Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bock_samson
New Contributor II

Forticlient Radius Authentication Across IPSEC Tunnel

Currently, I manage small pools of locally configured building engineer accounts on several remote sites (all fortigate) that hub&spoke topology back to our main site. They use forticlient to connect to their local FG network to manage what they need to manage. My boss wants us to move this authentication from me managing local accounts to them authenticating with their AD credentials to our radius server back at the main site. Currently, when clients connect with FC to our main site they use radius auth (MS NPS). 

 

I've configured radius authentication on one of the remote FGs

 

edit "RADIUS-01"
        set server "x.x.x.x" (server IP)
        set secret ENC 32HGInwGoQ0aUnuzGS6FrcSgyB8on8I1Ugyfwm/SeNjKfLNQSbePRS29upRikZo3m34eh3qW5o3E8085RlmzYMu45eCCw9KADJoEdvQkpn5iX2sQS8PKze9rOiKPJ5z6RDR61o7Q9WzC7kxKH9CeOwhxTOj3sWwH0kl/JM/hJnoxPF4gHZD0J5TMOX7ZJVQ9IcF/rA==
        set timeout 30
        set auth-type pap
        set source-ip "x.x.x.x" (local interface gw of subnet allowed to talk across the tunnel)
        set interface-select-method specify
        set interface "CORP" (tunnel interface back to main site)

 

I've tested ping and traceroute sourcing from the local interface and get positive responses so the traffic is allowed across the tunnel from that interface, but I am still getting "Can't contact RADIUS server"

 

Looking for any guidance. 

 

6 REPLIES 6
dbu
Staff
Staff

Hi @bock_samson ,

It looks like the remote Radius server is not responding to these requests. 

You can take a packet capture on the NPS server and see if you receive the Access-Request and what happens with it. 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
bock_samson
New Contributor II

I took the pcaps and tracked the traffic through both firewalls to the NPS server to waiting to hear back from the server admin on what he finds

pminarik
Staff
Staff

"set source-ip" is typically enough when dealing with IPsec tunnels without IPs (which I assume is the problem you're trying to solve with this).

Standard troubleshooting should give you some hints: Do debug flow and packet sniffer on the remote FGT. If it looks good, do the same on the next-hop, etc. up until you hit the NPS server, where you can check packets with Wireshark, or NPS logs with Event Viewer.

[ corrections always welcome ]
funkylicious
SuperUser
SuperUser

Is the FortiGate defined as a client on the RADIUS server, also ports UDP/1812 - UDP/1813 are allowed ?

Usually that would be the main reason that it says that i cant contact it if you have L3 connectivity.

geek
geek
bock_samson

they should be but I have the server admin checking the server

sw2090
SuperUser
SuperUser

I think there is a misunderstanding hiere:

 

- FortiClient does not communicate with the radius. It just does xauth with the FGT. If the user is a radius user or member of a radius user group that is in the VPNs xauth section the FGt will communicate with the radius. So the the source ip in the radius settings should be the ip the Fortigate uses to talk to it.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Labels
Top Kudoed Authors