Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Radius user group mapping problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Radius user group mapping problem
Hello everybody, I have a Fortinet VM-64 (version v5.4.7,build6446 ) to provide SSLVPN service. My customer provides a radius server for SSLVPN authentication. But their radius server can't response group information when doing authentication. So I create many account with radius on the VM-64, and mapping them with different group. But there is a problem with group mapping. When client use a account which exist in the radius server but doesn't exist in the VM-64 to login SSLVPN, it will login success and mapping to group for the first account in the account list. For example: ----------------- I have two account in the VM-64. AAA in radius is group-X (It's the first account in the list) BBB in radius is group-Y There are three account in the radius server.(Because the radius server is not only for SSLVPN) AAA BBB CCC When client use CCC to login SSLVPN, he will login success and mapping to group-X. ------------------- Because different group have different access control list, so it will be a issue in security. And it's strange to mapping a account which doesn't exist to a exist group. It look like a vulnerability or program logic error in the authentication? Could you kindly give me some suggestion to resolve it? Thanks a lot : )
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
to be honest I do not understand your config.
But if you do have SSLVPN bonded to firewall user group, which do contain (is bonded) to RADIUS server.
Then login of CCC is authenticated against the RADIUS, not against your local user on FGVM-64 (as there is no CCC user).
If you do mix local users and RADIUS bond in a single user group ...
config user group
edit "SOME-GROUP"
set member "AAA","BBB","RADIUS-SERVER"
.. then local users like AAA or BBB are checked first (so if there is AAA user on RADIUS-SERVER it will not be checked as local AAA user exist and local users has preference).
If there is no local user then anyone else will be passed and tried against RADIUS-SERVER .. and if server replies Access-Accept, then user is authenticated and allowed to pass through.
If you do want to drive group membership for SSL and divide users into groups according to their presence on RADIUS server, then check RADIUS group match feature of FortiOS (similar feature is for LDAP).
More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xsilver wrote:Hi,
to be honest I do not understand your config.
But if you do have SSLVPN bonded to firewall user group, which do contain (is bonded) to RADIUS server.
Then login of CCC is authenticated against the RADIUS, not against your local user on FGVM-64 (as there is no CCC user).
If you do mix local users and RADIUS bond in a single user group ...
config user group
edit "SOME-GROUP"
set member "AAA","BBB","RADIUS-SERVER"
.. then local users like AAA or BBB are checked first (so if there is AAA user on RADIUS-SERVER it will not be checked as local AAA user exist and local users has preference).
If there is no local user then anyone else will be passed and tried against RADIUS-SERVER .. and if server replies Access-Accept, then user is authenticated and allowed to pass through.
If you do want to drive group membership for SSL and divide users into groups according to their presence on RADIUS server, then check RADIUS group match feature of FortiOS (similar feature is for LDAP).
More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464
Thanks for reply,and sorry for not description my config.
In this situation,there is about 300 accounts on the radius, but just 50 accounts need SSLVPN.
And for some reason, the radius server admin can't divide accounts by whether it need SSLVPN or not on the radius server.
What I want to do is checking username and password by radius server, and mapping group by fortigate.
So I config it on the fortigate like what I do on the Juniper SSLVPN.
1.set a radius server
2.create some group
3.create many accounts with radius,and mapping them to group.
Is this config thinking not functional for fortigate?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if RADIUS admin can add AVP Fortinet-Group-Name into some specific user accounts it would be enough to divide them by use of RADIUS group match.
If you are unable to convince RADIUS admin to change config, then what should work is:
config user radius edit "RADIUS-SERVER" set server "10.10.10.69" set secret SuperSecretPassword
next end
config user local edit "userrad-1" set type radius set radius-server "RADIUS-SERVER" next end
config user group edit "RADIUS-GRP" set member "userrad-1" "userrad-2"
next end
config vpn ssl settings
... other ssl settings you have
config authentication-rule edit 1 set groups "RADIUS-GRP" set portal "full-access" next end end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,thanks for your reply.
My config is set as your second solution.
But it will come out a problem.
For example:
I have create only 2 users and 2 groups like above.
config user local edit "userrad-1" set type radius set radius-server "RADIUS-SERVER" next end
config user local edit "userrad-2" set type radius set radius-server "RADIUS-SERVER" next end
config user group edit "RADIUS-GRP1" set member "userrad-1" next end
config user group edit "RADIUS-GRP2" set member "userrad-2" next end
But if there is userrad-3 on the radius server, Client can use userrad-3 to login SSLVPN, and be recognized as RADIUS-GRP1.
That makes it looks like a security issue....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply.
All other group can only web-access in my config.
But before that, the userrad-3 can login as RADIUS-GRP1.....
I don't have any config about userrad-3, so that I really don't what logic can fortigate do to let userrad-3 can login as RADIUS-GRP1.....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello , is there any solution for this situation?
Thanks: )
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ask for a radius that can sent group replies ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes he can, but he can't set a sslvpn group for me.....
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- ForticlientVPN - Permission denied (-455) 694 Views
- FortiOS 7.6.0 Build3401 - RadSec TLS... 566 Views
- Radius connection does not work anymore... 968 Views
- external 2FA for ftgt ssl vpn 577 Views
- FortiNAC with Aruba 4100 Problem 455 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.