Under the 'Global' VDOM, allocate the LAN interface to the new VDOM 'North', which has already been created.
In the 'North' VDOM, the newly allocated interface is now visible.
Next, create the RADIUS remote server and User Group under the 'North' VDOM; these are used to authenticate administrators logging in to FortiGate.
The 'Radius User Group' is bound to FortiAuthenticator and matched on the RADIUS attribute value 'tac'.
In the 'Global' VDOM, create a new remote RADIUS administrator that can access FortiGate only over the new network interface belonging to VDOM 'North'.
Additionally, two-factor authentication is enabled, using a FortiToken code for FortiGate access.
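The same configuration, expressed as FortiOS CLI rather than the GUI steps above. This is an added example and not configuration from the original article; the interface name "lan", the shared secret, the admin username, the FortiToken serial and the "prof_admin" access profile are assumptions or placeholders, while the server name 'FortiAuthenticator', its address 10.0.0.1, the group name 'Radius User Group' and the attribute value 'tac' are taken from the article and its debug output.

```text
# Global scope: move the LAN interface into VDOM 'North'
# (interface name "lan" is assumed)
config global
    config system interface
        edit "lan"
            set vdom "North"
        next
    end
end

# VDOM scope: the RADIUS server and the user group are created in 'North'
# (server name and address as shown in the fnbamd debug output; secret is a placeholder)
config vdom
    edit North
        config user radius
            edit "FortiAuthenticator"
                set server "10.0.0.1"
                set secret <shared-secret>
            next
        end
        # Group membership is decided by the Fortinet group VSA returned by
        # FortiAuthenticator; the value must equal the one configured here ('tac')
        config user group
            edit "Radius User Group"
                set member "FortiAuthenticator"
                config match
                    edit 1
                        set server-name "FortiAuthenticator"
                        set group-name "tac"
                    next
                end
            next
        end
    next
end

# Global scope: remote RADIUS administrator confined to VDOM 'North',
# with FortiToken as the second factor (username, profile and serial are placeholders)
config global
    config system admin
        edit "<admin-username>"
            set remote-auth enable
            set remote-group "Radius User Group"
            set accprofile "prof_admin"
            set vdom "North"
            set two-factor fortitoken
            set fortitoken <FTK-serial>
        next
    end
end
```

The `set vdom "North"` line is what ties the administrator to that VDOM, and therefore to the interface allocated to it; `set remote-group` names the group in that VDOM whose 'tac' match decides whether the RADIUS user is accepted as this administrator. Keep the access profile scoped to what the remote administrator actually needs rather than a super_admin profile.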
Test FortiGate access from a remote workstation on the same subnet as the network interface assigned to the VDOM 'North'.
Radius remote authentication is working.
Troubleshooting:
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug enable
----------------------------------------------------------------------------
2022-04-15 16:49:12 [1918] handle_req-Rcvd auth req 408369957 for matanaskovic in Radius User Group opt=00014001 prot=11
2022-04-15 16:49:12 [466] __compose_group_list_from_req-Group 'Radius User Group', type 1
2022-04-15 16:49:12 [616] fnbamd_pop3_start-matanaskovic
2022-04-15 16:49:12 [342] fnbamd_create_radius_socket-Opened radius socket 12
2022-04-15 16:49:12 [342] fnbamd_create_radius_socket-Opened radius socket 13
2022-04-15 16:49:12 [1394] fnbamd_radius_auth_send-Compose RADIUS request
2022-04-15 16:49:12 [1351] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
2022-04-15 16:49:12 [1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=12, IP=10.0.0.1(10.0.0.1:1812) code=1 id=30 len=126 user="matanaskovic" using PAP
2022-04-15 16:49:12 [319] radius_server_auth-Timer of rad 'FortiAuthenticator' is added
2022-04-15 16:49:12 [755] auth_tac_plus_start-Didn't find tac_plus servers (0)
2022-04-15 16:49:12 [492] ldap_start-Didn't find ldap servers
2022-04-15 16:49:12 [644] create_auth_session-Total 1 server(s) to try
2022-04-15 16:49:12 [1428] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
2022-04-15 16:49:12 [1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
2022-04-15 16:49:12 [1453] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' 10.0.0.1(1) is 2
2022-04-15 16:49:12 [216] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 408369957, len=3172
2022-04-15 16:49:12 [1289] freeze_auth_session-
2022-04-15 16:49:24 [2311] handle_req-Rcvd chal rsp for req 408369957
2022-04-15 16:49:24 [342] fnbamd_create_radius_socket-Opened radius socket 12
2022-04-15 16:49:24 [342] fnbamd_create_radius_socket-Opened radius socket 13
2022-04-15 16:49:24 [1394] fnbamd_radius_auth_send-Compose RADIUS request
2022-04-15 16:49:24 [1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=12, IP=10.0.0.1(10.0.0.1:1812) code=1 id=31 len=129 user="matanaskovic" using PAP
2022-04-15 16:49:24 [1283] send_radius_challenge_rsp-Timer of rad 'FortiAuthenticator' is added
2022-04-15 16:49:24 [1428] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
2022-04-15 16:49:24 [1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2022-04-15 16:49:24 [320] extract_success_vsas-FORTINET attr, type 1, val tac
2022-04-15 16:49:24 [1453] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' 10.0.0.1(1) is 0
2022-04-15 16:49:24 [1660] fnbam_user_auth_group_match-req id: 408369957, server: FortiAuthenticator, local auth: 0, dn match: 0
2022-04-15 16:49:24 [277] find_matched_usr_grps-Passed group matching
2022-04-15 16:49:24 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 408369957, len=2153
2022-04-15 16:49:24 [800] destroy_auth_session-delete session 408369957
Reading the output: the first Access-Request (code=1, id=30) is answered with RADIUS response code 11, an Access-Challenge, which is FortiAuthenticator asking for the FortiToken code; fnbamd reports result 2 and freezes the session until the challenge response arrives twelve seconds later. The second request (id=31) carries the token code and is answered with response code 2, an Access-Accept, together with the Fortinet vendor attribute (type 1, value 'tac'). That value is compared with the attribute configured on 'Radius User Group', hence 'Passed group matching' and the final result 0 (success). If the timer expires with no response, or the server answers with code 3 (Access-Reject), check the shared secret, the attribute value FortiAuthenticator returns for the user, and that 10.0.0.1 is reachable from the 'North' VDOM. Disable debugging once troubleshooting is complete.
Related article:
https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/719410/create-per-vdom-admin...