Support Forum
Alex_talmage

FortiAuthenticator and Cisco SG500X

So I'd like to get some clarification, please, on whether what I believe I'm seeing is correct. I'm trying to configure RADIUS authentication on a Cisco SG500X switch using the FortiAuthenticator for RADIUS. The "Small Business" Cisco switches don't run a full version of IOS, but I have this working to the point where, when a member of a Remote LDAP group on the FA logs into the switch over SSH, it logs them in with priv lvl 1. What I want is to boost this to priv lvl 15, and on a normal IOS switch you would return the Cisco-Av-Pair = priv-lvl-15 RADIUS attribute.


I have attempted to configure this attribute, along with Service-Type = Administrative-User, against my Remote LDAP group, but a packet capture shows that the FA is not sending the RADIUS attributes at all in its Access-Accept packet.


My question is, is this because the FA is looking for a Vendor-Specific(26) of Cisco as opposed to CiscoSystems in the Access-Request packet? See the AVPs from Wireshark:


Access-Request:

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x92 (146)
    Length: 91
    Authenticator: dc040000eb67000083260000a5500000
    [The response to this request is in frame 16]
    Attribute Value Pairs
        AVP: l=13 t=User-Name(1): **********
            User-Name: **********
        AVP: l=18 t=User-Password(2): Encrypted
            User-Password (encrypted): **********
        AVP: l=24 t=Vendor-Specific(26) v=ciscoSystems(9)
            VSA: l=18 t=Cisco-AVPair(1): shell:priv-lvl=1
                Cisco-AVPair: shell:priv-lvl=1
        AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
            NAS-IP-Address: 0.0.0.0
        AVP: l=10 t=Acct-Session-Id(44): 0500009D
            Acct-Session-Id: 0500009D

Access-Accept:

RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x92 (146)
    Length: 20
    Authenticator: 9f843da063da5f24b06058248e81534b
    [This is a response to a request in frame 15]
    [Time from request: 0.007331000 seconds]
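Added worked example (not part of the original post, and not FortiAuthenticator or Cisco code): a small RADIUS attribute encoder/decoder that shows two things the capture above implies. First, an Access-Accept with Length 20 is nothing but the 20-byte header, so it carries zero attributes; that is what the switch received, and it explains the fallback to priv lvl 1. Second, what an Accept that grants level 15 on a Cisco NAS has to contain: Service-Type = Administrative-User (6) and a Vendor-Specific(26) attribute with vendor id 9 (ciscoSystems) wrapping Cisco-AVPair(1) = "shell:priv-lvl=15", the same string format the switch itself used in its Access-Request. The packet identifier and both authenticators are taken from the posted capture; the shared secret, user name and the zeroed User-Password placeholder are constructed for the example. The Response Authenticator check is included because a NAS must discard an Accept that fails it, which is the first thing to rule out when an Accept appears to be ignored.

```python
import hashlib
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID = 6, 26, 44
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # Service-Type value a Cisco NAS reads as admin access
VENDOR_CISCO = 9                       # IANA enterprise number Wireshark labels ciscoSystems(9)
CISCO_AVPAIR = 1                       # Cisco vendor sub-attribute carrying "shell:priv-lvl=N"
HEADER_LEN = 20                        # code(1) + id(1) + length(2) + authenticator(16)


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (value plus 2-byte header), value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) with vendor-id 9 wrapping one Cisco-AVPair(1) string."""
    sub_value = text.encode()
    sub = bytes([CISCO_AVPAIR, len(sub_value) + 2]) + sub_value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def parse_attributes(data: bytes) -> list:
    """Walk the TLV list that follows the header; Cisco-AVPair VSAs come back as text."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + length]
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and value[:4] == struct.pack("!I", VENDOR_CISCO)
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            attrs.append(("Cisco-AVPair", value[6:].decode(errors="replace")))
        else:
            attrs.append((attr_type, value))
        pos += length
    return attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS datagram into header fields and parsed attributes."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != datagram size {len(packet)}")
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:HEADER_LEN],
            "attrs": parse_attributes(packet[HEADER_LEN:])}


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept answering `request`; Response Authenticator per RFC 2865 section 3."""
    req = parse_packet(request)
    header = struct.pack("!BBH", ACCESS_ACCEPT, req["id"], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + req["authenticator"] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(request: bytes, response: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a NAS must discard responses that fail this."""
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return expected == response[4:HEADER_LEN]


def granted_priv_lvl(access_accept: bytes):
    """Privilege level carried in shell:priv-lvl=N, or None when the Accept has none."""
    for name, value in parse_packet(access_accept)["attrs"]:
        if name == "Cisco-AVPair":
            match = re.fullmatch(r"shell:priv-lvl=(\d+)", value)
            if match:
                return int(match.group(1))
    return None


# Constructed sample data (not from the capture): shared secret, user name and a zeroed
# User-Password placeholder. The request carries the same attribute set the switch sent.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes.fromhex("dc040000eb67000083260000a5500000")   # from the posted capture
REQ_ATTRS = (avp(ATTR_USER_NAME, b"alice")
             + avp(ATTR_USER_PASSWORD, b"\x00" * 16)     # placeholder, not real ciphertext
             + cisco_avpair("shell:priv-lvl=1")          # NAS reports its default level
             + avp(ATTR_NAS_IP_ADDRESS, bytes([0, 0, 0, 0]))
             + avp(ATTR_ACCT_SESSION_ID, b"0500009D"))
ACCESS_REQUEST_PKT = (struct.pack("!BBH", ACCESS_REQUEST, 0x92, HEADER_LEN + len(REQ_ATTRS))
                      + REQUEST_AUTH + REQ_ATTRS)

# The Access-Accept as captured: Length 20 is the bare header, so it carries no attributes.
BARE_ACCEPT = (struct.pack("!BBH", ACCESS_ACCEPT, 0x92, HEADER_LEN)
               + bytes.fromhex("9f843da063da5f24b06058248e81534b"))

# An Accept that would grant level 15 on a Cisco NAS: Service-Type plus the shell VSA.
ADMIN_ATTRS = (avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER))
               + cisco_avpair("shell:priv-lvl=15"))
ADMIN_ACCEPT = build_access_accept(ACCESS_REQUEST_PKT, SECRET, ADMIN_ATTRS)
```

Feeding the captured Accept to `granted_priv_lvl` returns None because `parse_attributes` gets an empty byte string, which is the condition the original poster describes; `ADMIN_ACCEPT` parses to the two attributes a Cisco NAS needs and returns 15. When diagnosing this on a real capture, check the Length field first (20 means nothing was returned) and, if attributes are present but ignored, recompute the Response Authenticator with the switch-side shared secret, since a secret mismatch makes the NAS silently drop the reply.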

1 Solution
Carl_Windsor_FTNT

Duplicate of https://forum.fortinet.com/tm.aspx?m=139574. Answer can be found there.

Dr. Carl Windsor Field Chief Technology Officer Fortinet


