- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FreeRADIUS using Fortinet-Group-Name attribute
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FreeRADIUS using Fortinet-Group-Name attribute
Hello,
I want to configure SSL VPN authentication using FreeRADIUS, but I want only users belonging to specific group to have access to the network. Users and groups are stored on FreeRADIUS host as a local linux users and groups. How FreeRADIUS user config file should look like to achieve this?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate is sending Access-Request with user name and password and in exchange expect either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something but "any" then FortiGate does string comparison of configured towards Fortinet-Group-Name AVP which should be provided by RADIUS server inside Access-Accept. Note that it is simple string comparison, and the group string sent by RADIUS server might not have any relevance to actual user groups on the server itself.
Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):
---
grptest Cleartext-Password := "fortinet" User-Service-Type = Login-User, Group = "group1", Fortinet-Group-Name = "group1"
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to look at the "Fortinet-Group-Name" attribute not 100% sure how the radius conf or user db would look like. But what I would do is to run the freeradius daemon in dbeug mode and see what attribute is being sent by the NAS client ( FGT ) and then research the freeradius forums for examples
I think you can debug this from the fortigate also.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate is sending Access-Request with user name and password and in exchange expect either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something but "any" then FortiGate does string comparison of configured towards Fortinet-Group-Name AVP which should be provided by RADIUS server inside Access-Accept. Note that it is simple string comparison, and the group string sent by RADIUS server might not have any relevance to actual user groups on the server itself.
Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):
---
grptest Cleartext-Password := "fortinet" User-Service-Type = Login-User, Group = "group1", Fortinet-Group-Name = "group1"
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah what he said, the client only sends the NAS_ID user and the encrypted hashed based on secret. You will need to publish in your radius the other attributes.
10:11:30.014958 IP (tos 0x0, ttl 62, id 59575, offset 0, flags [none], proto UDP (17), length 88) x.x.x.x.1043 > 10.2.1.7.1812: [udp sum ok] RADIUS, length: 60 Access Request (1), id: 0x00, Authenticator: 6e9223245dc594207be6c3407c1c49ce NAS ID Attribute (32), length: 8, Value: HOTEL01 0x0000: 4745 5445 5341 Username Attribute (1), length: 14, Value: kfelixsslvpn 0x0000: 6b66 656c 6978 7373 6c76 706e Password Attribute (2), length: 18, Value: 0x0000: ae28 1a68 3263 8358 0934 e71d a1d4 5bf7
I don't know what the check book "enable groups" does on the fortigtate remote authentication but you might want to play around with it.
Hint: If you have a radtest utility on teh radius server, you could probably conduct a radius submittal and see debug the radius server before you pull in the fortigate
btw: here's a snapshot of radtest against a radius service to validate the attribute;
RAD01: RAD01: radtest testing password localhost 0 testing123 Sending Access-Request of id 8 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "password" NAS-IP-Address = 10.200.41.55 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=8, length=42 Service-Type = Login-User Fortinet-Group-Name = "SSLVPNSA" RAD01:
It was done locally before the fortinet_client hope that helps.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
.. and if you would combine that RADIUS output showing radtest properly populating Fortinet_Group_Name with bellow config, then any user on RADIUS server who present that string ("SSLVPNSA" , and I assume that just selected users will do so) will pass and will be seen as member of the "GRP_RADIUS-1" on FGT
config user group
edit "GRP_RADIUS-1" set member "RADIUS-SERVER.11" config match edit 1 set server-name "RADIUS-SERVER.11" set group-name "SSLVPNSA" next end next
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NAS Client, in this case FortiGate does not send Fortinet-Group-Name, never! It expect that AVP being provided by NAS server (RADIUS server) in Access-Accept (if user pass authentication).
And then FortiGate compare string-by-string what is in group match config and what he got from RADIUS server. If it matches perfectly (100% match) then the user is considered as member of that group, otherwise he isn't.
"Include in every user group" option is another story.
In CLI it's "set all-usergroup Enable/disable automatically include this RADIUS server to all user groups."
So if used then this RADIUS server is silently used in every possible user group. It is not even listed as member of the group. Handful when you want to add single RADIUS server into too many groups and you know the consequences. Usually it makes more troubles and questions like "why the user passed auth when he is not on member list?".
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the clarity. Like I said I never seen any string per-se for the group from the NAS client. You can run the server in a debug and see that and confirm.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, after some time I've managed to set up RADIUS on Synology device. Very simple and short setup in fact.
There are some non standard config files but generally it is still FreeRAIUS server, inside file located at:
/usr/local/synoradius/rad_users, I have:
DEFAULT Auth-Type = System, Group-Name == "MyGroup"
Fortinet-Group-Name = "MyGroup"
It works as I expected.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate Firewall BGP received routes not... 446 Views
- Fortideceptor sso attibutes 202 Views
- WiFi e LAN authentication using certificate... 658 Views
- Disable Policy and Change Note 294 Views
- Trying to get Google Workspace to... 342 Views
Labels
-
FortiGate
7,123 -
FortiClient
1,405 -
5.2
801 -
5.4
639 -
FortiManager
616 -
FortiAnalyzer
453 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
290 -
FortiMail
280 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
101 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
72 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
Routing
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
RADIUS
12 -
NAT
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
OSPF
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
DNS Filter
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Web rating
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1059 | |
| 882 | |
| 523 | |
| 441 | |
| 147 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.