matanaskovic (Staff)
Description

This article describes how a per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM the administrator is assigned to.

Scope

FortiGate v7.2.x

Solution

Under the 'Global' VDOM, allocate the LAN interface to the new VDOM 'North', which has already been created.

[Screenshot: matanaskovic_0-1651006319708.png]

In the 'North' VDOM, it is possible to see that the interface is now allocated to that specific VDOM.

[Screenshot: matanaskovic_1-1651006360602.png]

Then it is necessary to create a RADIUS remote server and a user group under the 'North' VDOM, which will be used for user authentication when logging in to the FortiGate.

[Screenshot: matanaskovic_2-1651006422436.png]

RADIUS user group that is bound to FortiAuthenticator, using the RADIUS attribute value 'tac'.

[Screenshot: matanaskovic_3-1651006439923.png]

In the 'Global' VDOM, create a new remote RADIUS administrator that will have access to the FortiGate only over the new network interface which belongs to VDOM 'North'.

[Screenshot: matanaskovic_4-1651006609752.png]

Additionally, two-factor authentication is enabled, using a FortiToken code for FortiGate access.

[Screenshot: matanaskovic_5-1651006647699.png]

Test FortiGate access from a remote workstation that is on the same subnet as the network interface assigned to the VDOM 'North'.

[Screenshot: matanaskovic_6-1651006703261.png]

RADIUS remote authentication is working.

[Screenshot: matanaskovic_7-1651006771782.png]
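The same procedure expressed as FortiOS CLI commands, added here as an illustrative example; it is not part of the original article, which shows each step as a GUI screenshot. The VDOM 'North', the RADIUS server 'FortiAuthenticator' at 10.0.0.1, the group 'Radius User Group', the attribute value 'tac' and the admin name come from the article; the interface name 'port2', the 'allowaccess' services, the shared secret and the FortiToken serial are assumptions or placeholders.

```fortios
# Added example, not from the original article. Assumed: interface "port2",
# shared secret and FortiToken serial are placeholders; "allowaccess" is an
# assumption that limits management on this interface to HTTPS and SSH.

# 1. Global VDOM: allocate the LAN interface to the existing VDOM 'North'.
config global
    config system interface
        edit "port2"
            set vdom "North"
            set allowaccess https ssh
        next
    end
end

# 2. Inside VDOM 'North': RADIUS server and the user group that matches on the
#    Fortinet-Group-Name attribute value 'tac' returned by FortiAuthenticator.
config vdom
    edit North
        config user radius
            edit "FortiAuthenticator"
                set server "10.0.0.1"
                set secret <RADIUS-SHARED-SECRET>
            next
        end
        config user group
            edit "Radius User Group"
                set member "FortiAuthenticator"
                config match
                    edit 1
                        set server-name "FortiAuthenticator"
                        set group-name "tac"
                    next
                end
            next
        end
    next
end

# 3. Global VDOM: remote RADIUS administrator restricted to VDOM 'North',
#    with FortiToken two-factor authentication.
config global
    config system admin
        edit "matanaskovic"
            set remote-auth enable
            set accprofile "prof_admin"
            set vdom "North"
            set remote-group "Radius User Group"
            set two-factor fortitoken
            set fortitoken <FORTITOKEN-SERIAL>
        next
    end
end
```

Because the administrator is scoped to VDOM 'North' and only 'port2' belongs to that VDOM, login attempts arriving on interfaces of other VDOMs are rejected regardless of the RADIUS result; 'allowaccess' further limits which management services the interface answers at all. To confirm the RADIUS binding before testing the GUI login, enter the VDOM context (config vdom, edit North) and run 'diagnose test authserver radius FortiAuthenticator pap matanaskovic <password>', then watch the fnbamd debug output shown in the Troubleshooting section for the 'val tac' attribute and 'Passed group matching' lines.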

Troubleshooting:


# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug enable

----------------------------------------------------------------------------

2022-04-15 16:49:12 [1918] handle_req-Rcvd auth req 408369957 for matanaskovic in Radius User Group opt=00014001 prot=11
2022-04-15 16:49:12 [466] __compose_group_list_from_req-Group 'Radius User Group', type 1
2022-04-15 16:49:12 [616] fnbamd_pop3_start-matanaskovic
2022-04-15 16:49:12 [342] fnbamd_create_radius_socket-Opened radius socket 12
2022-04-15 16:49:12 [342] fnbamd_create_radius_socket-Opened radius socket 13
2022-04-15 16:49:12 [1394] fnbamd_radius_auth_send-Compose RADIUS request
2022-04-15 16:49:12 [1351] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
2022-04-15 16:49:12 [1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=12, IP=10.0.0.1(10.0.0.1:1812) code=1 id=30 len=126 user="matanaskovic" using PAP
2022-04-15 16:49:12 [319] radius_server_auth-Timer of rad 'FortiAuthenticator' is added
2022-04-15 16:49:12 [755] auth_tac_plus_start-Didn't find tac_plus servers (0)
2022-04-15 16:49:12 [492] ldap_start-Didn't find ldap servers
2022-04-15 16:49:12 [644] create_auth_session-Total 1 server(s) to try
2022-04-15 16:49:12 [1428] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
2022-04-15 16:49:12 [1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
2022-04-15 16:49:12 [1453] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' 10.0.0.1(1) is 2
2022-04-15 16:49:12 [216] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 408369957, len=3172
2022-04-15 16:49:12 [1289] freeze_auth_session-
2022-04-15 16:49:24 [2311] handle_req-Rcvd chal rsp for req 408369957
2022-04-15 16:49:24 [342] fnbamd_create_radius_socket-Opened radius socket 12
2022-04-15 16:49:24 [342] fnbamd_create_radius_socket-Opened radius socket 13
2022-04-15 16:49:24 [1394] fnbamd_radius_auth_send-Compose RADIUS request
2022-04-15 16:49:24 [1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=12, IP=10.0.0.1(10.0.0.1:1812) code=1 id=31 len=129 user="matanaskovic" using PAP
2022-04-15 16:49:24 [1283] send_radius_challenge_rsp-Timer of rad 'FortiAuthenticator' is added
2022-04-15 16:49:24 [1428] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
2022-04-15 16:49:24 [1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2022-04-15 16:49:24 [320] extract_success_vsas-FORTINET attr, type 1, val tac
2022-04-15 16:49:24 [1453] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' 10.0.0.1(1) is 0
2022-04-15 16:49:24 [1660] fnbam_user_auth_group_match-req id: 408369957, server: FortiAuthenticator, local auth: 0, dn match: 0
2022-04-15 16:49:24 [277] find_matched_usr_grps-Passed group matching
2022-04-15 16:49:24 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 408369957, len=2153
2022-04-15 16:49:24 [800] destroy_auth_session-delete session 408369957


Related article:

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/719410/create-per-vdom-admin...
