [295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
2024-10-30 12:06:56 [1107] __auth_ctx_svr_push-Added addr 10.60.18.84:1812 from rad 'Radius_FAC'
2024-10-30 12:06:56 [930] __fnbamd_rad_get_next_addr-Next available address of rad 'Radius_FAC': 10.60.18.84:1812.
2024-10-30 12:06:56 [1125] __auth_ctx_start-Connection starts Radius_FAC:10.60.18.84, addr 10.60.18.84:1812 proto: UDP
2024-10-30 12:06:56 [280] __rad_udp_open-Opened radius socket 12, sa_family 2
2024-10-30 12:06:56 [945] __rad_conn_start-Socket 12 is created for rad 'Radius_FAC'.

 

2024-10-30 12:06:57 [581] __group_match-Check if tac1 is a group member
2024-10-30 12:06:57 [209] find_matched_usr_grps-Failed group matching
2024-10-30 12:06:57 [239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 9891329933313, len=2592
2024-10-30 12:06:57 [258] fnbamd_comm_send_result-Failed send reply (-1, errno 111)
2024-10-30 12:06:57 [600] destroy_auth_session-delete session 9891329933313  <----- As FortiGate receives an authentication failure message it deletes the Authentication session.
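
As an added example (not part of the Fortinet article), a small Python detector that groups fnbamd debug lines by request id and flags a session in which one login consulted more than one admin account and then ended with a failure result before the session was destroyed. The sample lines are taken from the debug output above with the arrow annotations removed; treating result code 0 as success is an assumption.

```python
import re

# Constructed sample input: lines drawn from the fnbamd debug output shown
# above, with the article's "<-----" annotations removed.
SAMPLE_LOG = """\
2024-10-30 12:06:56 [508] create_auth_session-Session created for req id 9891329933313
2024-10-30 12:06:56 [413] __add_admin_tac_plus_svr-Loaded TAC+ server 'tac1' for admin user 'fauth-group'
2024-10-30 12:06:56 [663] __add_admin_rad_svr-Loaded RADIUS server 'Radius_FAC' for admin user 'sample_user'
2024-10-30 12:06:57 [209] find_matched_usr_grps-Failed group matching
2024-10-30 12:06:57 [239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 9891329933313, len=2592
2024-10-30 12:06:57 [600] destroy_auth_session-delete session 9891329933313
"""

SESSION_RE = re.compile(r"create_auth_session-Session created for req id (\d+)")
ADMIN_RE = re.compile(r"__add_admin_(tac_plus|rad)_svr-Loaded (?:TAC\+|RADIUS) server "
                      r"'([^']+)' for admin user '([^']+)'")
RESULT_RE = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) \(nid \d+\) for req (\d+)")
DESTROY_RE = re.compile(r"destroy_auth_session-delete session (\d+)")


def analyse(log_text):
    """Group fnbamd lines by req id: admin accounts consulted, result code, destroyed flag."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        if m := SESSION_RE.search(line):
            current = m.group(1)
            sessions[current] = {"admins": [], "result": None, "destroyed": False}
        elif (m := ADMIN_RE.search(line)) and current:
            # (admin user, server name, protocol) loaded for the session being built
            sessions[current]["admins"].append((m.group(3), m.group(2), m.group(1)))
        elif (m := RESULT_RE.search(line)) and m.group(2) in sessions:
            sessions[m.group(2)]["result"] = int(m.group(1))
        elif (m := DESTROY_RE.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["destroyed"] = True
    return sessions


def flag_multi_admin_failures(sessions):
    """Req ids where several admin accounts were consulted and the session ended with a
    non-zero result (the article's failing session reports 1; assumption: 0 is success)."""
    return [rid for rid, s in sessions.items()
            if len(s["admins"]) > 1 and s["result"] not in (None, 0) and s["destroyed"]]


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for rid in flag_multi_admin_failures(found):
        admins = ", ".join(f"{a} via {srv} ({proto})" for a, srv, proto in found[rid]["admins"])
        print(f"req {rid}: username matched several admin accounts [{admins}]; "
              f"result {found[rid]['result']}, session destroyed")
```

Run it against the output of 'diagnose debug application fnbamd -1' captured during a failing login; a flagged request id points at the wildcard/regular admin overlap described above.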

 

  • The issue will be fixed as part of issue ID 1093542.
  • The workaround is to delete the wildcard admin if it is not used, or to ensure that the server which authenticates the wildcard admin does not send an authentication failure/reject response.

 
