Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FreeRADIUS using Fortinet-Group-Name attribute
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FreeRADIUS using Fortinet-Group-Name attribute
Hello,
I want to configure SSL VPN authentication using FreeRADIUS, but I want only users belonging to specific group to have access to the network. Users and groups are stored on FreeRADIUS host as a local linux users and groups. How FreeRADIUS user config file should look like to achieve this?
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate is sending Access-Request with user name and password and in exchange expect either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something but "any" then FortiGate does string comparison of configured towards Fortinet-Group-Name AVP which should be provided by RADIUS server inside Access-Accept. Note that it is simple string comparison, and the group string sent by RADIUS server might not have any relevance to actual user groups on the server itself.
Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):
---
grptest Cleartext-Password := "fortinet" User-Service-Type = Login-User, Group = "group1", Fortinet-Group-Name = "group1"
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to look at the "Fortinet-Group-Name" attribute not 100% sure how the radius conf or user db would look like. But what I would do is to run the freeradius daemon in dbeug mode and see what attribute is being sent by the NAS client ( FGT ) and then research the freeradius forums for examples
I think you can debug this from the fortigate also.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate is sending Access-Request with user name and password and in exchange expect either Access-Reject (user authentication failed) or Access-Accept (user is OK). If you have a group match set to something but "any" then FortiGate does string comparison of configured towards Fortinet-Group-Name AVP which should be provided by RADIUS server inside Access-Accept. Note that it is simple string comparison, and the group string sent by RADIUS server might not have any relevance to actual user groups on the server itself.
Simple FreeRADIUS config example (user=grptest, password=fortinet, memberOf=group1):
---
grptest Cleartext-Password := "fortinet" User-Service-Type = Login-User, Group = "group1", Fortinet-Group-Name = "group1"
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah what he said, the client only sends the NAS_ID user and the encrypted hashed based on secret. You will need to publish in your radius the other attributes.
10:11:30.014958 IP (tos 0x0, ttl 62, id 59575, offset 0, flags [none], proto UDP (17), length 88) x.x.x.x.1043 > 10.2.1.7.1812: [udp sum ok] RADIUS, length: 60 Access Request (1), id: 0x00, Authenticator: 6e9223245dc594207be6c3407c1c49ce NAS ID Attribute (32), length: 8, Value: HOTEL01 0x0000: 4745 5445 5341 Username Attribute (1), length: 14, Value: kfelixsslvpn 0x0000: 6b66 656c 6978 7373 6c76 706e Password Attribute (2), length: 18, Value: 0x0000: ae28 1a68 3263 8358 0934 e71d a1d4 5bf7
I don't know what the check book "enable groups" does on the fortigtate remote authentication but you might want to play around with it.
Hint: If you have a radtest utility on teh radius server, you could probably conduct a radius submittal and see debug the radius server before you pull in the fortigate
btw: here's a snapshot of radtest against a radius service to validate the attribute;
RAD01: RAD01: radtest testing password localhost 0 testing123 Sending Access-Request of id 8 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "password" NAS-IP-Address = 10.200.41.55 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=8, length=42 Service-Type = Login-User Fortinet-Group-Name = "SSLVPNSA" RAD01:
It was done locally before the fortinet_client hope that helps.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
.. and if you would combine that RADIUS output showing radtest properly populating Fortinet_Group_Name with bellow config, then any user on RADIUS server who present that string ("SSLVPNSA" , and I assume that just selected users will do so) will pass and will be seen as member of the "GRP_RADIUS-1" on FGT
config user group
edit "GRP_RADIUS-1" set member "RADIUS-SERVER.11" config match edit 1 set server-name "RADIUS-SERVER.11" set group-name "SSLVPNSA" next end next
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NAS Client, in this case FortiGate does not send Fortinet-Group-Name, never! It expect that AVP being provided by NAS server (RADIUS server) in Access-Accept (if user pass authentication).
And then FortiGate compare string-by-string what is in group match config and what he got from RADIUS server. If it matches perfectly (100% match) then the user is considered as member of that group, otherwise he isn't.
"Include in every user group" option is another story.
In CLI it's "set all-usergroup Enable/disable automatically include this RADIUS server to all user groups."
So if used then this RADIUS server is silently used in every possible user group. It is not even listed as member of the group. Handful when you want to add single RADIUS server into too many groups and you know the consequences. Usually it makes more troubles and questions like "why the user passed auth when he is not on member list?".
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the clarity. Like I said I never seen any string per-se for the group from the NAS client. You can run the server in a debug and see that and confirm.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, after some time I've managed to set up RADIUS on Synology device. Very simple and short setup in fact.
There are some non standard config files but generally it is still FreeRAIUS server, inside file located at:
/usr/local/synoradius/rad_users, I have:
DEFAULT Auth-Type = System, Group-Name == "MyGroup"
Fortinet-Group-Name = "MyGroup"
It works as I expected.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,685 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
471 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1710 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.