Just my findings about this. Someone else might be drowning in the same marsh..
I had serious problems with a client's 600D not honoring the configured LDAP groups for VPN authentication. It turned out that the Fortigate authenticated all users against radius... No radius users are configured. But during the auth sequence, the firewall check for radius config, then tacacs config, then ldap. If it finds a radius server, it proceeds to authenticate the users on that! I am still waiting for the TAC to tell me if this really is the expected behaviour, but I suspect not. It would be impossible to use more then one type of authentication server then. Well, as it is now at least. The solution for me was to remove the radius config - Hey presto! LDAP works, groups are honored!
Or wait, there was a 2nd snafu: LDAPS was configured, all checks were green in gui. But LDAP auth fails with "unsupported protocol" when you do your diag debug on auth...
Richie
NSE7
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
My understanding was it's supposed to send an auth request to all remote auth servers configured in the group(s). I don't know the exact decision making process if multiple servers replied with conflicting answers: "pass" and "deny", though. Was that working fine with 6.0.5? Or which version did you upgraded the 600D from, then found this problem?
We actually just ran into this same issue and have a ticket in on it. In our case, we added in a new Radius server and user group but had not even applied it anywhere and it started trying to authenticate SSL VPN users against it. I don't know if it was the same on 6.0.5 as I added the Radius server in after upgrade.
kgipe wrote:Aha! That kinda screams bug to me... We upgraded the firewall all the way from 5.2.14 -->6.0.6 via the supported upgrade path. I don't know about the firmware versions inbetween, but this was not a problem in 5.2.13.We actually just ran into this same issue and have a ticket in on it. In our case, we added in a new Radius server and user group but had not even applied it anywhere and it started trying to authenticate SSL VPN users against it. I don't know if it was the same on 6.0.5 as I added the Radius server in after upgrade.
Anyway, for our setup, it is solvable, but if you depend on your radius for other things, you're kinda toast right now. Let's hope for a fix soonish.
Richie
NSE7
Probably that's the key - NOT configured in any groups - in other words, not used. In our office we use FGT60E w/ 6.0.5 and it has two different sets of RADIUS servers for WiFi and admin user authentication. But so far it's acting as expected after upgraded from 5.6.6.
I actually tried to configure a few radius groups, didn't make any difference.
So, you'll have to upgrade to 6.0.6 to find out. :)
Richie
NSE7
Either of you, please let the rest of us know when you get a bug ID. By that time you would know more about the conditions.
I was planning to upgrade our 60E cluster to 6.0.6 in a couple of weeks. I'll test auth for two different user groups w/ different RADIUS servers. Then if it doesn't work as expected, I'll revert it (swap the partitions) to go back to 6.0.5.
Hello kallbrandt,
Do you have in you RADIUS configuration : "set all-usergroup enable" ?
livo
Nope, but I think I just found the reason. It seems that radius authentication was triggered by several separate events. We had an old radius policy that sent back a vendor specific option that applied a non-existing user-group (something was obviously setup for testing in back in 2015 or so, with a usergroup that must have existed back then). The radius policy was pretty much wide open, an active account was enough. The Fortigate was triggered to continue to auth all users with Radius after that. I guess because the vendor specific option was returned to the fw, it decided to go with radius auth. I have no other explanation. When I removed the vendor specific option, radius was not triggered. Note once again that NO radius users NOR groups is configured. Everything is using LDAP. IMHO, radius auth should not be triggered if no users/groups are configured, but I guess this "exploit" is not that practical to make use of, since it requires admin access to the fw in order to set the radius up.
Richie
NSE7
toshiesumi wrote:The thing is - the radius servers was NOT configured in any groups or users - They were just present in the config and reachable.My understanding was it's supposed to send an auth request to all remote auth servers configured in the group(s). I don't know the exact decision making process if multiple servers replied with conflicting answers: "pass" and "deny", though. Was that working fine with 6.0.5? Or which version did you upgraded the 600D from, then found this problem?
Richie
NSE7
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1094 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.