Description | This article describes the behaviour of RADIUS requests when a FortiGate-6000 or FortiGate-7000 uses an HA reserved interface for administrator authentication. |
Scope | For FortiGate-6000 and FortiGate-7000 with version 6.2.4 and higher. |
Solution |
FortiGate-7000 diagram.
Using an HA reserved interface together with RADIUS authentication on FortiGate-6000 and FortiGate-7000.
HA reserved interfaces allow administrators to connect to each member of a cluster individually.
In this kind of setup, the SLBC management interface ('slbc-mgmt-intf', defined under 'config load-balance setting') is used as the source IP address for reaching the RADIUS server. The 'mgmt-vdom' must have an IP route to the RADIUS server.
The IP address of the 'slbc-mgmt-intf' should be the only client IP known to the RADIUS server. The master chassis contacts the RADIUS server directly. A slave chassis sends its RADIUS traffic to the master chassis over the internal base network using the HA link, which is why only that one address needs to be defined as a RADIUS client (NAS) on the server.
Configuration example for FortiGate-7000:
'mgmt-vdom'
# config user radius
'global'
# config system admin
chassis 1
# config system interface
chassis 2
# config system ha
For FortiGate-6000, the configuration is the same, except that instead of a VLAN interface on the MGMT interface, MGMT1, MGMT2 or MGMT3 must be used as the HA reserved interface.
Packet flow during the RADIUS challenge for an admin authentication:
chassis-1 [FIM01] (mgmt-vdom) # diagnose sniffer packet any 'port 1812' 4 0 l
RADIUS login on MASTER. The packet is sourced directly from the SLBC interface MGMT.
[FIM01] 2021-09-24 15:44:46.793888 mgmt out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:44:46.795105 1-mgmt1 in 10.2.2.2.1812 -> 10.0.0.100.2555: udp 71
RADIUS login on SLAVE.
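The check a practitioner wants after this setup is that every RADIUS request leaving the cluster is sourced from the 'slbc-mgmt-intf' address and nothing else, since that is the only client the RADIUS server will accept. The following is an added example, not part of the original article or of FortiOS: it parses the summary lines of 'diagnose sniffer packet ... 4 0 l' output and flags any outbound RADIUS request whose source IP is not the expected NAS address. The first two capture lines are the ones shown above; the remaining lines, the chassis label 'FIM02' and the address 10.0.0.102 are constructed to illustrate a request that bypassed the SLBC interface.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Summary-line format of FortiOS 'diagnose sniffer packet <intf> '<filter>' 4 0 l':
#   [FIM01] 2021-09-24 15:44:46.793888 mgmt out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
# Hex-dump lines (verbose level 4 has none) or anything else are skipped.
SNIFFER_LINE = re.compile(
    r"^\[(?P<module>[^\]]+)\]\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)$"
)

RADIUS_AUTH_PORT = 1812

# Constructed sample capture. Lines 1-2 are the master-chassis exchange from the
# article; lines 3-5 are made up: another login via the SLBC address, then a
# request sourced from 10.0.0.102 (hypothetical chassis FIM02 reaching the
# RADIUS server with its own address, which the server would reject).
SAMPLE_CAPTURE = """\
[FIM01] 2021-09-24 15:44:46.793888 mgmt out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:44:46.795105 1-mgmt1 in 10.2.2.2.1812 -> 10.0.0.100.2555: udp 71
[FIM01] 2021-09-24 15:45:10.100245 mgmt out 10.0.0.100.2556 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:45:10.101502 1-mgmt1 in 10.2.2.2.1812 -> 10.0.0.100.2556: udp 71
[FIM02] 2021-09-24 15:46:02.431100 mgmt out 10.0.0.102.4021 -> 10.2.2.2.1812: udp 114
"""


@dataclass
class Packet:
    module: str      # chassis/module tag, e.g. FIM01
    ts: str          # local timestamp ('l' option)
    intf: str        # interface the packet was seen on
    direction: str   # 'in' or 'out'
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def parse_sniffer(text: str) -> List[Packet]:
    """Parse sniffer summary lines into Packet records, ignoring other lines."""
    pkts: List[Packet] = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        pkts.append(Packet(
            module=m["module"], ts=m["ts"], intf=m["intf"], direction=m["dir"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            proto=m["proto"], length=int(m["length"]),
        ))
    return pkts


def radius_requests(pkts: List[Packet], port: int = RADIUS_AUTH_PORT) -> List[Packet]:
    """Outbound UDP packets to the RADIUS authentication port (Access-Requests)."""
    return [p for p in pkts if p.direction == "out" and p.proto == "udp" and p.dport == port]


def radius_nas_sources(pkts: List[Packet], port: int = RADIUS_AUTH_PORT) -> Set[str]:
    """Distinct source IPs the RADIUS server sees as NAS clients."""
    return {p.src for p in radius_requests(pkts, port)}


def check_single_nas_ip(pkts: List[Packet], expected_nas_ip: str,
                        port: int = RADIUS_AUTH_PORT) -> List[Packet]:
    """Return every RADIUS request NOT sourced from the slbc-mgmt-intf address.

    An empty list means both chassis reach the server from the one client IP
    the server knows; anything returned is a request the server will drop.
    """
    return [p for p in radius_requests(pkts, port) if p.src != expected_nas_ip]


if __name__ == "__main__":
    packets = parse_sniffer(SAMPLE_CAPTURE)
    print("NAS source IPs seen:", sorted(radius_nas_sources(packets)))
    for bad in check_single_nas_ip(packets, "10.0.0.100"):
        print(f"unexpected RADIUS source {bad.src} on {bad.module}/{bad.intf} at {bad.ts}")
```

Paste the real sniffer output in place of SAMPLE_CAPTURE and pass the configured 'slbc-mgmt-intf' address to check_single_nas_ip; a non-empty result means a chassis is reaching the RADIUS server outside the SLBC path (typically a missing route in 'mgmt-vdom' or a RADIUS server object bound to the wrong interface), which the server will reject as an unknown client.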
|
Copyright 2023 Fortinet, Inc. All Rights Reserved.