Hi,
does anybody know if it's possible to configure an IP Subnet instead of a single IP or FQDN for a Client in Radius Service?
For example, in Freeradius you can define:
    client 192.168.1.0/24 {
        secret = VERYSECRETSTRING
    }

or

    client private-network-1 {
        ipaddr = 192.168.1.0
        netmask = 24
        secret = VERYSECRETSTRING
        shortname = private-network-1
    }
Thank you.
Regards.
Jorge.
This is not currently supported, each RADIUS client IP must be specified.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
I don't think so. To answer where you might be going with this, you can import numerous predefined radius_clients in the authenticator from a CSV file. This will help if you have bulk clients to include.
I believe each client has to be uniquely defined, hence why you can't do the wildcard. Not sure if anything changed in 3.3, but might want to pull the release notes down and review.
PCNSE
NSE
StrongSwan
Thank you guys for the answers.
Actually we are implementing it for a customer with 50+ switches (among other devices that use RADIUS) and it would have been very helpful, but we'll use CSV import.
Maybe I'll pass a NFR.
Regards.
Jorge.
Did you pull the FAC.3.3 or .1 release notes down? It was released a few days back iirc. I didn't recall any big new items or changes, just bug fixes, but maybe, just maybe, FTNT added it.
I've asked my SSE team for a bulk configuration tool a few months back, but I'm not holding my breath. If they get enough requests, then FTNT might take action.
PCNSE
NSE
StrongSwan
I have just read it and there's nothing relevant. I'll give it a try in a VM, just in case.... you never know....;-)
Ok, I'll talk to SE team here to +1 this, maybe someday.......
Ty.
Regards.
As per previous response this is not supported (even in the latest patch). Each NAS/Auth Client must be defined either by manual method or CSV import.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Thanks Carl
We had the same struggles and didn't find out about the CSV import till later on, after we migrated. It would be nice if we had a simple bulk tool for adding multiple clients, and ALL using the same shared radius-secret per client. If you're pushing more than 30+ clients, this would be helpful.
Ideally it would be nice to have a cfgmaker that takes the popular RAS cfg and rebuilds it for the FAC, but then most of the competition doesn't have that function either.
just my suggestion.
PCNSE
NSE
StrongSwan
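The conversion wished for in the thread, sketched as an added example (not part of any post and not a Fortinet tool): it expands FreeRADIUS-style subnet client blocks into one row per device, ready for a CSV import. The `name,ip,secret` column layout, the `nas` name prefix and the `max_hosts` limit are assumptions; match the columns to the import format documented for your FortiAuthenticator release.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the FreeRADIUS clients.conf style quoted in the question.
SAMPLE_CLIENTS_CONF = """
client 192.168.1.0/30 {
    secret = VERYSECRETSTRING
}
client private-network-1 {
    ipaddr = 10.0.0.8
    netmask = 31
    secret = VERYSECRETSTRING
    shortname = private-network-1
}
"""

CLIENT_BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{([^}]*)\}", re.M)
ITEM = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$", re.M)


def expand_clients(conf_text, max_hosts=1024):
    """Return one (name, ip, secret) row per host address in each client block."""
    rows = []
    for label, body in CLIENT_BLOCK.findall(conf_text):
        items = dict(ITEM.findall(body))
        if "secret" not in items:
            raise ValueError(f"client {label}: no secret defined")
        if "ipaddr" in items:
            cidr = f"{items['ipaddr']}/{items.get('netmask', '32')}"
        else:
            cidr = label
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > max_hosts:
            # Refuse huge ranges: every row is a device trusted to send auth requests.
            raise ValueError(f"client {label}: {net} exceeds {max_hosts} addresses")
        # /31 and /32 have no network/broadcast address to skip.
        short = net.prefixlen >= net.max_prefixlen - 1
        hosts = list(net) if short else list(net.hosts())
        prefix = items.get("shortname", "nas")
        rows += [(f"{prefix}-{ip}", str(ip), items["secret"]) for ip in hosts]
    return rows


def to_csv(rows):
    """Serialize rows; the name,ip,secret header is a hypothetical layout."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["name", "ip", "secret"])
    writer.writerows(rows)
    return out.getvalue()
```

The generated file holds the shared secrets in cleartext, so write it with restrictive permissions and delete it once the import is done.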