Hello,
I want to configure SSL VPN authentication using FreeRADIUS, but I want only users belonging to specific group to have access to the network. Users and groups are stored on FreeRADIUS host as a local linux users and groups. How FreeRADIUS user config file should look like to achieve this?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
FortiGate is sending Access-Request with user name and password and in exchange expect either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something but "any" then FortiGate does string comparison of configured towards Fortinet-Group-Name AVP which should be provided by RADIUS server inside Access-Accept. Note that it is simple string comparison, and the group string sent by RADIUS server might not have any relevance to actual user groups on the server itself.
Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):
---
grptest Cleartext-Password := "fortinet" User-Service-Type = Login-User, Group = "group1", Fortinet-Group-Name = "group1"
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
You need to look at the "Fortinet-Group-Name" attribute not 100% sure how the radius conf or user db would look like. But what I would do is to run the freeradius daemon in dbeug mode and see what attribute is being sent by the NAS client ( FGT ) and then research the freeradius forums for examples
I think you can debug this from the fortigate also.
PCNSE
NSE
StrongSwan
FortiGate is sending Access-Request with user name and password and in exchange expect either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something but "any" then FortiGate does string comparison of configured towards Fortinet-Group-Name AVP which should be provided by RADIUS server inside Access-Accept. Note that it is simple string comparison, and the group string sent by RADIUS server might not have any relevance to actual user groups on the server itself.
Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):
---
grptest Cleartext-Password := "fortinet" User-Service-Type = Login-User, Group = "group1", Fortinet-Group-Name = "group1"
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Yeah what he said, the client only sends the NAS_ID user and the encrypted hashed based on secret. You will need to publish in your radius the other attributes.
10:11:30.014958 IP (tos 0x0, ttl 62, id 59575, offset 0, flags [none], proto UDP (17), length 88) x.x.x.x.1043 > 10.2.1.7.1812: [udp sum ok] RADIUS, length: 60 Access Request (1), id: 0x00, Authenticator: 6e9223245dc594207be6c3407c1c49ce NAS ID Attribute (32), length: 8, Value: HOTEL01 0x0000: 4745 5445 5341 Username Attribute (1), length: 14, Value: kfelixsslvpn 0x0000: 6b66 656c 6978 7373 6c76 706e Password Attribute (2), length: 18, Value: 0x0000: ae28 1a68 3263 8358 0934 e71d a1d4 5bf7
I don't know what the check book "enable groups" does on the fortigtate remote authentication but you might want to play around with it.
Hint: If you have a radtest utility on teh radius server, you could probably conduct a radius submittal and see debug the radius server before you pull in the fortigate
btw: here's a snapshot of radtest against a radius service to validate the attribute;
RAD01: RAD01: radtest testing password localhost 0 testing123 Sending Access-Request of id 8 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "password" NAS-IP-Address = 10.200.41.55 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=8, length=42 Service-Type = Login-User Fortinet-Group-Name = "SSLVPNSA" RAD01:
It was done locally before the fortinet_client hope that helps.
PCNSE
NSE
StrongSwan
.. and if you would combine that RADIUS output showing radtest properly populating Fortinet_Group_Name with bellow config, then any user on RADIUS server who present that string ("SSLVPNSA" , and I assume that just selected users will do so) will pass and will be seen as member of the "GRP_RADIUS-1" on FGT
config user group
edit "GRP_RADIUS-1" set member "RADIUS-SERVER.11" config match edit 1 set server-name "RADIUS-SERVER.11" set group-name "SSLVPNSA" next end next
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
NAS Client, in this case FortiGate does not send Fortinet-Group-Name, never! It expect that AVP being provided by NAS server (RADIUS server) in Access-Accept (if user pass authentication).
And then FortiGate compare string-by-string what is in group match config and what he got from RADIUS server. If it matches perfectly (100% match) then the user is considered as member of that group, otherwise he isn't.
"Include in every user group" option is another story.
In CLI it's "set all-usergroup Enable/disable automatically include this RADIUS server to all user groups."
So if used then this RADIUS server is silently used in every possible user group. It is not even listed as member of the group. Handful when you want to add single RADIUS server into too many groups and you know the consequences. Usually it makes more troubles and questions like "why the user passed auth when he is not on member list?".
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thanks for the clarity. Like I said I never seen any string per-se for the group from the NAS client. You can run the server in a debug and see that and confirm.
PCNSE
NSE
StrongSwan
Ok, after some time I've managed to set up RADIUS on Synology device. Very simple and short setup in fact.
There are some non standard config files but generally it is still FreeRAIUS server, inside file located at:
/usr/local/synoradius/rad_users, I have:
DEFAULT Auth-Type = System, Group-Name == "MyGroup"
Fortinet-Group-Name = "MyGroup"
It works as I expected.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.