Solution
There are two ways to configure FortiGate when multiple RADIUS servers are involved:
- Two separate RADIUS server entries, each referenced by its own user group.
- One RADIUS server entry with a primary and a secondary server.
To explain this we will be using the following topology:
- FortiGate: 10.14.2.125
- RADIUS Server 1: 10.14.2.112
- RADIUS Server 2: 10.14.2.135
Scenario 1: FortiGate configuration is as follows:
config user radius
    edit "FAC1"
        set server "10.14.2.112"
        set secret xxx
    next
    edit "FAC2"
        set server "10.14.2.135"
        set secret xxx
    next
end

config user group
    edit "sslpvn1"
        set member "FAC1"
    next
    edit "sslvpn2"
        set member "FAC2"
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslpvn1"
            set portal "full-access"
        next
        edit 2
            set groups "sslvpn2"
            set portal "full-access"
        next
    end
end
In this case, FortiGate sends the authentication request to both RADIUS servers at the same time and places the user in the group of whichever server answers first (here the sslvpn2 group, because FAC2 replies first). If the two groups map to different portals or policies, the access the user receives therefore depends on which server responds faster. The following debug output shows this:
diag deb app fnbamd -1
Debug messages will be on for 30 minutes.
diag deb app sslvpn -1
Debug messages will be on for 30 minutes.
diag deb console timestamp en
diag deb en
.....
2024-07-23 13:07:37 [506:root:d][fam_auth_send_req_internal:426] Groups sent to FNBAM:
2024-07-23 13:07:37 [506:root:d]group_desc[0].grpname = sslpvn1
2024-07-23 13:07:37 [506:root:d]group_desc[1].grpname = sslvpn2
2024-07-23 13:07:37 [506:root:d][fam_auth_send_req_internal:438] FNBAM opt = 0X200421
2024-07-23 13:07:37 [1916] handle_req-Rcvd auth req 818553853 for user1 in opt=00200421 prot=11
2024-07-23 13:07:37 [475] __compose_group_list_from_req-Group 'sslpvn1', type 1
2024-07-23 13:07:37 [475] __compose_group_list_from_req-Group 'sslvpn2', type 1
2024-07-23 13:07:37 [616] fnbamd_pop3_start-user1
2024-07-23 13:07:37 [587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FAC1' for usergroup 'sslpvn1' (2)
2024-07-23 13:07:37 [587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FAC2' for usergroup 'sslvpn2' (3)
2024-07-23 13:07:37 [342] fnbamd_create_radius_socket-Opened radius socket 13
2024-07-23 13:07:37 [342] fnbamd_create_radius_socket-Opened radius socket 14
2024-07-23 13:07:37 [1396] fnbamd_radius_auth_send-Compose RADIUS request
2024-07-23 13:07:37 [1353] fnbamd_rad_dns_cb-10.14.2.112->10.14.2.112
2024-07-23 13:07:37 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=4 len=126 user="user1" using PAP
2024-07-23 13:07:37 [319] radius_server_auth-Timer of rad 'FAC1' is added
2024-07-23 13:07:37 [1396] fnbamd_radius_auth_send-Compose RADIUS request
2024-07-23 13:07:37 [1353] fnbamd_rad_dns_cb-10.14.2.135->10.14.2.135
2024-07-23 13:07:37 [506:root:d]fam_auth_send_req_internal:514 fnbam_auth return: 4
2024-07-23 13:07:37 [506:root:d]fam_auth_send_req:1007 task finished with 4
2024-07-23 13:07:37 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC2': fd=13, IP=10.14.2.135(10.14.2.135:1812) code=1 id=5 len=126 user="user1" using PAP
2024-07-23 13:07:37 [319] radius_server_auth-Timer of rad 'FAC2' is added
2024-07-23 13:07:37 [754] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-07-23 13:07:37 [1034] __fnbamd_cfg_get_ldap_list_by_group-
2024-07-23 13:07:37 [1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
2024-07-23 13:07:37 [491] ldap_start-Didn't find ldap servers
2024-07-23 13:07:37 [642] create_auth_session-Total 2 server(s) to try
2024-07-23 13:07:37 [1360] fnbamd_auth_handle_radius_result-Timer of rad 'FAC2' is deleted
2024-07-23 13:07:37 [1805] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2024-07-23 13:07:37 [1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'FAC2' 10.14.2.135(1) is 0
2024-07-23 13:07:37 [1658] fnbam_user_auth_group_match-req id: 818553853, server: FAC2, local auth: 0, dn match: 0
2024-07-23 13:07:37 [1627] __group_match-Group 'sslvpn2' passed group matching
2024-07-23 13:07:37 [1630] __group_match-Add matched group 'sslvpn2'(3)
2024-07-23 13:07:37 [286] find_matched_usr_grps-Passed group matching
2024-07-23 13:07:37 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 818553853, len=2148
2024-07-23 13:07:37 [506:root:d]fam_auth_proc_resp:1352 fnbam_auth_update_result return: 0 (success)
2024-07-23 13:07:37 [506:root:d][fam_auth_proc_resp:1451] Authenticated groups (1) by FNBAM with auth_type (2):
2024-07-23 13:07:37 [506:root:d]Received: auth_rsp_data.grp_list[0] = 3
2024-07-23 13:07:37 [506:root:d]fam_auth_proc_resp:1476 found node sslvpn2:0:, valid:1, auth:0
2024-07-23 13:07:37 [798] destroy_auth_session-delete session 818553853
2024-07-23 13:07:37 [506:root:d]Validated: auth_rsp_data.grp_list[0] = sslvpn2
2024-07-23 13:07:37 [443] radius_stop-Timer of rad 'FAC1' is deleted
2024-07-23 13:07:37 [506:root:d]Auth successful for user user1 in group sslvpn2
Scenario 2: FortiGate configuration is as follows:
config user radius
    edit "FAC1"
        set server "10.14.2.112"
        set secret xxx
        set secondary-server "10.14.2.135"
        set secondary-secret xxx
    next
end

config user group
    edit "sslpvn1"
        set member "FAC1"
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslpvn1"
            set portal "full-access"
        next
    end
end
In this case, FortiGate first sends the request to the primary server and keeps resending it (every 5 seconds in the output below) until the remote authentication timeout expires (90 seconds in this case); only then does it send the request to the secondary server. The user therefore waits for the full timeout before the secondary server is tried, as the following debug output shows:
2024-07-23 16:29:57 [1916] handle_req-Rcvd auth req 818553854 for user1 in opt=00200421 prot=11
2024-07-23 16:29:57 [475] __compose_group_list_from_req-Group 'sslpvn1', type 1
2024-07-23 16:29:57 [616] fnbamd_pop3_start-user1
2024-07-23 16:29:57 [506:root:11]fam_auth_send_req_internal:514 fnbam_auth return: 4
2024-07-23 16:29:57 [587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FAC1' for usergroup 'sslpvn1' (2)
2024-07-23 16:29:57 [506:root:11]fam_auth_send_req:1007 task finished with 4
2024-07-23 16:29:57 [342] fnbamd_create_radius_socket-Opened radius socket 13
2024-07-23 16:29:57 [342] fnbamd_create_radius_socket-Opened radius socket 14
2024-07-23 16:29:57 [1396] fnbamd_radius_auth_send-Compose RADIUS request
2024-07-23 16:29:57 [1353] fnbamd_rad_dns_cb-10.14.2.112->10.14.2.112
2024-07-23 16:29:57 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:29:57 [319] radius_server_auth-Timer of rad 'FAC1' is added
2024-07-23 16:29:57 [754] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-07-23 16:29:57 [1034] __fnbamd_cfg_get_ldap_list_by_group-
2024-07-23 16:29:57 [1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
2024-07-23 16:29:57 [491] ldap_start-Didn't find ldap servers
2024-07-23 16:29:57 [642] create_auth_session-Total 1 server(s) to try
2024-07-23 16:30:02 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:02 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:02 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:07 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:07 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:07 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:12 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:12 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:12 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:17 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:17 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:17 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:22 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:22 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:22 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:27 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:27 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:27 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:32 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:32 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:32 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:37 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:37 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:37 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:42 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:42 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:42 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:47 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:47 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:47 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:52 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:52 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:52 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:30:57 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:57 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:57 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:02 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:31:02 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:02 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:07 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:31:07 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:07 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:12 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:31:12 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:12 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:17 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:31:17 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:17 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:22 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:31:22 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:22 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:27 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:31:27 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:27 [63] handle_rad_timeout-Timer of rad 'FAC1' is added
2024-07-23 16:31:29 [2822] handle_auth_timeout_with_retry-Retry
2024-07-23 16:31:29 [443] radius_stop-Timer of rad 'FAC1' is deleted
2024-07-23 16:31:29 [1070] fnbamd_auth_retry-svr_type = 2
2024-07-23 16:31:29 [587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FAC1' for usergroup 'sslpvn1' (2)
2024-07-23 16:31:29 [342] fnbamd_create_radius_socket-Opened radius socket 13
2024-07-23 16:31:29 [342] fnbamd_create_radius_socket-Opened radius socket 14
2024-07-23 16:31:29 [1396] fnbamd_radius_auth_send-Compose RADIUS request
2024-07-23 16:31:29 [1353] fnbamd_rad_dns_cb-10.14.2.135->10.14.2.135
2024-07-23 16:31:29 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.135(10.14.2.135:1812) code=1 id=7 len=126 user="user1" using PAP
2024-07-23 16:31:29 [319] radius_server_auth-Timer of rad 'FAC1' is added
2024-07-23 16:31:29 [1360] fnbamd_auth_handle_radius_result-Timer of rad 'FAC1' is deleted
2024-07-23 16:31:29 [1805] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2024-07-23 16:31:29 [1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'FAC1' 10.14.2.135(2) is 0
2024-07-23 16:31:29 [1658] fnbam_user_auth_group_match-req id: 818553854, server: FAC1, local auth: 0, dn match: 0
2024-07-23 16:31:29 [1627] __group_match-Group 'sslpvn1' passed group matching
2024-07-23 16:31:29 [1630] __group_match-Add matched group 'sslpvn1'(2)
2024-07-23 16:31:29 [286] find_matched_usr_grps-Passed group matching
2024-07-23 16:31:29 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 818553854, len=2148
2024-07-23 16:31:29 [506:root:11]fam_auth_proc_resp:1352 fnbam_auth_update_result return: 0 (success)
2024-07-23 16:31:29 [506:root:11][fam_auth_proc_resp:1451] Authenticated groups (1) by FNBAM with auth_type (2):
2024-07-23 16:31:29 [506:root:11]Received: auth_rsp_data.grp_list[0] = 2
2024-07-23 16:31:29 [506:root:11]fam_auth_proc_resp:1476 found node sslpvn1:0:, valid:1, auth:0
2024-07-23 16:31:29 [506:root:11]Validated: auth_rsp_data.grp_list[0] = sslpvn1
2024-07-23 16:31:29 [506:root:11]Auth successful for user user1 in group sslpvn1
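The fnbamd output above is what a practitioner reads when a user lands in an unexpected group or waits a long time at login. The following Python script is an added example, not part of the original article: it reduces fnbamd debug lines in the format shown here to which server and IP were asked how often, how many timeouts each saw, whether failover to the secondary happened, which address finally answered, the matched group and the total elapsed time. The sample lines are constructed to mirror Scenario 2.

```python
import re
from datetime import datetime

# Constructed sample in the fnbamd debug format shown on this page: primary 10.14.2.112
# times out and is resent, then secondary 10.14.2.135 answers Access-Accept (resp code 2).
SAMPLE_LOG = """\
2024-07-23 16:29:57 [1916] handle_req-Rcvd auth req 818553854 for user1 in opt=00200421 prot=11
2024-07-23 16:29:57 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:30:02 [47] handle_rad_timeout-rad 'FAC1' 10.14.2.112 timed out, resend request.
2024-07-23 16:30:02 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.112(10.14.2.112:1812) code=1 id=6 len=126 user="user1" using PAP
2024-07-23 16:31:29 [2822] handle_auth_timeout_with_retry-Retry
2024-07-23 16:31:29 [1325] __fnbamd_rad_send-Sent radius req to server 'FAC1': fd=13, IP=10.14.2.135(10.14.2.135:1812) code=1 id=7 len=126 user="user1" using PAP
2024-07-23 16:31:29 [1805] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
2024-07-23 16:31:29 [1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'FAC1' 10.14.2.135(2) is 0
2024-07-23 16:31:29 [1630] __group_match-Add matched group 'sslpvn1'(2)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
SENT = re.compile(r"Sent radius req to server '(\w+)': .*?IP=([\d.]+)\(")
TIMEOUT = re.compile(r"handle_rad_timeout-rad '(\w+)' ([\d.]+) timed out")
RESULT = re.compile(r"Result for radius svr '(\w+)' ([\d.]+)\(\d+\) is (\d+)")
GROUP = re.compile(r"Add matched group '(\w+)'")


def summarize(log):
    """Reduce one fnbamd auth request to who was asked, who answered, and how long it took."""
    s = {"sends": {}, "timeouts": {}, "answered_by": None, "group": None,
         "failover": False, "elapsed_s": 0}
    first = None
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        first = first or ts
        s["elapsed_s"] = int((ts - first).total_seconds())
        msg = m.group(2)
        if (x := SENT.search(msg)):
            key = f"{x.group(1)}@{x.group(2)}"  # same entry name can cover two IPs (primary/secondary)
            s["sends"][key] = s["sends"].get(key, 0) + 1
        elif (x := TIMEOUT.search(msg)):
            key = f"{x.group(1)}@{x.group(2)}"
            s["timeouts"][key] = s["timeouts"].get(key, 0) + 1
        elif "handle_auth_timeout_with_retry" in msg:
            s["failover"] = True  # fnbamd gave up on the primary and moves to the secondary
        elif (x := RESULT.search(msg)):
            s["answered_by"] = f"{x.group(1)}@{x.group(2)}"  # result 0 is a successful auth
        elif (x := GROUP.search(msg)):
            s["group"] = x.group(1)
    return s
```

On real output, a large `elapsed_s` together with `failover` set points at a primary that is unreachable rather than at a wrong credential.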