Created on 08-25-2010 05:04 AM Edited on 10-19-2023 10:00 PM By Anthony_E
Description
This article explains how to set up a FortiGate so that administrator logins are authenticated by a RADIUS server, with a fallback to a local backup password on the admin account when the RADIUS server does not respond.
Scope
FortiGate.
Solution
Note:
This setup requires a local admin account to be created on the FortiGate; the RADIUS user is mapped onto that account through the remote group.
The local backup password is a second, static credential for the same account with the same access profile, usable whenever the RADIUS server does not respond. Treat it as a break-glass secret: store it outside the normal login path, rotate it, and do not reuse it for other accounts.
If local accounts should not be used at all (only accounts that exist on the RADIUS server), consult the KB article listed under 'Related Articles'.
RADIUS server configuration:
config user radius
edit "FACVM"
set server "172.16.190.100"
set secret SUPERSECRETPASSWORD
set auth-type ms_chap_v2
next
end
User group configuration with the RADIUS server as member. The 'config match' entry maps the group name returned by the RADIUS server (the Fortinet group attribute seen in the debug output below) to this FortiGate user group:
config user group
edit "radiusgroup"
set member "FACVM"
config match
edit 1
set server-name "FACVM"
set group-name "radiusgroup"
next
end
next
end
Local admin account configuration with remote authentication enabled, the RADIUS user group as remote group, and the local backup password:
config system admin
edit "radiusadmin"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set remote-group "radiusgroup"
set password fortinetlocal
next
end
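The three objects above only work together if the admin's remote-group names an existing user group, that group's member is the RADIUS server, the group match refers to that same server, and a local password is present for the fallback. The following Python script is an added example (not part of the article or of FortiOS) that parses a FortiOS CLI excerpt into nested dictionaries and checks exactly that wiring. It assumes the 'config / edit / set / next / end' subset of the syntax used in this article and takes the article's configuration, copied verbatim, as its sample input.

```python
import shlex

# Configuration from this article (copied verbatim), used as the sample input.
ARTICLE_CONFIG = """
config user radius
    edit "FACVM"
        set server "172.16.190.100"
        set secret SUPERSECRETPASSWORD
        set auth-type ms_chap_v2
    next
end
config user group
    edit "radiusgroup"
        set member "FACVM"
        config match
            edit 1
                set server-name "FACVM"
                set group-name "radiusgroup"
            next
        end
    next
end
config system admin
    edit "radiusadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "radiusgroup"
        set password fortinetlocal
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' blocks into nested dicts.

    Tables are keyed as 'config <path>', entries by their edit name, and each
    'set' keyword maps to the list of values that followed it. Only the subset
    of the syntax used in this article is handled (assumption: no 'unset',
    'append' or multi-line values).
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours the double quotes FortiOS uses
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault("config " + " ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_remote_admin_fallback(cfg, admin_name):
    """Return the list of problems found for one remote-authenticated admin.

    An empty list means the admin, its remote-group, the group's RADIUS member
    and the group match are wired together as the article describes and a
    local backup password is present.
    """
    findings = []
    admin = cfg.get("config system admin", {}).get(admin_name)
    if admin is None:
        return [f"admin '{admin_name}' not found"]
    if admin.get("remote-auth") != ["enable"]:
        findings.append("remote-auth is not enabled; the account is local-only")
    if not admin.get("password"):
        findings.append("no local password set: no fallback when the RADIUS server does not respond")
    groups = admin.get("remote-group", [])
    if not groups:
        findings.append("remote-group is not set; RADIUS users cannot match this account")
    radius_servers = cfg.get("config user radius", {})
    for name in groups:
        grp = cfg.get("config user group", {}).get(name)
        if grp is None:
            findings.append(f"remote-group '{name}' does not exist")
            continue
        members = grp.get("member", [])
        if not members:
            findings.append(f"user group '{name}' has no members")
        for member in members:
            if member not in radius_servers:
                findings.append(f"user group '{name}' member '{member}' is not a RADIUS server")
        for entry_id, match in grp.get("config match", {}).items():
            server = match.get("server-name", [""])[0]
            if server not in members:
                findings.append(f"group '{name}' match {entry_id} names server '{server}', which is not a member")
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(ARTICLE_CONFIG)
    print(check_remote_admin_fallback(cfg, "radiusadmin") or "wiring OK")
```

Run it against a 'show' excerpt of a real unit to confirm the chain admin -> remote-group -> member -> match before testing the fallback; the check deliberately says nothing about 'accprofile', so review that separately (the article uses 'super_admin', which is the broadest profile available).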
Verification:
Successful authentication while the RADIUS server is reachable. Enable the fnbamd debug first:
diagnose debug application fnbamd -1
diagnose debug enable
# [2274] handle_req-Rcvd auth req 457812065 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[614] fnbamd_pop3_start-radiususer1
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.100->172.16.190.100
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=128 len=164 user="radiususer1" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'FACVM' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[557] create_auth_session-Total 1 server(s) to try
[2406] fnbamd_auth_handle_radius_result-Timer of rad 'FACVM' is deleted
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup
[2432] fnbamd_auth_handle_radius_result <-----Result for radius svr 'FACVM' 172.16.190.100(1) is 0 >>> 0=Authentication successful, 1=Authentication failed
[2356] fnbamd_radius_group_match-Passed group matching
[1031] find_matched_usr_grps-Group 'radiusgroup' passed group matching
[1032] find_matched_usr_grps-Add matched group 'radiusgroup'(10)
Authentication attempt while the RADIUS server does not respond. The request is sent, times out, is resent once, and the attempt fails:
diagnose debug application fnbamd -1
diagnose debug enable
# [2274] handle_req-Rcvd auth req 457812067 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[614] fnbamd_pop3_start-radiususer1
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.100->172.16.190.100
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'FACVM' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[557] create_auth_session-Total 1 server(s) to try
[47] handle_rad_timeout-rad 'FACVM' 172.16.190.100 timed out, resend request.
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[63] handle_rad_timeout-Timer of rad 'FACVM' is added
[3197] handle_auth_timeout_with_retry-Retry
[396] radius_stop-Timer of rad 'FACVM' is deleted
[1039] fnbamd_auth_retry-svr_type = 2
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[341] radius_start-Didn't find radius servers (0)
[3215] handle_auth_timeout_with_retry-retry failed
Time and list of connected administrators right after the failed attempt. 'radiususer1' is not logged in:
execute time
current time is: 16:11:20
last ntp sync:Wed Oct 2 15:49:13 2019
get sys info admin status
Index User name Login type From
Logged in users: 3
USERNAME TYPE FROM TIME
admin https 172.16.191.5 Wed Oct 2 10:47:26 2019
admin https 172.16.191.1 Wed Oct 2 11:06:56 2019
admin ssh 10.109.63.254 Wed Oct 2 15:16:57 2019
On the next login attempt the RADIUS server is still unavailable (fnbamd reports that it found no RADIUS server to try), and the FortiGate falls back to the local backup password set on the admin account:
diagnose debug application fnbamd -1
diagnose debug enable
# [2274] handle_req-Rcvd auth req 457812070 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[341] radius_start-Didn't find radius servers (0)
[3215] handle_auth_timeout_with_retry-retry failed
Time and list of connected administrators after logging in with 'radiususer1' and the local backup password 'fortinetlocal'. The new session appears at the end of the list:
execute time
current time is: 16:13:06
last ntp sync:Wed Oct 2 15:49:13 2019
get sys info admin status
Index User name Login type From
Logged in users: 4
USERNAME TYPE FROM TIME
admin https 172.16.191.5 Wed Oct 2 10:47:26 2019
admin https 172.16.191.1 Wed Oct 2 11:06:56 2019
admin ssh 10.109.63.254 Wed Oct 2 15:16:57 2019
radiususer1 http 10.109.63.254 Wed Oct 2 16:12:40 2019
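The three fnbamd traces above differ in a handful of lines: the request sent to the server, the response code, the result line, the timeout and the final 'retry failed'. The following Python script is an added example (not part of the article or of FortiOS) that classifies such a trace as an accept, a reject, or an unreachable server, so the same check can be applied to a captured debug session instead of reading it by eye. The sample traces are excerpts copied from this article; the regular expressions assume the wording of the fnbamd lines shown here, which may differ in other FortiOS releases.

```python
import re

# Excerpts of the fnbamd debug output shown in this article (copied verbatim,
# trimmed to the lines that decide the outcome).
TRACE_ACCEPT = [
    "[2274] handle_req-Rcvd auth req 457812065 for radiususer1 in radiusgroup opt=00010001 prot=10",
    "[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=128 len=164 user=\"radiususer1\" using MS-CHAPv2",
    "[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2",
    "[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup",
    "[2432] fnbamd_auth_handle_radius_result <-----Result for radius svr 'FACVM' 172.16.190.100(1) is 0",
    "[1032] find_matched_usr_grps-Add matched group 'radiusgroup'(10)",
]
TRACE_TIMEOUT = [
    "[2274] handle_req-Rcvd auth req 457812067 for radiususer1 in radiusgroup opt=00010001 prot=10",
    "[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user=\"radiususer1\" using MS-CHAPv2",
    "[47] handle_rad_timeout-rad 'FACVM' 172.16.190.100 timed out, resend request.",
    "[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user=\"radiususer1\" using MS-CHAPv2",
    "[3197] handle_auth_timeout_with_retry-Retry",
    "[341] radius_start-Didn't find radius servers (0)",
    "[3215] handle_auth_timeout_with_retry-retry failed",
]
TRACE_NO_SERVER = [
    "[2274] handle_req-Rcvd auth req 457812070 for radiususer1 in radiusgroup opt=00010001 prot=10",
    "[341] radius_start-Didn't find radius servers (0)",
    "[3215] handle_auth_timeout_with_retry-retry failed",
]

# RADIUS packet codes from RFC 2865 (code 2 in the trace is an Access-Accept).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Patterns for the fnbamd lines that decide the outcome (wording as in this article).
RE_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
RE_SEND = re.compile(r"__fnbamd_rad_send-Sent radius req to server '([^']+)'.*IP=([\d.]+)\(")
RE_RESP = re.compile(r"RADIUS resp code (\d+)")
RE_RESULT = re.compile(r"Result for radius svr '([^']+)' [\d.]+\(\d+\) is (\d+)")
RE_TIMEOUT = re.compile(r"handle_rad_timeout-rad '([^']+)' [\d.]+ timed out")
RE_GROUP = re.compile(r"find_matched_usr_grps-Add matched group '([^']+)'")
RE_RETRY_FAILED = re.compile(r"handle_auth_timeout_with_retry-retry failed")


def classify_fnbamd_trace(lines):
    """Summarise one fnbamd authentication attempt from its debug lines."""
    summary = {"req_id": None, "user": None, "group": None, "server": None,
               "server_ip": None, "sent": 0, "timeouts": 0, "resp_code": None,
               "matched_groups": [], "outcome": "unknown"}
    for line in lines:
        if m := RE_REQ.search(line):
            summary["req_id"], summary["user"], summary["group"] = int(m[1]), m[2], m[3]
        elif m := RE_SEND.search(line):
            summary["server"], summary["server_ip"] = m[1], m[2]
            summary["sent"] += 1                       # counts the resend as well
        elif m := RE_TIMEOUT.search(line):
            summary["timeouts"] += 1
        elif m := RE_RESP.search(line):
            summary["resp_code"] = int(m[1])
        elif m := RE_RESULT.search(line):
            # fnbamd result 0 = authentication successful, 1 = failed (article).
            summary["outcome"] = "radius_accept" if m[2] == "0" else "radius_reject"
        elif m := RE_GROUP.search(line):
            summary["matched_groups"].append(m[1])
        elif RE_RETRY_FAILED.search(line) and summary["outcome"] == "unknown":
            summary["outcome"] = "radius_unreachable"  # no answer, retries exhausted
    return summary


def local_fallback_expected(summary):
    """True when the article's local backup password comes into play.

    The article describes the fallback for a RADIUS server that does not
    respond. An Access-Reject is a real answer from the server and is reported
    as 'radius_reject', not as a fallback case.
    """
    return summary["outcome"] == "radius_unreachable"


if __name__ == "__main__":
    for trace in (TRACE_ACCEPT, TRACE_TIMEOUT, TRACE_NO_SERVER):
        s = classify_fnbamd_trace(trace)
        print(s["req_id"], s["outcome"], "fallback" if local_fallback_expected(s) else "no fallback")
```

fnbamd itself does not log the local-password fallback; as the article shows, the confirmation that the fallback worked is the new 'radiususer1' session in 'get sys info admin status'.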
Related Articles
Technical Tip: Remote admin login with Radius selecting admin access account profile
Technical Note: FortiGate admin authentication using radius groups fails
Copyright 2025 Fortinet, Inc. All Rights Reserved.