Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
theglossy1
New Contributor

Multiple RADIUS Clients

We are wanting to add about 75 devices for RADIUS authentication to the FortiAuthenticator. I want to use password-only authentication, use a particular realm, and apply a group filter to that realm. I don't want to have to do those steps for each device I import. I can see two possibilities that would be better, but they would both require some changes to the programming of the FortiAuthenticator:

[ul]
  • Instead of Client name/IP, you put in a subnet instead (e.g., 10.11.20.0/24).
  • You could allow for more fields on the CSV import file that define things like auth_type,realm,group_filter[/ul]

    But I don't want to wait for some future version of code. Is it possible to do the things I want without having to tweak every single device that gets imported?

     

    Thanks!

  • 1 Solution
    Carl_Windsor_FTNT

    You are correct, what is being requested is not currently supported.  CSV and API do not support setting to this level of granularity.  Please continue as suggested and submit your feature requests through your Fortinet rep.

     

    However......

     

    >Instead of Client name/IP, you put in a subnet instead (e.g., 10.11.20.0/24).

     

    This is already being considered for the 5.0 release.

    Dr. Carl Windsor Field Chief Technology Officer Fortinet

    View solution in original post

    12 REPLIES 12
    jimsokol
    New Contributor III

    I too, have this question, as I may have to perform this for several hundred units. I have not been able to determine if the REST API will allow for this.

    emnoc
    Esteemed Contributor III

    You can import for the clients, which might be what your looking for.

     

    ken

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    jimsokol
    New Contributor III

    CSV only allows for name, IP/host, and optionally, the secret. The task is to avoid to still have to edit to set other things like authentication method and realm (with filtering)

     

    ...jim

    emnoc
    Esteemed Contributor III

    Can't you script that? and map the device name and details in a CSV file & import the file.

     

    ken

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    jimsokol
    New Contributor III

    So how do we do that? All the info I have seen shows that only the three fields I mentioned (name, IP/host, and optionally, the secret) are supported in the CSV.

     

    ...jim

    theglossy1

    What do you mean, "script that"? As I stated in my OP and jimsokol reiterated, the ONLY FIELDS that the CSV accepts are name, IP/host, and optionally, the secret. If you don't know or you're just making wild guesses, please don't keep commenting. Thanks.

    emnoc
    Esteemed Contributor III

    Scripting means take the 75+ devices ( in your scenario ) and populate a CSV. It's not  guessing it's what the rest of the world does that uses FortiAUthentication does.

     

    If you don't know or you're just making wild guesses, please don't keep commenting. Thanks.

     

    WTFM b4 you start calling things out or calling out person that's trying to point you in the right direction. It's very clear as to "HOWTO"  and I believe you still have a cookbook that explain this also.

     

    You populate the name, address etc... What your asking about "ip range" is not a doable solution, they give you the doable by crafting a CSV. Once again WTFM.

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    jimsokol
    New Contributor III

    No offense intended by me. My issue is not with writing a script to generate a CSV with the three fields in it for all of my units, it is with having to edit each client after the fact to set the auth method and realm with proper filtering. The doc for the REST API does not appear to list those items as configurable via that method either.

     

    ...jim

    theglossy1

    I give up. Continuing in this particular thread will accomplish nothing, so I'll go through our Fortinet rep and perhaps they can do one or more of the following to address the situation...

    [ul]
  • Build a more complete CSV solution,
  • add subnet range support, or
  • allow profiles that can be used for multiple RADIUS clients...[/ul]

    ... in the next version of FortiAuthenticator code. Jim, I'll keep you posted if anything happens.

    Cheers

  • Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors