Hello everybody, I have a Fortinet VM-64 (version v5.4.7,build6446 ) to provide SSLVPN service. My customer provides a radius server for SSLVPN authentication. But their radius server can't response group information when doing authentication. So I create many account with radius on the VM-64, and mapping them with different group. But there is a problem with group mapping. When client use a account which exist in the radius server but doesn't exist in the VM-64 to login SSLVPN, it will login success and mapping to group for the first account in the account list. For example: ----------------- I have two account in the VM-64. AAA in radius is group-X (It's the first account in the list) BBB in radius is group-Y There are three account in the radius server.(Because the radius server is not only for SSLVPN) AAA BBB CCC When client use CCC to login SSLVPN, he will login success and mapping to group-X. ------------------- Because different group have different access control list, so it will be a issue in security. And it's strange to mapping a account which doesn't exist to a exist group. It look like a vulnerability or program logic error in the authentication? Could you kindly give me some suggestion to resolve it? Thanks a lot : )
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
to be honest I do not understand your config.
But if you do have SSLVPN bonded to firewall user group, which do contain (is bonded) to RADIUS server.
Then login of CCC is authenticated against the RADIUS, not against your local user on FGVM-64 (as there is no CCC user).
If you do mix local users and RADIUS bond in a single user group ...
config user group
edit "SOME-GROUP"
set member "AAA","BBB","RADIUS-SERVER"
.. then local users like AAA or BBB are checked first (so if there is AAA user on RADIUS-SERVER it will not be checked as local AAA user exist and local users has preference).
If there is no local user then anyone else will be passed and tried against RADIUS-SERVER .. and if server replies Access-Accept, then user is authenticated and allowed to pass through.
If you do want to drive group membership for SSL and divide users into groups according to their presence on RADIUS server, then check RADIUS group match feature of FortiOS (similar feature is for LDAP).
More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
xsilver wrote:Hi,
to be honest I do not understand your config.
But if you do have SSLVPN bonded to firewall user group, which do contain (is bonded) to RADIUS server.
Then login of CCC is authenticated against the RADIUS, not against your local user on FGVM-64 (as there is no CCC user).
If you do mix local users and RADIUS bond in a single user group ...
config user group
edit "SOME-GROUP"
set member "AAA","BBB","RADIUS-SERVER"
.. then local users like AAA or BBB are checked first (so if there is AAA user on RADIUS-SERVER it will not be checked as local AAA user exist and local users has preference).
If there is no local user then anyone else will be passed and tried against RADIUS-SERVER .. and if server replies Access-Accept, then user is authenticated and allowed to pass through.
If you do want to drive group membership for SSL and divide users into groups according to their presence on RADIUS server, then check RADIUS group match feature of FortiOS (similar feature is for LDAP).
More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464
Thanks for reply,and sorry for not description my config.
In this situation,there is about 300 accounts on the radius, but just 50 accounts need SSLVPN.
And for some reason, the radius server admin can't divide accounts by whether it need SSLVPN or not on the radius server.
What I want to do is checking username and password by radius server, and mapping group by fortigate.
So I config it on the fortigate like what I do on the Juniper SSLVPN.
1.set a radius server
2.create some group
3.create many accounts with radius,and mapping them to group.
Is this config thinking not functional for fortigate?
Hi,
if RADIUS admin can add AVP Fortinet-Group-Name into some specific user accounts it would be enough to divide them by use of RADIUS group match.
If you are unable to convince RADIUS admin to change config, then what should work is:
config user radius edit "RADIUS-SERVER" set server "10.10.10.69" set secret SuperSecretPassword
next end
config user local edit "userrad-1" set type radius set radius-server "RADIUS-SERVER" next end
config user group edit "RADIUS-GRP" set member "userrad-1" "userrad-2"
next end
config vpn ssl settings
... other ssl settings you have
config authentication-rule edit 1 set groups "RADIUS-GRP" set portal "full-access" next end end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi,thanks for your reply.
My config is set as your second solution.
But it will come out a problem.
For example:
I have create only 2 users and 2 groups like above.
config user local edit "userrad-1" set type radius set radius-server "RADIUS-SERVER" next end
config user local edit "userrad-2" set type radius set radius-server "RADIUS-SERVER" next end
config user group edit "RADIUS-GRP1" set member "userrad-1" next end
config user group edit "RADIUS-GRP2" set member "userrad-2" next end
But if there is userrad-3 on the radius server, Client can use userrad-3 to login SSLVPN, and be recognized as RADIUS-GRP1.
That makes it looks like a security issue....
Thanks for reply.
All other group can only web-access in my config.
But before that, the userrad-3 can login as RADIUS-GRP1.....
I don't have any config about userrad-3, so that I really don't what logic can fortigate do to let userrad-3 can login as RADIUS-GRP1.....
Hello , is there any solution for this situation?
Thanks: )
Ask for a radius that can sent group replies ?
Yes he can, but he can't set a sslvpn group for me.....
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.