theglossy1
New Contributor

Multiple RADIUS Clients

We are wanting to add about 75 devices for RADIUS authentication to the FortiAuthenticator. I want to use password-only authentication, use a particular realm, and apply a group filter to that realm. I don't want to have to do those steps for each device I import. I can see two possibilities that would be better, but they would both require some changes to the programming of the FortiAuthenticator:

  • Instead of Client name/IP, you put in a subnet instead (e.g., 10.11.20.0/24).
  • You could allow for more fields on the CSV import file that define things like auth_type, realm, group_filter.

    But I don't want to wait for some future version of code. Is it possible to do the things I want without having to tweak every single device that gets imported?

     

    Thanks!

  • 1 Solution
    Carl_Windsor_FTNT

    You are correct, what is being requested is not currently supported.  CSV and API do not support setting to this level of granularity.  Please continue as suggested and submit your feature requests through your Fortinet rep.

     

    However......

     

    >Instead of Client name/IP, you put in a subnet instead (e.g., 10.11.20.0/24).

     

    This is already being considered for the 5.0 release.

    Dr. Carl Windsor Field Chief Technology Officer Fortinet

    jimsokol
    New Contributor III

    I too, have this question, as I may have to perform this for several hundred units. I have not been able to determine if the REST API will allow for this.

    emnoc
    Esteemed Contributor III

    You can import for the clients, which might be what you're looking for.

     

    ken

     

    PCNSE NSE StrongSwan
    jimsokol
    New Contributor III

    CSV only allows for name, IP/host, and optionally, the secret. The task is to avoid still having to edit to set other things like authentication method and realm (with filtering).

     

    ...jim

    emnoc
    Esteemed Contributor III

    Can't you script that? Map the device name and details in a CSV file and import the file.

     

    ken

    PCNSE NSE StrongSwan
    jimsokol
    New Contributor III

    So how do we do that? All the info I have seen shows that only the three fields I mentioned (name, IP/host, and optionally, the secret) are supported in the CSV.

     

    ...jim

    theglossy1

    What do you mean, "script that"? As I stated in my OP and jimsokol reiterated, the ONLY FIELDS that the CSV accepts are name, IP/host, and optionally, the secret. If you don't know or you're just making wild guesses, please don't keep commenting. Thanks.

    emnoc
    Esteemed Contributor III

    Scripting means take the 75+ devices (in your scenario) and populate a CSV. It's not guessing; it's what the rest of the world that uses FortiAuthenticator does.

    >If you don't know or you're just making wild guesses, please don't keep commenting. Thanks.

    WTFM b4 you start calling things out or calling out a person that's trying to point you in the right direction. It's very clear as to "HOWTO" and I believe you still have a cookbook that explains this also.

    You populate the name, address etc... What you're asking about "ip range" is not a doable solution, they give you the doable by crafting a CSV. Once again WTFM.

     

    PCNSE NSE StrongSwan
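
An added sketch of the scripted CSV approach discussed in this thread, not code from any poster or from Fortinet: it expands a subnet into one RADIUS client row per host and gives each client its own random shared secret. The column order (name, IP, secret) follows the fields named in the thread, while the exact file layout, the naming scheme and the function names are assumptions to check against the import documentation.

```python
import csv
import io
import ipaddress
import secrets


def build_client_rows(sites, secret_bytes=24):
    """Expand (name_prefix, CIDR) pairs into one (name, ip, secret) row per host.

    Each client gets its own random shared secret so that one leaked
    secret does not expose every RADIUS client on the subnet.
    """
    rows, seen = [], set()
    for prefix, cidr in sites:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        # hosts() drops network/broadcast addresses; a /32 may yield nothing
        # on older Python versions, so fall back to the single address.
        hosts = list(net.hosts()) or [net.network_address]
        for ip in hosts:
            if ip in seen:
                raise ValueError(f"duplicate client address: {ip}")
            seen.add(ip)
            name = f"{prefix}-{str(ip).replace('.', '-')}"  # hypothetical naming scheme
            rows.append((name, str(ip), secrets.token_urlsafe(secret_bytes)))
    return rows


def to_csv(rows):
    """Serialize rows as name,ip,secret lines (column layout is an assumption)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed input: the subnet from the original post plus one single host.
    sites = [("branch", "10.11.20.0/24"), ("core", "10.11.30.5/32")]
    print(to_csv(build_client_rows(sites)), end="")
```

The generated file holds every shared secret in cleartext, so it needs the same handling as any other credential store. As the thread notes, authentication method, realm and group filter are not covered by the CSV and still have to be set per client.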
    jimsokol
    New Contributor III

    No offense intended by me. My issue is not with writing a script to generate a CSV with the three fields in it for all of my units, it is with having to edit each client after the fact to set the auth method and realm with proper filtering. The doc for the REST API does not appear to list those items as configurable via that method either.

     

    ...jim

    theglossy1

    I give up. Continuing in this particular thread will accomplish nothing, so I'll go through our Fortinet rep and perhaps they can do one or more of the following to address the situation...

  • Build a more complete CSV solution,
  • add subnet range support, or
  • allow profiles that can be used for multiple RADIUS clients...

    ... in the next version of FortiAuthenticator code. Jim, I'll keep you posted if anything happens.

    Cheers
