Hello Everyone,
I'm trying to set up RADIUS for FortiGate logins and I'm having an issue. When I run the authentication tests from the GUI, it says it's successful, but then when trying to log in to the device, I get the message "Authentication failure." It's really quick too, as if it's looking for a local account. Any help would be appreciated.
Thanks!
What RADIUS server are you using? The most common cause of that is the RADIUS server not sending back the group information in the Access-Accept.
See this article for NPS: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-define-group-based-authorization/ta...
You used the "Test User Credentials" button, instead of "Test Connectivity", from the GUI when you tested it, right? Then the credential (username/password) is fine, and probably your group config and/or admin config has a problem.
Show us both in CLI or GUI. In CLI, those are under "config user group" and "config system admin".
Toshi
Correct, "Test User Credential" works in the GUI.
Here you are:
Test-FG40-1 # config user group
Test-FG40-1 (group) # sh
config user group
edit "SSO_Guest_Users"
next
edit "Guest-group"
set member "guest"
next
edit "NPS_FGT_Admins"
set member "RADIUS"
next
end
Test-FG40-1 # conf sys admin
Test-FG40-1 (admin) # sh
config system admin
edit "admin"
set trusthost1 10.0.0.0 255.0.0.0
set trusthost2 172.16.0.0 255.240.0.0
set trusthost3 192.168.0.0 255.255.0.0
set accprofile "super_admin"
set vdom "root"
set password ENC <password>
next
end
I just figured it out after I replied. I needed to add the admin account for RADIUS. I appreciate your help!
You don't have a remote admin created. It could be like:
config system admin
edit "radius-admin"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set wildcard enable
set remote-group "NPS_FGT_Admins"
next
end
Toshi
Are you referencing a specific RADIUS group or all groups? If referencing a specific group, you need to configure a VSA on the RADIUS server to send the group name to the FortiGate. If this is not the case and you are referencing all groups, then try the following CLI command to give you a clue about what's going on, as in the first article:
Thank you
When I try to log in to the Fortigate device, I get an "Authentication failure" message almost instantly, as if it’s bypassing the RADIUS server and checking for a local account instead.
Created on 09-09-2024 10:01 AM Edited on 09-09-2024 10:02 AM
You can't remote-authenticate a username which exists in the local admin config, such as "admin". FGT looks up local admins first, before contacting the RADIUS server based on the "set wildcard enable" I showed in the RADIUS admin user config.
If you want to confirm, you can always sniff packet like below:
diag sniffer packet any "port 1812" 4 0 l
to see if the auth request packets are going out.
Toshi
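To make the lookup order described in the two replies above concrete (the remote admin entry with "set wildcard enable" and "set remote-group", and the point that a locally defined username such as "admin" is never sent to RADIUS), here is a small Python model. It is an added illustration, not code from this thread and not FortiOS code; the admin table, the RADIUS "database", the replies, and the exact ordering of the checks are constructed assumptions for the example. The group check stands in for the Fortinet-Group-Name VSA that the NPS article above tells you to return in the Access-Accept.

```python
"""Hypothetical model of how a FortiGate dispatches an admin login (added example).

Rules modelled from the thread:
  1. A username that exists as a local admin is checked locally and RADIUS is
     never contacted, which is why the failure comes back instantly.
  2. Any other username is forwarded to RADIUS only if a remote admin entry with
     "set wildcard enable" exists; its profile applies only when the Access-Accept
     carries a group name matching that entry's "set remote-group".
The precise matching order inside FortiOS is an assumption made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Admin:
    name: str
    accprofile: str
    remote_auth: bool = False
    wildcard: bool = False
    remote_group: Optional[str] = None
    password: Optional[str] = None  # toy plaintext, local admins only


@dataclass
class RadiusReply:
    accept: bool
    groups: Tuple[str, ...]  # group names from the Access-Accept, empty if none sent


# Constructed RADIUS server: username -> (password, groups the server returns)
RADIUS_DB = {
    "alice": ("alice-pw", ("NPS_FGT_Admins",)),
    "bob": ("bob-pw", ()),  # valid account, but the server sends no group attribute
}


def radius_auth(user: str, password: str) -> RadiusReply:
    """Constructed stand-in for the real RADIUS exchange on UDP 1812."""
    entry = RADIUS_DB.get(user)
    if entry is None or entry[0] != password:
        return RadiusReply(False, ())
    return RadiusReply(True, entry[1])


# Constructed admin table mirroring the thread: local "admin" plus the wildcard entry
ADMINS = [
    Admin("admin", "super_admin", password="local-secret"),
    Admin("radius-admin", "super_admin", remote_auth=True, wildcard=True,
          remote_group="NPS_FGT_Admins"),
]


def admin_login(user: str, password: str, admins: List[Admin] = ADMINS,
                radius: Callable[[str, str], RadiusReply] = radius_auth):
    """Return (ok, reason, radius_queries) for one login attempt."""
    queries = 0
    # Step 1: exact-name entries win; a local one is decided without RADIUS
    for a in admins:
        if a.name == user:
            if not a.remote_auth:
                return a.password == password, "local admin checked, RADIUS not contacted", queries
            queries += 1
            return radius(user, password).accept, "exact-name remote admin", queries
    # Step 2: no exact match, so only wildcard remote admins can accept this user
    wildcards = [a for a in admins if a.remote_auth and a.wildcard]
    if not wildcards:
        return False, "no admin entry matches and no wildcard remote admin", queries
    queries += 1
    reply = radius(user, password)
    if not reply.accept:
        return False, "RADIUS sent Access-Reject", queries
    for a in wildcards:
        if a.remote_group in reply.groups:
            return True, f"matched wildcard admin {a.name} ({a.accprofile})", queries
    return False, "Access-Accept carried no group matching a wildcard admin", queries


if __name__ == "__main__":
    for u, p in [("admin", "local-secret"), ("alice", "alice-pw"), ("bob", "bob-pw")]:
        print(u, admin_login(u, p))
```

Running it shows the three situations from the thread side by side: "admin" is decided locally with zero RADIUS queries, "alice" succeeds because her Access-Accept carries the group named in the wildcard entry, and "bob" fails despite valid credentials because the server returned no group; removing the wildcard entry from ADMINS reproduces the original poster's fast failure, since nothing is ever sent to RADIUS.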