I am trying to set up authentication using a FreeRADIUS server with a FortiGate. I can ping between the FortiGate and the Ubuntu machine that FreeRADIUS runs on, but when I try to add the RADIUS server from the User & Device section, the server cannot be reached, and no request at all arrives at FreeRADIUS from the FortiGate. I don't know why that is; I can ping, but I cannot reach the RADIUS server.
I don't know where you're looking to see the error. But you can check RADIUS connectivity in the GUI: User & Device -> RADIUS Servers -> edit "server_name" -> "Test Connectivity" button. When you hit it and enter one of the users' username/password, you should see a RADIUS request and then a reply (UDP 1812 on the server side) in "diag sniffer packet any 'host SERVER_IP' 4", like below:
    19.058198 lan out 192.168.1.254.3949 -> 172.16.1.1.1812: udp 52
    20.060076 lan in 172.16.1.11.1812 -> 192.168.1.254.3949: udp 20
If you don't see them, something is wrong with the RADIUS config on the FGT. Not much to configure, though: server IP, secret, and NAS IP, generally.
I would check the logs on the RADIUS server and the client. If the secret is wrong, or the wrong service port is defined, or the system is set for DTLS/TLS, these will generate almost no response back to the RADIUS client. You can take packet captures to see the Access-Accept/Access-Reject messages.
PCNSE
NSE
StrongSwan
Are you doing this over VPN?
Yes, over VPN.
I can reach FreeRADIUS from another FortiGate, but from this FortiGate I cannot. The RADIUS service is listening on port 1812.
If you're running it over VPN, then you'll need to specify a source IP for RADIUS.
If you're using VDOMs, these would be the commands (replace the placeholders with your own values, no quotes):
    config vdom
        edit <vdom-name>
            config user radius
                edit <name-you-gave-it>
                    set source-ip <firewall-LAN-IP>
                next
            end
        next
    end
If you do not have VDOMs enabled, the commands are:
    config user radius
        edit <name-you-gave-it>
            set source-ip <firewall-LAN-IP>
        next
    end
Try those and let me know if that helped or if you have any questions.
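The two answers above come down to one question: does an Access-Request, sourced from the right address, leave the firewall and come back as an Access-Accept or Access-Reject? Below is an added example, not code from this thread, from Fortinet or from the FreeRADIUS project: a small RFC 2865/2869 client in Python that builds a PAP Access-Request with a Message-Authenticator, sends it from a chosen source address (the same role as `set source-ip` on the FortiGate), and verifies the Response Authenticator of whatever comes back. It also includes the server-side reply construction so the exchange can be exercised offline. The server address, shared secret, user, password and NAS IP are placeholders supplied on the command line.

```python
# Minimal RADIUS (RFC 2865 / RFC 2869) Access-Request client for reachability checks.
# Added example for this thread; not FortiGate or FreeRADIUS code. All hosts,
# secrets and credentials are placeholders passed in by the caller.
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous ciphertext block); block 1 is keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does before checking PAP)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-octet header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(packet: bytes) -> dict:
    """Attributes start at offset 20, after Code/Identifier/Length/Authenticator."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + l]
        i += l
    return attrs


def build_access_request(username, password, secret, nas_ip, ident=0, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    body = (tlv(USER_NAME, username.encode())
            + tlv(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
            + tlv(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the Message-Authenticator zeroed.
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18) + request_auth
    mac = hmac.new(secret, header + body + tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16), hashlib.md5).digest()
    return header + body + tlv(MESSAGE_AUTHENTICATOR, mac), request_auth


def make_reply(code, ident, request_auth, secret, body=b""):
    """What a correctly configured server sends back (RFC 2865 s3 Response Authenticator)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(reply, secret, request_auth):
    """Return the reply Code if its Response Authenticator checks out, else None."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None


def describe(code):
    return {ACCESS_ACCEPT: "Access-Accept: reachable, secret and credentials OK",
            ACCESS_REJECT: "Access-Reject: reachable and secret OK, credentials refused",
            None: "no valid reply: UDP 1812 blocked/unrouted, source IP not in clients.conf, or wrong secret",
            }.get(code, f"unexpected code {code}")


def probe(server_ip, secret, username, password, nas_ip, source_ip=None, timeout=3.0):
    """Send one Access-Request from source_ip and classify the outcome."""
    packet, request_auth = build_access_request(username, password, secret.encode(), nas_ip, ident=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_ip:
            s.bind((source_ip, 0))  # mimics 'set source-ip' on the FortiGate
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, 1812))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return describe(None)
    return describe(verify_reply(reply, secret.encode(), request_auth))


if __name__ == "__main__":
    # usage: radius_probe.py SERVER SECRET USER PASSWORD NAS_IP [SOURCE_IP]
    print(probe(*sys.argv[1:6], source_ip=sys.argv[6] if len(sys.argv) > 6 else None))
```

Run it once bound to the LAN/tunnel-side address you intend to put in `set source-ip` and once without; if only the bound run gets an Access-Accept or Access-Reject, the problem is the source address, not the tunnel. FreeRADIUS silently ignores requests from addresses that do not match a `client` block in clients.conf and drops requests whose Message-Authenticator fails because of a wrong shared secret, which is why both cases show up as "no valid reply" rather than as a Reject, exactly the silence the original poster describes.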
If the server is reachable behind VLANs, make sure to set the source IP to the actual interface or LAN IP, not the VLAN IP.
Copyright 2024 Fortinet, Inc. All Rights Reserved.