jorge_barattini
New Contributor

FAC 3.3 - IP Subnet as client in Radius Service

Hi,

Does anybody know if it's possible to configure an IP subnet instead of a single IP or FQDN for a client in the RADIUS service?

For example, in FreeRADIUS you can define:

client 192.168.1.0/24 {
    secret = VERYSECRETSTRING
}

or

client private-network-1 {
    ipaddr = 192.168.1.0
    netmask = 24
    secret = VERYSECRETSTRING
    shortname = private-network-1
}

Thank you.

Regards.

Jorge.

7 Replies
Carl_Windsor_FTNT

This is not currently supported; each RADIUS client IP must be specified.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

emnoc
Esteemed Contributor III

I don't think so. To answer where you might be going with this, you can import numerous predefined radius_clients in the authenticator from a CSV file. This will help if you have bulk clients to include.

I believe each client has to be uniquely defined, hence why you can't do the wildcard. Not sure if anything changed in 3.3, but you might want to pull the release notes down and review.

 

 

PCNSE NSE StrongSwan
jorge_barattini

Thank you guys for the answers.

Actually we are implementing it for a customer with 50+ switches (among other devices that use RADIUS) and it would have been very helpful, but we'll use CSV import.

 

Maybe I'll pass an NFR.

 

Regards.

 

Jorge.

emnoc
Esteemed Contributor III

Did you pull the FAC.3.3 or .1 release notes down? It was released a few days back, IIRC. I didn't recall any big new items or changes, just bug fixes, but maybe, just maybe, FTNT added it.

I've asked my SSE team for a bulk configuration tool a few months back, but I'm not holding my breath; if they get enough requests, then FTNT might take action.

 

 

 

jorge_barattini

I have just read it and there's nothing relevant. I'll give it a try in a VM, just in case.... you never know....;-)

 

Ok, I'll talk to SE team here to +1 this, maybe someday.......

 

Ty.

 

Regards.

Carl_Windsor_FTNT

As per previous response this is not supported (even in the latest patch).  Each NAS/Auth Client must be defined either by manual method or CSV import.

 

Dr. Carl Windsor Field Chief Technology Officer Fortinet

emnoc
Esteemed Contributor III

Thanks Carl

 

We had the same struggles and didn't find out about the CSV import till later on, after we migrated. It would be nice if we had a simple bulk tool for adding multiple clients, ALL using the same shared radius-secret per client. If you're pushing more than 30+ clients, this would be helpful.

Ideally it would be nice to have a cfgmaker that takes the popular RAS cfg and rebuilds it for the FAC, but then most of the competition doesn't have that function either.

Just my suggestion.

 

 

 

 

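Added example (not part of the thread, and not Fortinet or FreeRADIUS code): one way to turn FreeRADIUS-style subnet client blocks, in the two forms quoted in the question, into one row per host address for a CSV import. The CSV column order, the generated client names and the `max_clients` guard are assumptions; match the columns to the import format documented for your FortiAuthenticator release.

```python
import csv
import io
import ipaddress
import re

# Constructed sample using the two FreeRADIUS client styles from the question.
SAMPLE_CLIENTS_CONF = """
client 192.168.1.0/30 {
    secret = VERYSECRETSTRING
}
client private-network-1 {
    ipaddr = 10.0.0.8
    netmask = 29
    secret = OTHERSECRET
    shortname = private-network-1
}
"""

BLOCK_RE = re.compile(r"client\s+([^\s{]+)\s*\{([^}]*)\}")
ITEM_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def expand_clients(conf_text, max_clients=1024):
    """Return one (name, ip, secret) row per host address in each client block."""
    rows = []
    for label, body in BLOCK_RE.findall(conf_text):
        items = dict(ITEM_RE.findall(body))
        if "ipaddr" in items:
            cidr = f"{items['ipaddr']}/{items.get('netmask', '32')}"
        else:
            cidr = label  # the "client 192.168.1.0/24 { ... }" form
        net = ipaddress.ip_network(cidr, strict=True)  # rejects stray host bits
        if net.num_addresses > max_clients:
            raise ValueError(f"{cidr} is too large to expand; list real device IPs")
        hosts = list(net.hosts()) or [net.network_address]  # /32 on older Pythons
        base = items.get("shortname", "client")
        rows += [(f"{base}-{ip}", str(ip), items["secret"]) for ip in hosts]
    return rows


def to_csv(rows):
    # Column order (name, IP, secret) is an assumption, not the FAC import layout.
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(expand_clients(SAMPLE_CLIENTS_CONF)), end="")
```

Every expanded row inherits the secret of its source block, so the result is no tighter than the subnet entry it came from; trimming the rows to addresses that are real NAS devices before import is what narrows the client list.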