Maerre
Contributor II

IPsec VPN access with FortiAuthenticator Cloud, FortiToken Cloud and EMS

Hello,

I need to configure IPsec VPN access for a few users through the implementation of FortiAuthenticator Cloud, FortiToken Cloud and EMS.
These users should be locally created on FortiAuthenticator Cloud, associated with FortiToken Cloud, and then, with the EMS, I need to check their compliance.
I've correctly deployed the IPsec VPN with local users just for testing and it's working. Now I need to use FAC Cloud: how can I create the users on it and make them visible in the authentication process?
I thought of adding FAC Cloud as a RADIUS server, but obviously it doesn't have an IP, being a SaaS solution.
Did anyone face a similar implementation?
The scope of this scenario is to let the users connect via VPN to the remote resources, and when a new user needs to be granted access, they should only be added on FAC Cloud with their FortiToken Cloud.


Thank you
Regards

rbraha
Staff

Hi @Maerre 

You can use FAC Cloud as a RADIUS server, but you will need to use RadSec in this case; you can use the FQDN of FAC Cloud. Please check the guide below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuration-of-FortiAuthenticator-Cloud/...

Maerre
Contributor II

Hi @rbraha,
Thank you, I'm already working on the configuration. About this sentence:

 

Note: This communication will be over the internet and ensure that port 2083 is not blocked upstream of FortiGate or ISP.

How can I open the communication on the upstream firewall?

Do I need to use the mgmt IP of the FortiGate as source and the FQDN of FAC Cloud as destination?

Thank you

Maerre
Contributor II

Hi @rbraha,

This is the screenshot of my RadSec RADIUS server configuration:
[screenshot: Radsec.jpg]

Do I need to specify something else?

Below is the debug output after clicking the "Test connectivity" button:

fgt-a # diagnose debug app fnbamd -1
Debug messages will be on for 30 minutes.

fgt-a #
fgt-a # diagnose debug en

fgt-a #
fgt-a #
fgt-a #
fgt-a # [1757] handle_req-Rcvd auth req 32757934219266 for test01 in opt=0500000d prot=0 svc=7
[333] __compose_group_list_from_req-Group '', type 1
[508] create_auth_session-Session created for req id 32757934219266
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[347] fnbamd_rad_new-gdf874rd.fortitrustid.forticloud.co
[140] __init_rad_setting-Preping auth servers.
[123] __rad_server_push-Inserted rad server 'gdf874rd.fortitrustid.forticloud.com'.
[357] fnbamd_rad_new-gdf874rd.fortitrustid.forticloud.co created
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[1754] fnbamd_create_ssl_ctx-SSL CTX is created.
[282] __rad_create_ssl_ctx-SSL CTX is created for rad server gdf874rd.fortitrustid.forticloud.co.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x23 'gdf874rd.fortitrustid.forticloud.com'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2023 'gdf874rd.fortitrustid.forticloud.com'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1200] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[807] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x23
[309] fnbamd_dns_parse_resp-req 0x23: 69.167.109.243
[1148] __fnbamd_rad_dns_cb-Resolved gdf874rd.fortitrustid.forticloud.co:gdf874rd.fortitrustid.forticloud.com to 69.167.109.243, cur stack size:-1
[1107] __auth_ctx_svr_push-Added addr 69.167.109.243:2083 from rad 'gdf874rd.fortitrustid.forticloud.co'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'gdf874rd.fortitrustid.forticloud.co': 69.167.109.243:2083.
[1125] __auth_ctx_start-Connection starts gdf874rd.fortitrustid.forticloud.co:gdf874rd.fortitrustid.forticloud.com, addr 69.167.109.243:2083 proto: TCP over TLS
[521] __rad_tcps_open-vfid 0, addr 69.167.109.243, src_ip , ssl_opt 1284, use_ha_relay 0
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 69.167.109.243:2083, source address is null, protocol number is 6, oif id is 0
[544] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[561] __rad_tcps_open-Server identity check is enabled.
[577] __rad_tcps_open-Still connecting 69.167.109.243.
[593] __rad_tcps_open-Start rad conn timer.
[945] __rad_conn_start-Socket 11 is created for rad 'gdf874rd.fortitrustid.forticloud.co'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2023
[35] __fnbamd_dns_req_del-DNS req 0x23 (0xe7b7428) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1148] __fnbamd_rad_dns_cb-Resolved gdf874rd.fortitrustid.forticloud.co:gdf874rd.fortitrustid.forticloud.com to ::, cur stack size:0
[1113] __auth_ctx_svr_push-Failed to add addr gdf874rd.fortitrustid.forticloud.com from rad 'gdf874rd.fortitrustid.forticloud.co'
[477] __rad_tcps_connect-tcps_connect(69.167.109.243) failed: ssl_connect() failed: 167772454 (error:0A000126:SSL routines::unexpected eof while reading).
[1028] __rad_error-Ret 5, st = 0.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[1077] __rad_error-
[603] __rad_tcps_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'gdf874rd.fortitrustid.forticloud.co' is 5, req 32757934219266
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[2802] fnbamd_rad_result-Error (5) for req 32757934219266
[239] fnbamd_comm_send_result-Sending result 5 (nid 0) for req 32757934219266, len=6688
[600] destroy_auth_session-delete session 32757934219266
[1347] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'gdf874rd.fortitrustid.forticloud.co' ctx
[1219] fnbamd_rad_auth_ctx_uninit-
[969] __rad_stop-
[964] __rad_conn_stop-Stop rad conn timer.
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing gdf874rd.fortitrustid.forticloud.co, ref:1
[41] __rad_server_free-Freeing gdf874rd.fortitrustid.forticloud.com, ref:2
[369] fnbamd_rad_free-Freed
[41] __rad_server_free-Freeing gdf874rd.fortitrustid.forticloud.com, ref:1
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[902] fnbamd_pop3s_destroy-
[1070] fnbamd_ext_idps_destroy-
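As an added example (not part of this post or of any Fortinet tooling), a small Python parser that pulls the troubleshooting facts out of fnbamd debug output like the one above. It runs on a constructed, abridged excerpt of the lines quoted in the thread, and the checks it suggests are the ones the thread went on to work through (TLS handshake closed by the peer, no explicit source IP, TCP/2083 upstream, the unusable IPv6 answer).

```python
import re

# Constructed, abridged excerpt of the fnbamd debug lines quoted above (not a live capture).
SAMPLE_LOG = """\
[1148] __fnbamd_rad_dns_cb-Resolved gdf874rd.fortitrustid.forticloud.co:gdf874rd.fortitrustid.forticloud.com to 69.167.109.243, cur stack size:-1
[1125] __auth_ctx_start-Connection starts gdf874rd.fortitrustid.forticloud.co:gdf874rd.fortitrustid.forticloud.com, addr 69.167.109.243:2083 proto: TCP over TLS
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 69.167.109.243:2083, source address is null, protocol number is 6, oif id is 0
[561] __rad_tcps_open-Server identity check is enabled.
[1148] __fnbamd_rad_dns_cb-Resolved gdf874rd.fortitrustid.forticloud.co:gdf874rd.fortitrustid.forticloud.com to ::, cur stack size:0
[1113] __auth_ctx_svr_push-Failed to add addr gdf874rd.fortitrustid.forticloud.com from rad 'gdf874rd.fortitrustid.forticloud.co'
[477] __rad_tcps_connect-tcps_connect(69.167.109.243) failed: ssl_connect() failed: 167772454 (error:0A000126:SSL routines::unexpected eof while reading).
[1286] fnbamd_rad_process-Result from radius svr 'gdf874rd.fortitrustid.forticloud.co' is 5, req 32757934219266
"""

CONN_RE = re.compile(r"Connection starts .*?, addr (\S+):(\d+) proto: (.+)$")
TLS_ERR_RE = re.compile(r"tcps_connect\((\S+)\) failed: (.+)$")
RESULT_RE = re.compile(r"Result from radius svr '([^']+)' is (\d+)")

def summarize_radsec_debug(log):
    """Extract the facts that matter for a RADSEC troubleshooting session from fnbamd output."""
    s = {"server": None, "port": None, "proto": None, "source_ip_explicit": True,
         "identity_check": False, "ipv6_unusable": False, "tls_error": None,
         "result": None, "checks": []}
    for line in log.splitlines():
        if m := CONN_RE.search(line):
            s["server"], s["port"], s["proto"] = m.group(1), int(m.group(2)), m.group(3)
        elif "source address is null" in line:            # no source-ip set on the RADIUS server object
            s["source_ip_explicit"] = False
        elif "Server identity check is enabled" in line:  # FortiGate validates the FAC Cloud certificate
            s["identity_check"] = True
        elif " to ::," in line:                           # AAAA answer came back as '::' and is unusable
            s["ipv6_unusable"] = True
        elif m := TLS_ERR_RE.search(line):
            s["tls_error"] = m.group(2).rstrip(".")
        elif m := RESULT_RE.search(line):
            s["result"] = int(m.group(2))                 # 5 = error, as seen in the thread
    # Next checks, in the order this thread resolved them (not an exhaustive diagnosis).
    if s["tls_error"] and "unexpected eof" in s["tls_error"]:
        s["checks"].append("peer closed the TLS handshake: confirm the IP the request leaves from "
                           "is registered as a RADIUS client on FAC Cloud (FAC /debug shows it)")
    if not s["source_ip_explicit"]:
        s["checks"].append("no source-ip configured: the egress IP follows routing and may not be "
                           "the management IP you expect")
    if s["port"] == 2083:
        s["checks"].append("RADSEC uses TCP/2083: verify it is not blocked upstream of the FortiGate")
    if s["ipv6_unusable"]:
        s["checks"].append("IPv6 address was discarded; only the IPv4 path to FAC Cloud is tried")
    return s
```

Feed it the full `diagnose debug app fnbamd -1` output of a failed "Test connectivity" run; on the excerpt above it reports result 5 with all four checks.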

rbraha

Hi @Maerre 

On FAC Cloud, enter the RADIUS client in this format: select Range and put 0.0.0.0~255.255.255.255, then test the connection again.

If it fails, check the RADIUS debug logs from FAC Cloud (https://<fac-ip>/debug, select RADIUS debug) and see which error it is failing with.

Maerre
Contributor II

@rbraha you are a legend!

I found that the RADIUS client IP was not the IP I had configured. I thought it should have been the management IP of the firewall, but in the FAC debug I saw the request arriving from an IP that I don't recognize (and that is not part of any of my firewall configuration). Putting this IP as the RADIUS client, it's working:

[screenshot: Immagine 2025-06-13 112118.jpg]

Thank you again for your tips!
Now I have to figure out how to associate FortiToken Cloud to the user and set up the EMS.

Maerre
Contributor II

After correctly deploying the RADSEC connection, if I want users to be authenticated through the RADSEC service and a token, where should I configure these users?
On FortiAuthenticator Cloud or on the FortiGate itself?

rbraha

Hi,

End users should reside on the FortiAuthenticator Cloud side with RADIUS policies; when creating user groups in FortiGate you should select the remote RADIUS server as FortiAuthenticator Cloud.

Maerre
Contributor II

Hi @rbraha,

Thank you, I did it as you can see in the screenshot of the RADIUS policy; I've also created the user group associated with the RADIUS server referring to FortiAuthenticator Cloud.

Do the users need to be created on the FAC under User Management -> Local User?
And from this section, can all the settings to associate the FortiToken be configured?
Another part I can't understand is how FortiToken Cloud and FAC Cloud talk together to use the correct token.

[screenshot: radius_policy.jpg]

Thank you

Regards

rbraha

Hi,

Yes, you can create local users in FAC Cloud and assign FortiToken Cloud to them; the user will be listed in the FTC portal as an assigned user, and you can scan the QR code and import it in the FortiToken Mobile application. I would say first make sure that the tunnel is up without a token, then test it by assigning FTC to users.
