AlexHelloworld
New Contributor

Can't connect to Forti authenticator as RADIUS server

Hi, I have installed FortiAuthenticator and set it up as a RADIUS server according to the Cookbook.

Trying to connect to it from the FortiGate, and I can't; I get an error.

It successfully gets users from the LDAP server, everything is cool.

I have scanned ports from outside - the RADIUS port is closed, but it is open on the FortiGate, I mean the policies ALLOW everything to this FortiAuthenticator and everything from it.

SSH, ping, everything works fine.

Anybody knows how to troubleshoot it? RADIUS doesn't work :(

Thank you!

1 Solution
xsilver_FTNT
Staff

Hi,

Have a look at https://<your-fac>/debug/ to see the RADIUS debug.

Packet capture should also help, at least to see if you get any response to the Access-Request sent from FGT.

My guess is that you get no response from FortiAuthenticator (FAC) because you have missed setting, or misconfigured, GUI > Authentication > RADIUS Service > Clients .. so FAC is not even responding to an unknown client (your FGT). If you do NAT/route traffic from FGT to FAC, then check (packet capture on FAC) with which IP the FGT Access-Request came into your FAC.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


7 Replies

AlexHelloworld

xsilver wrote:

Hi,

Have a look at https://<your-fac>/debug/ to see the RADIUS debug.

Packet capture should also help, at least to see if you get any response to the Access-Request sent from FGT.

My guess is that you get no response from FortiAuthenticator (FAC) because you have missed setting, or misconfigured, GUI > Authentication > RADIUS Service > Clients .. so FAC is not even responding to an unknown client (your FGT). If you do NAT/route traffic from FGT to FAC, then check (packet capture on FAC) with which IP the FGT Access-Request came into your FAC.

Thanks mate, yeah, really that. This is from the debug:

2019-09-26T09:33:57.139846+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.XX.XX port 16743

xsilver_FTNT

AlexHelloworld wrote:

2019-09-26T09:33:57.139846+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.XX.XX port 16743

That's it! Clearly stating that there is no respective Client config in RADIUS Service, and so FortiAuthenticator is simply dropping the Access-Request (which is expected by design, so we are not leaking out any responses that there is something missing).

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
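
Added example (not from this thread or from Fortinet): a small triage script that parses the "Ignoring request ... from unknown client" lines from the FAC radiusd debug quoted above, counts drops per source IP, and compares each source against the RADIUS Client entries you believe are configured, so an address that no entry covers stands out as the NAT/route case Tomas describes. The log lines, hostname and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the radiusd debug format quoted in this thread; the
# hostname, PID and addresses are made up. The last line is a non-matching
# line to show that only "unknown client" drops are counted.
SAMPLE_LOG = """\
2019-09-26T09:33:57.139846+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.10.1 port 16743
2019-09-26T09:33:59.001200+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.10.1 port 16744
2019-09-26T09:34:02.500000+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 10.0.0.254 port 52000
2019-09-26T09:34:05.000000+08:00 BH-FORTIAUTH-01 radiusd[16273]: (constructed unrelated line)
"""

UNKNOWN_CLIENT_RE = re.compile(
    r"radiusd\[\d+\]: Ignoring request to authentication address \S+ port \d+ "
    r"from unknown client (?P<src_ip>[0-9A-Fa-f.:]+) port \d+"
)

def rejected_clients(log_text):
    """Count dropped Access-Requests per source IP, as radiusd saw them."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UNKNOWN_CLIENT_RE.search(line)
        if m:
            counts[m.group("src_ip")] += 1
    return counts

def triage(log_text, believed_clients):
    """Classify each dropped source against the RADIUS Client entries you
    believe exist on FAC (hosts or subnets as strings):
      unregistered   - no entry covers this source: register it, or, if it is
                       your FGT arriving through NAT, register the NAT address
      entry-mismatch - an entry should cover it yet FAC still drops it: check
                       that the entry is enabled and the address is not a typo"""
    nets = [ipaddress.ip_network(c, strict=False) for c in believed_clients]
    report = {}
    for ip, n in rejected_clients(log_text).items():
        covered = any(ipaddress.ip_address(ip) in net for net in nets)
        report[ip] = {"count": n,
                      "verdict": "entry-mismatch" if covered else "unregistered"}
    return report

if __name__ == "__main__":
    # Suppose 192.168.10.1 is the FGT entry you configured; 10.0.0.254 is then
    # the unregistered address to investigate (the FGT behind NAT, perhaps).
    for ip, info in triage(SAMPLE_LOG, ["192.168.10.1"]).items():
        print(f"{ip}: {info['count']} dropped request(s) -> {info['verdict']}")
```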

AlexHelloworld

xsilver wrote:

Hi,

Have a look at https://<your-fac>/debug/ to see the RADIUS debug.

Packet capture should also help, at least to see if you get any response to the Access-Request sent from FGT.

My guess is that you get no response from FortiAuthenticator (FAC) because you have missed setting, or misconfigured, GUI > Authentication > RADIUS Service > Clients .. so FAC is not even responding to an unknown client (your FGT). If you do NAT/route traffic from FGT to FAC, then check (packet capture on FAC) with which IP the FGT Access-Request came into your FAC.

It is off-topic, but could you advise me please: I have users from LDAP, there is a local realm configured and no possibility to add an LDAP realm. Should I sync it from remote to local, or will it work with remote users?

xsilver_FTNT

AlexHelloworld wrote:

I have users from LDAP, there is a local realm configured and no possibility to add an LDAP realm. Should I sync it from remote to local, or will it work with remote users?

If you do have an LDAP Remote Auth. Server defined, then have a look at GUI > Authentication > User Management > Realms

and there you can bind your LDAP to a Realm to be able to use it in the RADIUS Client later on.

It is defined locally on FortiAuthenticator (FAC), has nothing to do with the Kerberos Realm in AD, and therefore the realm on FAC cannot be synced. But users can be synced via Remote User Sync Rules and so authenticated via the Realm bound to the LDAP they came through.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Nytro

On FAC: assuming you have already imported your users from remote LDAP, create a user group and add those users to the group. Create a RADIUS client; this is your FortiGate. On the bottom right, turn on the 'Groups' filter and add the user group you created with the remote LDAP users. Select the realm. The realm should be your AD realm name that the remote LDAP users are a part of, and is bound to the LDAP server (AD) in your config.

On your FortiGate, configure the RADIUS server (the FAC). Then create a user group. There will be no local members. Select remote groups, choose the RADIUS server you just created, and for groups, type in the group name you created on the FAC with the LDAP users. Type case must be an exact match. Go back to the 'RADIUS server' section and test connectivity using an AD credential of a member of the group you created on the FAC.

Cheers!

Noel

xsilver_FTNT

Good summary (4* credit), except for the necessity to have the group name exactly the same.

Referring to: "and for groups, type in the group name you created on the FAC with the LDAP users. Type case must be an exact match."

As if your intention is to do RADIUS Group Match .. https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36464 Then what the group membership is checked against on FGT is NOT a group name as on FAC (it could be whatever else), but an additional RADIUS attribute added either to the user, or in this case rather to the group (and inherited by all group members).

And the RADIUS AVP I'm talking about is Fortinet-Group-Name.

In short, the RADIUS AVP is what FGT is looking for and not the name of the group on FAC.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
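
Added example (not from this thread or from Fortinet) illustrating the point above: it builds an Access-Accept carrying the Fortinet-Group-Name vendor-specific attribute (Fortinet vendor id 12356, vendor-type 1, as in the FreeRADIUS dictionary.fortinet) and shows that the FGT-side remote group match reads the AVP value, so the FAC group name never enters the comparison. The group names "LDAP_VPN_Users" and "vpn-users", the shared secret and the zeroed Request Authenticator are constructed.

```python
import hashlib
import struct

# Fortinet's IANA enterprise number and the vendor-type of Fortinet-Group-Name
# (FreeRADIUS dictionary.fortinet); 26 is the standard Vendor-Specific type.
VENDOR_FORTINET = 12356
FORTINET_GROUP_NAME = 1
ATTR_VSA = 26

def fortinet_group_name_avp(group):
    """One Vendor-Specific AVP (RFC 2865 section 5.26) carrying Fortinet-Group-Name = group."""
    value = group.encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VSA, 6 + len(vendor_data), VENDOR_FORTINET) + vendor_data

def access_accept(identifier, request_authenticator, secret, attrs):
    """Access-Accept (code 2); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def fortinet_group_names(packet):
    """Walk the attributes after the 20-byte header and collect every Fortinet-Group-Name."""
    groups, attrs, i = [], packet[20:], 0
    while i + 2 <= len(attrs):
        typ, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0] if typ == ATTR_VSA and length >= 8 else None
        if vendor == VENDOR_FORTINET:
            vdata, j = attrs[i + 6:i + length], 0
            while j + 2 <= len(vdata):
                vtype, vlen = vdata[j], vdata[j + 1]
                if vlen < 2 or j + vlen > len(vdata):
                    raise ValueError("malformed vendor data")
                if vtype == FORTINET_GROUP_NAME:
                    groups.append(vdata[j + 2:j + vlen].decode())
                j += vlen
        i += length
    return groups

def fgt_remote_group_match(packet, remote_groups):
    """FGT-side check: AVP values are compared with the remote group list, never the FAC group name."""
    return sorted(set(fortinet_group_names(packet)) & set(remote_groups))

if __name__ == "__main__":
    # Constructed: FAC group "LDAP_VPN_Users" carries Fortinet-Group-Name = "vpn-users"; secret is made up.
    pkt = access_accept(7, bytes(16), b"sharedsecret", fortinet_group_name_avp("vpn-users"))
    print(fgt_remote_group_match(pkt, ["vpn-users"]))       # matches on the AVP value
    print(fgt_remote_group_match(pkt, ["LDAP_VPN_Users"]))  # the FAC group name alone matches nothing
```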
