We have a Fortigate 200E, running firmware 7.6. IP address of 10.10.0.1 (Internal Software Switch).
I deployed a Freeradius Server, IP 10.10.0.11, for RADIUS based 802.1x WPA-Enterprise authentication for Wifi. The Radius Server is up and running, I can run a radtest from my local machine on the network behind the Fortigate and get successful connections.
This issue is when I go to add the FreeRadius information to the Radius Server section on the Fortigate, I am constantly hit with "Can't contact RADIUS server". My secret and IP are correct. I have tried to make a firewall allow rule from internal to internal, source all, and destination 10.10.0.11 with Radius services, but it didn't make any difference.
I've gone through all the Googling I can, tried setting the Source-ip to the Fortigate, nothing I do is letting the Fortigate connect to the Radius Server.
Any help would be appreciated.
Thanks.
Have you tried "radiusd -X" debug mode with the freeRADIUS? What is your freeRADIUS saying about the reason of auth failure?
I recently posted below because it was rejected with an error "missing mandatory attribute".
https://community.fortinet.com/t5/Support-Forum/RADIUS-attribute-Message-Authenticator/td-p/327120
Toshi
Ya, I've tried that and debug mode show nothing even trying to connect from the Fortigate. It's like the Fortigate isn't routing to the internal IP at all. I'm seeing nothing in the Fortigate logs either.
Hello @RWHuskies ,
In addition to what @Toshi_Esumi said, have you tried entering source-ip in the radius configuration?
config user radius
edit <YOUR_RADIUS_OBJECT_NAME>
set source-ip <x.x.x.x>
end
Created on 08-15-2024 08:56 AM Edited on 08-15-2024 09:21 AM
Yes, I've set the source-ip to the internal interface IP (same as the Fortigate 10.10.0.1) with no change in behaviour. freeradius -X debug mode shows no attempts from the Fortigate. I'm seeing no calls from the Fortigate to the radius server in the Fortigate logs either.
Hello RWHuskies.
Can you please run sniffer on fortigate for your radius server and also do packet capture on outgoing interface to check packet.
Please run below sniffer command.
# diag sniffer packet any "host x.x.x.x" 4 0 l ---> x.x.x.x should be your radius server ip address.
Do a packet capture on connected interface and checked for radius request.
Please click on below link and reference document.
Hi all.
Okay so I was looking for the logs in the wrong place. The Fortigate is trying to connect the the radius server on port 13777 instead of port 8192. If I manually change the port on the radius server to use port 13777, I get a connection and the Radius Server works.
Why would the Fortigate be trying to use port 13777 instead of 8192?
Hi @RWHuskies ,
Normally FortiGate uses port 1812 by default. What you experienced is interesting, to be honest.
Is there any device that does NAT?
However, can you revert the configuration to its previous state and check the port of the requests coming out of Fortigate with the following sniffer command?
diag sniffer packet any "host x.x.x.x" 4 a
There are two places where you can configure radius-port. Check below:
config system global
get | grep radius-port
end
config user radius
edit <radius-name>
get | grep radius-port
next
end
I'm not sure about the different between those two. But I'm guessing the format is system-wide radius port, which is used when you don't specify at each radius config. And the latter would override the global port setting per radius.
Of course, as @ozkanaltas said, if nothing is configured specifically the default radius port is always 1812. radius accounting is 1813.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.