Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Catch-all RADIUS client?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Catch-all RADIUS client?
Running FAC 5.4.1 in HA.
We have several different RADIUS clients defined on our FAC. Mostly for VPN systems. Different systems use different realms, or are not sourced from contiguous IP space.
I would like to have our FortiGate administrator access controlled by FAC. However they all come from various IP space, and defining a RADIUS client for each one is not feasible.
I tried to define a new RADIUS client using client source IP of 0.0.0.0 and defined a matching RADIUS client attribute. However, what I observed is that the FAC matched this entry first, instead of matching the more specific RADIUS client entries with specific source IPs defined. Even after removing that entry, the matching still occurred as shown in the RADIUS debug logs. I had to reboot the FAC to get VPN authentication working again.
Is there a way to define a catch-all RADIUS client entry that is only used if a more specific entry does not match? Or a way to sort RADIUS client profiles to force which ones the FAC evaluates first?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm probably missing how many FortiGates (FGT), where you want admin auth from FortiAuthenticator (FAC), you have.
If this si more than one FGT, then I guess those are coming to FAC through some management VLAN/NET, right? Alt. try to supernet those into some common subnet/range.
Q: Is there a way to define a catch-all RADIUS client entry that is only used if a more specific entry does not match?A:
AFAIK no, Clients are supposed to address specific NAS-es. And I would also suggest to consider this limitation as first step of protection. As attacker who is unable to fake correct NAS-ID or source IP will not be served.
If you do implement something like catch-all NAS, then you will disable/disarm this initial test/requirement and protection completely. For me it's bad idea.
Q: Or a way to sort RADIUS client profiles to force which ones the FAC evaluates first?
A:
Note in profile config states this clearly I think:
Profiles will be applied in top-to-bottom order based on matching RADIUS attributes.
If the profile has no attributes to match, that profile will always be applied before any beneath it.
So try to combine profiles, profile ordering and "Apply this profile based on RADIUS attributes." with realms.
Hint: if there is no matching realm in profile, user will be tried to authenticate against realm marked as 'Default'.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have upwards of 500 FortiGates. Most are not using a common management subnet.
Profiles will be applied in top-to-bottom order based on matching RADIUS attributes.
There is no way I can see to control the evaluation of RADIUS client definitions when there is multiple matching source IP addresses. Ie, if one RADIUS client has source IP of 10.0.0.0/24 defined as the source, and another has 10.10.10.10/32 defined, the behavior of which will be examined first is not predictable. In my limited testing, the RADIUS session will be matched against the least specific (10.0.0.0/24) first - which is often undesirable. To combine profiles would require all all clients (profiles) use the same RADIUS PSK, which may not be desirable either.
Ideally the RADIUS client list would function more like a standard ACL ruleset. Where these rules can be sorted to force specific evaluation priority. Doing so would greatly increase the flexibility and power of the FAC system in my opinion. Additionally, each RADIUS client definition would support multiple source IP address entries, to accommodate disparate network segmentation present in the real world. So that a new system of the same type can be easily merged into FAC authentication, w/o having to replicate another RADIUS client definition.
Thanks for the reply. I will ask my SE about this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After working with my SE I was able to get this working, specifying a range of "0.0.0.0-224.0.0.0".
I have several more specific entries based on source IP address that have continued to function normally after adding that new client.
Attached is screenshot showing how I configured it to specifically handle administrative access to FortiGate firewalls.
Edit: can't get image to upload. its here on imgur for the time being:
[link]https://imgur.com/AfpgsHz[/link]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- external 2FA for ftgt ssl vpn 346 Views
- Radius and syslog fails 248 Views
- What FortiOS Event Logs should i... 868 Views
- EAP-TLS for Remote Users 496 Views
- Best practices for securing corporate wifi... 488 Views
Labels
-
FortiGate
8,082 -
FortiClient
1,624 -
5.2
801 -
FortiManager
682 -
5.4
639 -
FortiAnalyzer
518 -
FortiAP
427 -
FortiSwitch
426 -
6.0
416 -
FortiClient EMS
366 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
179 -
FortiNAC
163 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
System settings
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1517 | |
| 1013 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.