Can you configure RADIUS groups for FortiAnalyzer admins?

neonbit · ‎08-18-2015

Does anyone know if you can configure RADIUS groups for the FAZ? I can't seem to find any information on this in the admin guides or CLI.

What I'm trying to do is have users loging to a RADIUS server (FortiAuthenticator in this instance) and from there be given role based access.

For example if the user belongs in the 'admin' group they would be given full access, but if they're in the 'partners' group they would be given access to the report/fortiview.

I'm going blind trying to figure this out! :)

AtiT · ‎08-19-2015

Hi,

Yes you can.

1) Create a radius profile: System Settings -> Admin -> Remote Auth Server

2) go to CLI and define the NAS-IP address to be the IP address to your FAZ:

config sys admin radius

edit <your radius name or press the TAB button>

set nas-ip <the IP address of your FAZ>

end

3) Create admin profile(s) under System Settings -> Admin -> Profile and choose what you want to allow or disable for the admin(s).

4) Create a new admin with the same name as you have it on the radius server. Set the type to your radius and choose the created radius server. DO NOT select the Wiledcard option. DO NOT fill the password. Choose the required profile for the admin and ADOM settings and click OK.

5) Repeat the step 4) for the other admins.

Log out from the analyzer and log in with the different admin account. Have a fun!

Remember: the admin name has to be an existing name that can be checked by the radius server. The password will be checked by the radius and grant access. According to the admin name the FAZ will choose the admin profile.

AtiT

View solution in original post

aggi · ‎08-19-2015

Under your wildcard admin put 'set radius-accprofile-override enable'. Then create access profiles with the same name as the radius groups.

Megatron

View solution in original post

emnoc · ‎08-19-2015

Neon

you can define access_profile attributes for the clients, but the catch the access-Profile needs to be configured on the fortigate. Fortigate supports like 6 or 8 Vendor Specific Attribute IIRC.

example;

# sample radius user file w/ accprof

#

HQadmin Crypt-Password == "$1$BbERshNY$.wcjjBzwe/i82ILJuajeWs/"

User-Service-Type = Login-User

Fortinet-Access-Profile = admin_full

ENGadmin Crypt-Password == "$1$BEdsJWs$.xkueWldiwe/w62ILWkiuuSs/"

User-Service-Type = Login-User

Fortinet-Access-Profile = adminrestricted

SOCgroup1 Cleartext-Password = "MySOCG3d4uejd"

User-Service-Type = Login-User

Fortinet-Access-Profile = readonly

Just make sure the Access Profile exists or if no you will locked out the user

PCNSE

NSE

StrongSwan

View solution in original post

AtiT · ‎08-19-2015

Hi,

Yes you can.

1) Create a radius profile: System Settings -> Admin -> Remote Auth Server

2) go to CLI and define the NAS-IP address to be the IP address to your FAZ:

config sys admin radius

edit <your radius name or press the TAB button>

set nas-ip <the IP address of your FAZ>

end

3) Create admin profile(s) under System Settings -> Admin -> Profile and choose what you want to allow or disable for the admin(s).

4) Create a new admin with the same name as you have it on the radius server. Set the type to your radius and choose the created radius server. DO NOT select the Wiledcard option. DO NOT fill the password. Choose the required profile for the admin and ADOM settings and click OK.

5) Repeat the step 4) for the other admins.

Log out from the analyzer and log in with the different admin account. Have a fun!

Remember: the admin name has to be an existing name that can be checked by the radius server. The password will be checked by the radius and grant access. According to the admin name the FAZ will choose the admin profile.

AtiT

AtiT · ‎08-19-2015

It is not a radius group but you have to configure each username on the FAZ.

AtiT

aggi · ‎08-19-2015

Under your wildcard admin put 'set radius-accprofile-override enable'. Then create access profiles with the same name as the radius groups.

Megatron

emnoc · ‎08-19-2015

Neon

you can define access_profile attributes for the clients, but the catch the access-Profile needs to be configured on the fortigate. Fortigate supports like 6 or 8 Vendor Specific Attribute IIRC.

example;

# sample radius user file w/ accprof

#

HQadmin Crypt-Password == "$1$BbERshNY$.wcjjBzwe/i82ILJuajeWs/"

User-Service-Type = Login-User

Fortinet-Access-Profile = admin_full

ENGadmin Crypt-Password == "$1$BEdsJWs$.xkueWldiwe/w62ILWkiuuSs/"

User-Service-Type = Login-User

Fortinet-Access-Profile = adminrestricted

SOCgroup1 Cleartext-Password = "MySOCG3d4uejd"

User-Service-Type = Login-User

Fortinet-Access-Profile = readonly

Just make sure the Access Profile exists or if no you will locked out the user

PCNSE

NSE

StrongSwan

neonbit · ‎08-19-2015

Yeeessss!!! Thanks for the info guys, it's working great now :D

My final steps were:

Created an admin user with wildcard that uses the RADIUS server.

Created separate access profiles with names matching my RADIUS groups.

Edited the admin user via CLI and enabled the radius-accprofile-override setting.

Initially I had a problem with the RADIUS group attributes not matching up. On the FortiAuthenticator I configured the groups to reply with the Fortinet-Group-Name attribute for RADIUS authentication (this was to service the FortiGate). This attribute didn't work for the FAZ. I added the Fortinet-Access-Profile attribute and the FAZ picked it up. So now I have both RADIUS attributes configured on my FortiAuthenticator (pic attached), one to service the FortiGate and the other for the FortiAnalyzer.

Thanks again guys!

AtiT · ‎08-20-2015

Hi,

this solution seems to me more elegant. I tried to set this up but I have a problem.

I have 2 admin groups - Admin and Report-read-only.

All users from both groups can login but have the same permissions that is set under the wildecard admin profile.

I also enabled the radius-accprofile-override: enable

It seems that the FAZ not makes a difference between profile attributes.

The radius server is Windows 2008 R2 NPS policy server.

The FAZ is FAZ-VM 5.2.3 (trial version for testing in vmware player).

I set the vendor specific attribute to attribute 6:

## Fortinet’s VSA’s # VENDOR fortinet 12356 BEGIN-VENDOR fortinet ATTRIBUTE Fortinet-Group-Name 1 string ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr ATTRIBUTE Fortinet-Vdom-Name 3 string ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets ATTRIBUTE Fortinet-Interface-Name 5 string ATTRIBUTE Fortinet-Access-Profile 6 string ## Integer Translations # END-VENDOR Fortinet

AtiT

emnoc · ‎08-20-2015

Great, can you debug the radius accept/response on that radius server?

I have little experience on the MS radius and NP but I'm sure theire some debug method. if you have a radtest equal diagnostic command , you can try that also.

PCNSE

NSE

StrongSwan

AtiT · ‎08-20-2015

Hi,

Yes I did it. It is working now. The problem was with the Radius server where another network policy catched the authentication request and if the profile does not match the profile under admin user defined is applied.

Thank you for support.

AtiT

wifisupport · ‎03-28-2016

Ηi all, Do you know if it is possible to configure TACACS for FortiAnalyzer? I tried to configure but authorization doesn 't work properly. thanks in advance! A.

Can you configure RADIUS groups for FortiAnalyzer admins?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website