Technical Tip: How to configure FortiPortal remote authentication using FortiAuthenticator RADIUS service

tnesh · ‎09-21-2022

Description

This article describes how to configure the FortiPortal (FPC) remote authentication by using FortiAuthenticator (FAC) RADIUS service.

Scope

FortiPortal version 6.0.

Solution

FortiPortal.

1) Create Customer Domains:

Go to FortiPortal -> Customers -> Domains -> Key in value ->Create

Note:

This value will be used in FortiAuthenticator RADIUS User Attributes -> 'Fortinet-tenant-identification'.

2) Get Customer site name:

Go to FortiPortal -> Customers -> Sites -> Site Names

Note:

These values (site names) will be used in FortiAuthenticator RADIUS User Attributes -> 'Fortinet-fpc-tenant-user-sites'.

3) Enable FortiPortal remote authentication:

Go to FortiPortal -> Admin -> Settings -> User Authentication

- Select 'Authentication Access to Remote'

- Select 'Remote Server to RADIUS'

- Enter the value according to the RADIUS server configuration

Authentication Access	Remote
Allow Service Provider Usernames without Domain	Enable / Disable
Remote Server	RADIUS
Domains
Radius Roles	Create and add the radius roles that required for the RADIUS remote authentication. Note: This value (Role name) will be used in: FAC RADIUS User Attributes -> 'Fortinet-fpc-user-role'
Remote Server IP Address	RADIUS (FortiAuthentiator) Server IP Address
Remote Server Port	RADIUS port (default is 1812)
Remote Server Key	RADIUS secret key
Authentication Protocol	RADIUS Authentication protocol (default is PAP)

4) Verify all the values and select 'Submit'.

FortiAuthenticator.

1) Create Local User / Remote User and make sure to enable 'Allow RADIUS authentication'.

2) Next, add following 'RADIUS Attributes' to the user(s) that need login to FortiPortal via RADIUS.

Vendor	Fortinet
Attribute ID	Fortinet-fpc-user-role
Value	< radius role name in fpc radius authentication >

Vendor	Fortinet
Attribute ID	Fortinet-tenant-identification
Value	< customer domain name created in fpc >

Vendor	Fortinet
Attribute ID	Fortinet-fpc-tenant-user-sites
Value	< site name created under FPC – Customer -site >

3) Next, create RADIUS Service in FortiAuthenticator:

Go to FortiAuthenticator -> RADIUS Service -> Clients -> Create New

4) Create RADIUS Service Policies:

Go to FortiAuthenticator -> RADIUS Service -> Policies -> Create New

Test Scenario.

1) Go to FortiPortal GUI and Login with RADIUS user created in FAC

Troubleshooting guide.

1) Check logs from FortiAuthenticator:

Go to FortiAuthenticatorLogging -> Log Access -> Logs.

2) Check logs from FortiPortal GUI:

Go to FortiPortal -> Admin -> System Log -> Start and then, proceed to login with RADIUS user and capture the logs from System Log.

Alternatively, can check logs from FortiPortal SSH:

# exec shell-
# tail /var/tomcat/util/ftnt_fpc.log -f

3) If 'Radius Role does not match with FPC role' appears, it is because RADIUS user attribute does not match with FortiPortal RADIUS role.

RADIUS attribute: Fortinet-fpc-user-role.

FortiPortal: Admin -> Settings -> User Authentication -> View Radius Roles.

4) If 'There is no domain match for the user entered' appears, it is because RADIUS user attribute does not match with FortiPortal customer domain.

RADIUS attribute: fortinet-tenant-identification.

FortiPortal: Customer -> Edit Customer -> Customer Details -> Domains.