Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
neonbit
Valued Contributor

Can you configure RADIUS groups for FortiAnalyzer admins?

Does anyone know if you can configure RADIUS groups for the FAZ? I can't seem to find any information on this in the admin guides or CLI.

 

What I'm trying to do is have users log in to a RADIUS server (FortiAuthenticator in this instance) and from there be given role-based access.

 

For example, if the user belongs to the 'admin' group they would be given full access, but if they're in the 'partners' group they would be given access to reports/FortiView.

 

I'm going blind trying to figure this out! :)

3 Solutions
AtiT
Valued Contributor

Hi,

 

Yes you can.

1) Create a radius profile: System Settings -> Admin -> Remote Auth Server

2) go to CLI and define the NAS-IP address to be the IP address to your FAZ:

 config sys admin radius
   edit <your radius name or press the TAB button>
     set nas-ip <the IP address of your FAZ>
 end

3) Create admin profile(s) under System Settings -> Admin -> Profile and choose what you want to allow or disable for the admin(s).

4) Create a new admin with the same name as you have on the RADIUS server. Set the type to RADIUS and choose the created RADIUS server. DO NOT select the Wildcard option. DO NOT fill in the password. Choose the required profile for the admin and ADOM settings and click OK.

5) Repeat step 4) for the other admins.

 

Log out from the analyzer and log in with the different admin account. Have fun!

 

Remember: the admin name has to be an existing name that can be checked by the RADIUS server. The password will be checked by the RADIUS server, which grants access. According to the admin name, the FAZ will choose the admin profile.

 

 

AtiT

aggi
New Contributor

Under your wildcard admin put 'set radius-accprofile-override enable'. Then create access profiles with the same name as the radius groups.

Megatron

emnoc
Esteemed Contributor III

Neon

You can define access-profile attributes for the clients, but the catch is that the access profile needs to be configured on the FortiGate. FortiGate supports something like 6 or 8 Vendor Specific Attributes IIRC.

 

 

Example:

 

# sample radius user file w/ accprof
#
HQadmin   Crypt-Password == "$1$BbERshNY$.wcjjBzwe/i82ILJuajeWs/"
          User-Service-Type = Login-User
          Fortinet-Access-Profile = admin_full

ENGadmin  Crypt-Password == "$1$BEdsJWs$.xkueWldiwe/w62ILWkiuuSs/"
          User-Service-Type = Login-User
          Fortinet-Access-Profile = adminrestricted

SOCgroup1 Cleartext-Password = "MySOCG3d4uejd"
          User-Service-Type = Login-User
          Fortinet-Access-Profile = readonly

 

Just make sure the Access Profile exists, or if not you will lock out the user.

 

PCNSE NSE StrongSwan

9 REPLIES
AtiT
Valued Contributor

It is not a RADIUS group, but you have to configure each username on the FAZ.

 

AtiT

neonbit
Valued Contributor

Yeeessss!!! Thanks for the info guys, it's working great now :D

 

My final steps were: 

 

Created an admin user with wildcard that uses the RADIUS server.

 

Created separate access profiles with names matching my RADIUS groups.

 

Edited the admin user via CLI and enabled the radius-accprofile-override setting.

 

Initially I had a problem with the RADIUS group attributes not matching up. On the FortiAuthenticator I configured the groups to reply with the Fortinet-Group-Name attribute for RADIUS authentication (this was to service the FortiGate). This attribute didn't work for the FAZ. I added the Fortinet-Access-Profile attribute and the FAZ picked it up. So now I have both RADIUS attributes configured on my FortiAuthenticator (pic attached), one to service the FortiGate and the other for the FortiAnalyzer.

 

Thanks again guys!

AtiT
Valued Contributor

Hi,

This solution seems more elegant to me. I tried to set this up but I have a problem.

I have 2 admin groups - Admin and Report-read-only.

All users from both groups can log in but have the same permissions that are set under the wildcard admin profile.

I also enabled radius-accprofile-override: enable

 

It seems that the FAZ does not make a difference between profile attributes.

The radius server is Windows 2008 R2 NPS policy server.

The FAZ is FAZ-VM 5.2.3 (trial version for testing in vmware player).

 

I set the vendor specific attribute to attribute 6:

 

## Fortinet's VSA's
#
VENDOR fortinet 12356
BEGIN-VENDOR fortinet
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
## Integer Translations
#
END-VENDOR Fortinet

 

AtiT
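To see what the FAZ is actually being handed, here is an added Python example (not code from any post or from Fortinet) that encodes and decodes the Fortinet Vendor-Specific Attributes from the dictionary above (vendor 12356, sub-attribute 1 = Fortinet-Group-Name, 6 = Fortinet-Access-Profile) and then applies the behaviour the thread observed: with radius-accprofile-override enabled the profile named in Fortinet-Access-Profile is used, a reply without that attribute falls back to the wildcard admin's profile, and a name that matches no configured profile locks the user out. The profile names and the exact fallback rule are assumptions for illustration.

```python
import struct

FORTINET_VENDOR_ID = 12356      # VENDOR fortinet 12356 in the dictionary above
VSA_TYPE = 26                   # RFC 2865 Vendor-Specific attribute
FORTINET_GROUP_NAME = 1         # ATTRIBUTE Fortinet-Group-Name 1 string
FORTINET_ACCESS_PROFILE = 6     # ATTRIBUTE Fortinet-Access-Profile 6 string


def encode_fortinet_vsa(sub_type, value):
    """Build one Vendor-Specific attribute carrying a single Fortinet sub-attribute."""
    payload = value.encode()
    sub = struct.pack("!BB", sub_type, 2 + len(payload)) + payload
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_fortinet_vsas(attrs):
    """Walk a RADIUS attribute blob and return {sub_type: value} for vendor 12356 only."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")      # never guess on truncated data
        if atype == VSA_TYPE and alen >= 8 and struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == FORTINET_VENDOR_ID:
            sub, spos = attrs[pos + 6:pos + alen], 0
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                found[stype] = sub[spos + 2:spos + slen].decode(errors="replace")
                spos += slen
        pos += alen
    return found


def resolve_admin_profile(attrs, configured_profiles, wildcard_profile, override_enabled=True):
    """Assumed FAZ behaviour (modelled on the thread, not on Fortinet documentation)."""
    name = decode_fortinet_vsas(attrs).get(FORTINET_ACCESS_PROFILE)
    if not override_enabled or name is None:
        return wildcard_profile     # Fortinet-Group-Name alone did not work for the FAZ in the thread
    if name not in configured_profiles:
        raise PermissionError(f"access profile {name!r} is not configured: user would be locked out")
    return name


if __name__ == "__main__":
    # Constructed Access-Accept attributes: both VSAs, as neonbit ended up sending from FortiAuthenticator
    reply = encode_fortinet_vsa(FORTINET_GROUP_NAME, "Admin") + encode_fortinet_vsa(FORTINET_ACCESS_PROFILE, "Admin")
    print(decode_fortinet_vsas(reply))
    print(resolve_admin_profile(reply, {"Admin", "Report-read-only"}, "wildcard_default"))
```

Running the script against a capture from a real NPS reply would show immediately whether sub-attribute 6 is present, which is the difference AtiT ran into above.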

emnoc
Esteemed Contributor III

Great, can you debug the radius accept/response on that radius server?

 

I have little experience with the MS RADIUS and NPS, but I'm sure there is some debug method. If you have a radtest-equivalent diagnostic command, you can try that also.

 

 

PCNSE NSE StrongSwan

AtiT
Valued Contributor

Hi,

Yes, I did it. It is working now. The problem was with the RADIUS server, where another network policy caught the authentication request, and if the profile does not match, the profile defined under the admin user is applied.

 

Thank you for support.

AtiT

wifisupport
New Contributor

Hi all, do you know if it is possible to configure TACACS for FortiAnalyzer? I tried to configure it but authorization doesn't work properly. Thanks in advance! A.
