So I'd like to get some clarification, please, on whether what I believe I'm seeing is correct. I'm trying to configure RADIUS authentication on a Cisco SG500X switch using the FortiAuthenticator for RADIUS. The "Small Business" Cisco switches don't have a full version of IOS running on them, but I have this working: when a member of a Remote LDAP group on the FA logs into the switch over SSH it will log them in with priv lvl 1. What I want is to boost this to priv lvl 15, and on a normal IOS switch you would return the Cisco-Av-Pair = priv-lvl-15 RADIUS attribute.
I have attempted to configure this attribute, along with Service-Type = Administrative-User, against my Remote LDAP group, but a packet capture shows that the FA is not sending the RADIUS attributes at all in its Access-Accept packet.
My question is, is this because the FA is looking for a Vendor-Specific(26) of Cisco as opposed to CiscoSystems in the Access-Request packet? See the AVPs from Wireshark:
Access-Request:
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x92 (146)
    Length: 91
    Authenticator: dc040000eb67000083260000a5500000
    [The response to this request is in frame 16]
    Attribute Value Pairs
        AVP: l=13 t=User-Name(1): **********
            User-Name: **********
        AVP: l=18 t=User-Password(2): Encrypted
            User-Password (encrypted): **********
        AVP: l=24 t=Vendor-Specific(26) v=ciscoSystems(9)
            VSA: l=18 t=Cisco-AVPair(1): shell:priv-lvl=1
                Cisco-AVPair: shell:priv-lvl=1
        AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
            NAS-IP-Address: 0.0.0.0
        AVP: l=10 t=Acct-Session-Id(44): 0500009D
            Acct-Session-Id: 0500009D
Access-Accept:
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x92 (146)
    Length: 20
    Authenticator: 9f843da063da5f24b06058248e81534b
    [This is a response to a request in frame 15]
    [Time from request: 0.007331000 seconds]
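For comparison with the empty Access-Accept above (Length 20, no AVPs), here is an added example, not from the post or from Fortinet or Cisco, that builds the Access-Accept a RADIUS server would return for this request when it does carry Service-Type = Administrative-User and a Cisco-AVPair, using the same `shell:priv-lvl=` string format the switch itself sends in its Access-Request, and a parser and Response Authenticator check you can run over such a reply. The shared secret is made up; the request authenticator and identifier are the ones in the capture, and the encoding follows RFC 2865.

```python
import hashlib
import struct

# Constructed for this example: the secret is made up; the request authenticator is the one in the post's capture.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes.fromhex("dc040000eb67000083260000a5500000")
CISCO_VENDOR_ID = 9  # IANA enterprise number shown as ciscoSystems(9) in Wireshark

def avp(attr_type, value):
    """Encode one RFC 2865 attribute: Type(1) Length(1) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def service_type(kind=6):
    """Service-Type(6) as a 4-byte integer; 6 = Administrative-User."""
    return avp(6, struct.pack("!I", kind))

def cisco_avpair(text):
    """Vendor-Specific(26): vendor-id 9, vendor-type 1 (Cisco-AVPair), string."""
    return avp(26, struct.pack("!I", CISCO_VENDOR_ID) + avp(1, text.encode()))

def access_accept(ident, request_auth, attrs, secret):
    """Access-Accept (code 2); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; an altered or forged reply fails."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected

def parse_attrs(packet):
    """Walk the AVPs; decode Service-Type to int and Cisco-AVPair to text."""
    out, pos = [], 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        v = packet[pos + 2:pos + l]
        if t == 6:
            out.append((t, struct.unpack("!I", v)[0]))
        elif t == 26 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            out.append((t, v[6:4 + v[5]].decode()))  # v[4] vendor-type, v[5] vendor-length
        else:
            out.append((t, v))
        pos += l
    return out
```

Running `parse_attrs` over the 20-byte Access-Accept from the capture returns an empty list, which is exactly the symptom described; a reply carrying the two attributes comes out at 51 bytes with `(6, 6)` and `(26, "shell:priv-lvl=15")`.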
Duplicate of https://forum.fortinet.com/tm.aspx?m=139574. Answer can be found there.
Dr. Carl Windsor Field Chief Technology Officer Fortinet