kaspervb
New Contributor

FreeRADIUS authentication for admins.

Hi all,


I am trying to configure freeRADIUS authentication for my admin users (for SSL-VPN it already works fine).

tcpdump on the freeRADIUS server:

13:37:01.644817 IP (tos 0x0, ttl 64, id 25529, offset 0, flags [DF], proto UDP (17), length 123)
_gateway.18643 > freeradius.radius: [udp sum ok] RADIUS, length: 95
Access-Request (1), id: 0x18, Authenticator: ff42014eccec17e98bcac1d64831295e
NAS-Identifier Attribute (32), length: 14, Value: FG-PlanetTen
0x0000: 4647 2d50 6c61 6e65 7454 656e
User-Name Attribute (1), length: 8, Value: Kasper
0x0000: 4b61 7370 6572
CHAP-Password Attribute (3), length: 19, Value:
0x0000: da2d 1f86 6bb3 8a73 b7d3 0447 5420 f4f7
0x0010: cc
NAS-Port-Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
Acct-Session-Id Attribute (44), length: 10, Value: 337797f9
0x0000: 3333 3737 3937 6639
Connect-Info Attribute (77), length: 6, Value: test
0x0000: 7465 7374
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)
Vendor Attribute: 3, Length: 4, Value: root
0x0000: 0000 3044 0306 726f 6f74
13:37:01.648991 IP (tos 0x0, ttl 64, id 5016, offset 0, flags [none], proto UDP (17), length 101)
freeradius.radius > _gateway.18643: [bad udp cksum 0x1536 -> 0x7ca3!] RADIUS, length: 73
Access-Accept (2), id: 0x18, Authenticator: 5fa8ccf058121adf70590c06276d9d82
Vendor-Specific Attribute (26), length: 23, Value: Vendor: Unknown (12356)
Vendor Attribute: 1, Length: 15, Value: Firewall_Admins
0x0000: 0000 3044 0111 4669 7265 7761 6c6c 5f41
0x0010: 646d 696e 73
Vendor-Specific Attribute (26), length: 18, Value: Vendor: Unknown (12356)
Vendor Attribute: 6, Length: 10, Value: prof_admin
0x0000: 0000 3044 060c 7072 6f66 5f61 646d 696e
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)
Vendor Attribute: 3, Length: 4, Value: root
0x0000: 0000 3044 0306 726f 6f74


freeRADIUS debug log:

rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
(3) [sql] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) pap: WARNING: Auth-Type already set. Not setting to PAP
(3) [pap] = noop
(3) } # authorize = ok
(3) Found Auth-Type = CHAP
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Auth-Type CHAP {
(3) chap: Comparing with "known good" Cleartext-Password
(3) chap: CHAP user "Kasper" authenticated successfully
(3) [chap] = ok
(3) } # Auth-Type CHAP = ok
(3) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(3) post-auth {
(3) update {
(3) No attributes updated
(3) } # update = noop
(3) sql: EXPAND .query
(3) sql: --> .query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (10)
(3) sql: EXPAND %{User-Name}
(3) sql: --> Kasper
(3) sql: SQL-User-Name set to 'Kasper'
(3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'Kasper', '0xda2d1f866bb38a73b7d304475420f4f7cc', 'Access-Accept', '2020-03-31 13:37:01')
(3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'Kasper', '0xda2d1f866bb38a73b7d304475420f4f7cc', 'Access-Accept', '2020-03-31 13:37:01')
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (10)
(3) [sql] = ok
(3) [exec] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # post-auth = ok
(3) Sent Access-Accept Id 24 from 10.4.0.203:1812 to 10.4.0.1:18643 length 0
(3) Fortinet-Group-Name = "Firewall_Admins"
(3) Fortinet-Access-Profile = "prof_admin"
(3) Fortinet-Vdom-Name = "root"
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 24 with timestamp +708
And lastly, the FortiGate log:
FG-PlanetTen $ diagnose test authserver radius freeRADIUS chap Kasper ******
[2254] handle_req-Rcvd auth req 863475705 for Kasper in freeRADIUS opt=0000001d prot=1
[406] __compose_group_list_from_req-Group 'freeRADIUS'
[615] fnbamd_pop3_start-Kasper
[539] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'freeRADIUS'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1305] fnbamd_rad_dns_cb-10.4.0.203->10.4.0.203
[1280] __fnbamd_rad_send-Sent radius req to server 'freeRADIUS': fd=15, IP=10.4.0.203(10.4.0.203:1812) code=1 id=24 len=95 user="Kasper" using CHAP
[282] radius_server_auth-Timer of rad 'freeRADIUS' is added
[565] create_auth_session-Total 1 server(s) to try
[2515] fnbamd_auth_handle_radius_result-Timer of rad 'freeRADIUS' is deleted
[1742] fnbamd_radius_auth_validate_pkt-Invalid digest
[2531] fnbamd_auth_handle_radius_result-Error validating radius rsp
[2921] handle_auth_rsp-Error (5) for req 863475705
[181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 863475705
authenticate 'Kasper' against 'chap' failed, assigned_rad_session_id=863475705 session_timeout=0 secs idle_timeout=0 secs!
[719] destroy_auth_session-delete session 863475705


So, freeRADIUS and the packet capture actually show an Access-Accept response, so that looks fine to me.

However, for some reason the FortiGate says authentication failed.

I did perform a packet capture on the FortiGate as well in order to determine whether the Access-Accept packet actually arrives there (which is the case, see attached picture).


If someone knows what's going wrong and could explain it to me, I would appreciate it a lot!


kaspervb
New Contributor

Never mind. I just fixed it... I changed the shared secret and had forgotten to restart the freeRADIUS server, so the shared secret DB wasn't reloaded yet....
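Why a reply that freeRADIUS and the capture both show as an Access-Accept still fails on the FortiGate with "fnbamd_radius_auth_validate_pkt-Invalid digest": the NAS does not trust the packet code alone, it recomputes the Response Authenticator, which is MD5 over the reply header, the Request Authenticator it sent, the reply attributes and the shared secret (RFC 2865 section 3). The script below is an added example, not code from the post, from Fortinet or from the FreeRADIUS project. The Access-Request authenticator and the three Fortinet VSAs are the bytes from the capture in the post; the two secrets are hypothetical placeholders, because the real secret is not on the page, so the captured authenticator 5fa8ccf0... cannot be reproduced here. The server builds the reply with the stale secret it still had loaded, the NAS checks it with the new one, and the digest check fails exactly as in the thread.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356  # the "Vendor: Unknown (12356)" in the tcpdump output
# VSA sub-types, named as in the freeRADIUS debug log of the post.
FORTINET_VSA_NAMES = {1: "Fortinet-Group-Name", 3: "Fortinet-Vdom-Name", 6: "Fortinet-Access-Profile"}

# Taken from the capture in the post: the Access-Request authenticator and the
# raw attribute bytes of the Access-Accept (id 0x18, total length 73).
REQUEST_ID = 0x18
REQUEST_AUTHENTICATOR = bytes.fromhex("ff42014eccec17e98bcac1d64831295e")
ACCEPT_ATTRIBUTES = bytes.fromhex(
    "1a17" "00003044" "0111" "4669726577616c6c5f41646d696e73"  # Fortinet-Group-Name = Firewall_Admins
    "1a12" "00003044" "060c" "70726f665f61646d696e"            # Fortinet-Access-Profile = prof_admin
    "1a0c" "00003044" "0306" "726f6f74"                        # Fortinet-Vdom-Name = root
)

# Hypothetical secrets (the real value is not on the page).
STALE_SECRET = b"old-shared-secret"    # what the not-yet-restarted freeRADIUS still used
CURRENT_SECRET = b"new-shared-secret"  # what the FortiGate had been reconfigured with


def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_access_accept(ident, attributes, request_auth, secret):
    """Server side: header, digest computed with the server's secret, then the attributes."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attributes)) + auth + attributes


def validate_response(packet, request_auth, secret):
    """NAS side: recompute the digest with the NAS's own secret and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def parse_fortinet_vsas(attributes):
    """Return {name: value} for the Fortinet vendor-specific attributes in a reply."""
    out = {}
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("bad attribute length at offset %d" % pos)
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            sub_type, sub_len = attributes[pos + 6], attributes[pos + 7]
            if vendor_id == FORTINET_VENDOR_ID and 2 <= sub_len <= alen - 6:
                value = attributes[pos + 8:pos + 6 + sub_len].decode("ascii")
                out[FORTINET_VSA_NAMES.get(sub_type, "Fortinet-%d" % sub_type)] = value
        pos += alen
    return out


def reproduce_thread():
    """Server signs with the stale secret; the NAS verifies with the current one."""
    pkt = build_access_accept(REQUEST_ID, ACCEPT_ATTRIBUTES, REQUEST_AUTHENTICATOR, STALE_SECRET)
    return {
        "length": len(pkt),
        "server_side_ok": validate_response(pkt, REQUEST_AUTHENTICATOR, STALE_SECRET),
        "nas_side_ok": validate_response(pkt, REQUEST_AUTHENTICATOR, CURRENT_SECRET),  # the "Invalid digest"
        "vsas": parse_fortinet_vsas(pkt[20:]),
    }


if __name__ == "__main__":
    for key, value in reproduce_thread().items():
        print(key, value)
```

Running it gives server_side_ok True and nas_side_ok False, which is the pair of logs in the thread: the server logs "Sent Access-Accept" with the right VSAs, the NAS logs "Invalid digest" and reports error 5. The same check also rejects a reply whose attributes were altered in transit (for example a changed Fortinet-Access-Profile), since the attribute bytes are part of the digest input. Note that this is a plain MD5 over packet plus secret, with no Message-Authenticator attribute in this capture, so its value depends entirely on the secret being long, random and held only by the two peers.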
