tnesh
Staff
Staff
Description

This article describes how to configure the FortiPortal (FPC) remote authentication by using FortiAuthenticator (FAC) RADIUS service.

Scope

FortiPortal version 6.0.

Solution

FortiPortal.

 

1) Create Customer Domains:

Go to FortiPortal -> Customers -> Domains -> Key in value ->Create

 

tnesh_0-1663815923425.png

 

Note:

This value will be used in FortiAuthenticator RADIUS User Attributes -> 'Fortinet-tenant-identification'.

 

2) Get Customer site name:

Go to FortiPortal -> Customers -> Sites -> Site Names

 

Note:

These values (site names) will be used in FortiAuthenticator RADIUS User Attributes -> 'Fortinet-fpc-tenant-user-sites'.

 

3) Enable FortiPortal remote authentication:

Go to FortiPortal -> Admin -> Settings -> User Authentication

- Select 'Authentication Access to Remote'

- Select 'Remote Server to RADIUS'

- Enter the value according to the RADIUS server configuration

 

Authentication Access

Remote

Allow Service Provider Usernames without Domain

Enable / Disable

Remote Server

RADIUS

Domains

 

Radius Roles

Create and add the radius roles that required for the RADIUS remote authentication.

 

Note:

This value (Role name) will be used in:

FAC RADIUS User Attributes -> 'Fortinet-fpc-user-role'

Remote Server IP Address

RADIUS (FortiAuthentiator) Server IP Address

Remote Server Port

RADIUS port (default is 1812)

Remote Server Key

RADIUS secret key

Authentication Protocol

RADIUS Authentication protocol (default is PAP)

 

4) Verify all the values and select 'Submit'.

 

FortiAuthenticator.

 

1) Create Local User / Remote User and make sure to enable 'Allow RADIUS authentication'.

 

tnesh_1-1663815923433.png

 

2) Next, add following 'RADIUS Attributes' to the user(s) that need login to FortiPortal via RADIUS.

 

Vendor

Fortinet

Attribute ID

Fortinet-fpc-user-role

Value

< radius role name in fpc radius authentication >

 

Vendor

Fortinet

Attribute ID

Fortinet-tenant-identification

Value

< customer domain name created in fpc >

 

Vendor

Fortinet

Attribute ID

Fortinet-fpc-tenant-user-sites

Value

< site name created under FPC – Customer -site >

 

3) Next, create RADIUS Service in FortiAuthenticator:

Go to FortiAuthenticator -> RADIUS Service -> Clients -> Create New

 

tnesh_2-1663815923435.png

 

4) Create RADIUS Service Policies:

Go to FortiAuthenticator -> RADIUS Service -> Policies -> Create New

 

tnesh_3-1663815923436.png

 

 

Test Scenario.

 

1) Go to FortiPortal GUI and Login with RADIUS user created in FAC

 

Troubleshooting guide.

 

1) Check logs from FortiAuthenticator:

Go to FortiAuthenticatorLogging -> Log Access -> Logs.

 

2) Check logs from FortiPortal GUI:

Go to FortiPortal -> Admin -> System Log -> Start and then, proceed to login with RADIUS user and capture the logs from System Log.

 

Alternatively, can check logs from FortiPortal SSH:

 

# exec shell-
# tail /var/tomcat/util/ftnt_fpc.log -f

 

3) If 'Radius Role does not match with FPC role' appears, it is because RADIUS user attribute does not match with FortiPortal RADIUS role.

 

tnesh_4-1663819967623.png

 

RADIUS attribute: Fortinet-fpc-user-role.

FortiPortal: Admin -> Settings -> User Authentication -> View Radius Roles.

 

4) If 'There is no domain match for the user entered' appears, it is because RADIUS user attribute does not match with FortiPortal customer domain.

 

tnesh_5-1663819984865.png

 

RADIUS attribute: fortinet-tenant-identification.

FortiPortal: Customer -> Edit Customer -> Customer Details -> Domains.

Contributors