wdeloraine_FTNT
Article Id 220565
Description This article explains the behaviour of RADIUS requests when FortiGate-6000 and FortiGate-7000 use an HA reserved interface for administrator authentication.
Scope FortiGate-6000 and FortiGate-7000 running version 6.2.4 and higher.
Solution

FortiGate-7000 diagram (image kb_20736_1.png, not reproduced here).

Using an HA reserved interface together with RADIUS authentication on FortiGate-6000 and FortiGate-7000.

The HA reserved interface allows administrators to connect to each member of a cluster individually.

In this kind of setup, the SLBC management interface ('slbc-mgmt-intf', defined under config load-balance setting) is used as the source IP to reach the RADIUS server.
The 'mgmt-vdom' must have an IP route to the RADIUS server.

The IP address of the 'slbc-mgmt-intf' should be the only client IP known to the RADIUS server.

The master chassis contacts the RADIUS server directly.
The slave chassis sends its RADIUS traffic to the master chassis over the internal base network, using the HA link.

Configuration example for FortiGate-7000:

In VDOM 'mgmt-vdom':

# config user radius
    edit "freeradius"
        set server "10.2.2.2"
        set secret ENC secret
    next
end
# config user group
    edit "radius"
        set member "freeradius"
    next
end
In 'global':

# config system admin
    edit "*"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "mgmt-vdom"
        set wildcard enable
        set remote-group "radius"
    next
end
# config system interface
    edit "mgmt"
        set vdom "mgmt-vdom"
        set ip 10.0.0.100 255.255.255.0
    next
end
# config load-balance setting
    set slbc-mgmt-intf "mgmt"
end

Chassis 1:

# config system interface
    edit "mgmt.3"
        set ip 10.1.1.101 255.255.255.0
        set allowaccess ping https ssh snmp http
        set interface "mgmt"
        set vlanid 3
    next
end

# config system ha
    set group-id 12
    set group-name "fortinet"
    set mode a-p
    set password ENC encryptedpassword
    set hbdev "1-M1" 50 "2-M1" 50
    set hbdev-vlan-id 2121
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt.3"
            set gateway 10.1.1.1
        next
    end
    set override disable
    set priority 200
end
Chassis 2:

# config system ha
    set group-id 12
    set group-name "fortinet"
    set mode a-p
    set password ENC encryptedpassword
    set hbdev "1-M1" 50 "2-M1" 50
    set chassis-id 2
    set hbdev-vlan-id 2121
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt.3"
            set gateway 10.1.1.1
        next
    end
    set override disable
    set priority 100
end

# config system interface
    edit "mgmt.3"
        set ip 10.1.1.102 255.255.255.0
        set allowaccess ping https ssh snmp http
        set role lan
        set snmp-index 145
        set interface "mgmt"
        set vlanid 3
    next
end
For FortiGate-6000, the configuration is the same, except that instead of a VLAN interface on the MGMT interface, MGMT1, MGMT2 or MGMT3 must be used as the HA reserved interface.

Packet flow during the RADIUS exchange for an admin authentication:

chassis-1 [FIM01] (mgmt-vdom) # diagnose sniffer packet any 'port 1812' 4 0 l

interfaces=[any]
filters=[port 1812]
RADIUS login on the MASTER chassis.

The packet is sourced directly from the SLBC management interface (mgmt):
 
[FIM01] 2021-09-24 15:44:46.793888 mgmt out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:44:46.793891 1-mgmt1 out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:44:46.793893 eth0 out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:44:46.795105 1-mgmt1 in 10.2.2.2.1812 -> 10.0.0.100.2555: udp 71
[FIM01] 2021-09-24 15:44:46.795106 mgmt in 10.2.2.2.1812 -> 10.0.0.100.2555: udp 71
RADIUS login on the SLAVE chassis.
 
[FIM01] 2021-09-24 15:43:49.921728 havdlink1 in 10.101.10.101.20085 -> 10.2.2.2.1812: udp 114
Source NAT applied by the master:

[FIM01] 2021-09-24 15:43:49.921739 mgmt out 10.0.0.100.20085 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:43:49.921740 1-mgmt1 out 10.0.0.100.20085 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:43:49.921742 eth0 out 10.0.0.100.20085 -> 10.2.2.2.1812: udp 114

[FIM01] 2021-09-24 15:43:49.923642 1-mgmt1 in 10.2.2.2.1812 -> 10.0.0.100.20085: udp 71
[FIM01] 2021-09-24 15:43:49.923643 mgmt in 10.2.2.2.1812 -> 10.0.0.100.20085: udp 71
[FIM01] 2021-09-24 15:43:49.923651 havdlink1 out 10.2.2.2.1812 -> 10.101.10.101.20085: udp 71
[FIM01] 2021-09-24 15:43:49.923660 eth0 out 10.2.2.2.1812 -> 10.101.10.101.20085: udp 71

Packets from the slave unit are sourced from the elbc-base-mgmt interface of FIM1 (internal chassis network).

They then reach the master device via the HA interface (havdlink1).
The master unit source NATs the traffic to the SLBC management interface address in order to reach the RADIUS server.

The reply from the RADIUS server follows the same path in reverse.
chassis-2 [FIM01] (root) # diagnose ip address list | grep "SN\|10.101.10.101"
Current slot: 1  Module SN: FIM20E3E17000207
IP=10.101.10.101->10.101.10.101/255.255.255.0 index=83 devname=elbc-base-mgmt
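To verify the behaviour described above on a capture, the following added script (not part of the original article, and not Fortinet code) parses 'diagnose sniffer packet' lines, confirms that every RADIUS request leaving the mgmt interface carries the slbc-mgmt-intf address (the only client the RADIUS server knows), and correlates slave requests arriving on havdlink1 with their source-NATed copies by source port. The sample capture is constructed from the lines shown above; interface names, the server address 10.2.2.2 and the SLBC address 10.0.0.100 are taken from this article's example.

```python
import re

# Constructed sample in the format of FortiOS 'diagnose sniffer packet ... 4 0 l' output,
# condensed from the master-chassis captures above (not a real capture).
SNIFFER_OUTPUT = """\
[FIM01] 2021-09-24 15:44:46.793888 mgmt out 10.0.0.100.2555 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:44:46.795106 mgmt in 10.2.2.2.1812 -> 10.0.0.100.2555: udp 71
[FIM01] 2021-09-24 15:43:49.921728 havdlink1 in 10.101.10.101.20085 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:43:49.921739 mgmt out 10.0.0.100.20085 -> 10.2.2.2.1812: udp 114
[FIM01] 2021-09-24 15:43:49.923643 mgmt in 10.2.2.2.1812 -> 10.0.0.100.20085: udp 71
[FIM01] 2021-09-24 15:43:49.923651 havdlink1 out 10.2.2.2.1812 -> 10.101.10.101.20085: udp 71
"""

LINE_RE = re.compile(
    r"^\[(?P<slot>[^\]]+)\] \S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

def parse_sniffer(text):
    """Parse sniffer lines into dicts; non-matching lines (headers, prose) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets

def audit_radius_sources(packets, radius_server, slbc_mgmt_ip, egress="mgmt", ha_link="havdlink1"):
    """Report which source IPs the RADIUS server sees.
    unexpected: requests leaving `egress` for the server with a source other than slbc_mgmt_ip
                (the server would drop them as an unknown client).
    snat_map:   {source port: (source seen on the HA link, source on egress)} for slave requests
                re-sourced by the master; the NAT keeps the source port, so it is the join key.
    """
    to_server = [p for p in packets if p["dst"] == radius_server and p["dport"] == 1812]
    unexpected = [p for p in to_server if p["iface"] == egress and p["src"] != slbc_mgmt_ip]
    from_ha = {p["sport"]: p["src"] for p in to_server if p["iface"] == ha_link and p["dir"] == "in"}
    snat_map = {p["sport"]: (from_ha[p["sport"]], p["src"]) for p in to_server
                if p["iface"] == egress and p["dir"] == "out" and p["sport"] in from_ha}
    return unexpected, snat_map

if __name__ == "__main__":
    bad, snat = audit_radius_sources(parse_sniffer(SNIFFER_OUTPUT), "10.2.2.2", "10.0.0.100")
    print("unexpected sources:", [(p["src"], p["sport"]) for p in bad])
    print("slave requests re-sourced by master:", snat)
```

Run it against the output of the sniffer command shown above on the master chassis; any entry in the unexpected list is a request the RADIUS server will silently discard because its source is not a configured client.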