I see this has been added in 7.4, which is a good thing, but it is somehow very limited.
UPDATE: correct link is: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/471933
I would need a little more flexibility concerning the certificate attributes to pass on to Radius.
Why can't I just freely choose any free-text attribute present in the cert? Are there maybe some hidden/CLI commands?
Authentication would be the fact that the user has presented a trusted client cert (issued from one of the installed CAs).
Authorization would come from the Radius server, i.e. the user group / portal to use depends on some attribute from the cert sent to and evaluated by Radius.
Hello jammac,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Does your radius pull your user creds from your windows AD LDAP? If so, you can use your radius as an authentication proxy like you would with FAC. You'll need to make your Fortigate a radius client, then it will proxy authentication requests to ldap. See option 3 here https://vidmate.bid/
Subject value matching is actually more tricky than it seems.
It's not possible to truly filter it as free-form text because the Subject value isn't just plain text. It's a chain of ASN.1 encoded TLV (type-length-value) pairs. And each type is not represented by a simple string such as "CN", but with an OID ("2.5.4.3" for CN). So in order for the FortiGate to be able to filter it, it needs to know it (how it translates to an OID).
With that said, the most common elements are supported (CN, O, OU, DC, ... maybe more?). Is there anything specific in mind that you're missing?
Lastly, while the doc doesn't show it, you can filter for multiple elements, e.g. set subject "CN=John Doe, OU=MyDepartment, O=MyCompany".
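To make the point above concrete, here is an added example (my own illustration, not code from the thread or from Fortinet) that builds a small DER-encoded X.509 Name, parses it back into (OID, value) pairs, and then evaluates a "CN=John Doe, OU=MyDepartment, O=MyCompany" style filter against it. The OID-to-short-name table, the `encode_name`/`parse_name`/`subject_matches` helpers and the sample subject are all constructed for this example; a filter that uses an attribute type with no known OID mapping is rejected, which is exactly the limitation described in the reply.

```python
# Added example: minimal DER encoder/parser for an X.509 Name (certificate Subject)
# and a matcher for a "TYPE=value, TYPE=value" filter. Not Fortinet code.
from typing import List, Tuple

# Short names for common attribute-type OIDs (RFC 4519 / X.520). Anything outside
# this table is only known to the evaluator by its dotted OID.
OID_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "0.9.2342.19200300.100.1.25": "DC",
    "1.2.840.113549.1.9.1": "emailAddress",
}
SHORT_TO_OID = {v: k for k, v in OID_NAMES.items()}


def _tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one per RDN, UTF8String)."""
    sets = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, v.encode("utf-8"))))
        for oid, v in rdns
    )
    return _tlv(0x30, sets)


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der: bytes) -> List[Tuple[str, str]]:
    """Parse a DER Name into (dotted OID, value) pairs; the types come back as OIDs, not text."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = _read_tlv(body, pos)
        assert set_tag == 0x31, "RDN must be a SET"
        spos = 0
        while spos < len(set_body):
            _, atv, spos = _read_tlv(set_body, spos)
            oid_tag, oid_raw, p = _read_tlv(atv, 0)
            assert oid_tag == 0x06, "attribute type must be an OID"
            _, value_raw, _ = _read_tlv(atv, p)
            rdns.append((_decode_oid(oid_raw), value_raw.decode("utf-8")))
    return rdns


def pretty(rdns: List[Tuple[str, str]]) -> str:
    """Render parsed pairs the way a CLI would show them; unknown types stay dotted."""
    return ", ".join(f"{OID_NAMES.get(oid, oid)}={v}" for oid, v in rdns)


def subject_matches(filter_str: str, rdns: List[Tuple[str, str]]) -> bool:
    """True if every 'TYPE=value' in the filter is present in the subject.
    Types without an OID mapping raise: the evaluator cannot filter what it cannot translate.
    (Simple comma split: values containing commas are not handled here.)"""
    present = set(rdns)
    for part in filter_str.split(","):
        k, _, v = part.strip().partition("=")
        if k not in SHORT_TO_OID:
            raise ValueError(f"unsupported attribute type {k!r}: no OID mapping")
        if (SHORT_TO_OID[k], v) not in present:
            return False
    return True


# Constructed sample subject (not from a real certificate).
SAMPLE_SUBJECT = [("2.5.4.3", "John Doe"), ("2.5.4.11", "MyDepartment"), ("2.5.4.10", "MyCompany")]
SAMPLE_DER = encode_name(SAMPLE_SUBJECT)

if __name__ == "__main__":
    print(SAMPLE_DER.hex())
    print(pretty(parse_name(SAMPLE_DER)))
    print(subject_matches("CN=John Doe, OU=MyDepartment, O=MyCompany", parse_name(SAMPLE_DER)))
```

Running it prints the raw DER hex, then the decoded subject and the match result; swap in a filter such as "serialNumber=123" and the matcher refuses it, because the short name has no OID in its table.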
Created on 04-25-2024 06:05 AM Edited on 04-25-2024 06:07 AM
Sure but the problem is sending the info to radius
config user radius
    edit <name>
        set account-key-processing {same | strip}
        set account-key-cert-field {othername | rfc822name | dnsname}   <----- not many options
    next
end
Also it requires adding a local user.... it would be best if it would just take the cert and forward certain attributes to radius for authn/authz.
I'm honestly confused what a realistic real-world usage of this would be. All RADIUS servers I have ever encountered have required a valid password, and I am not quite sure how the FortiGate is supposed to fabulate one here.
I think you'd be better off either using existing and well-tested cert+LDAP integrations (~authenticate with a client-cert, get groups via LDAP, using SAN content as user identity in LDAP lookups).
Or go fully RADIUS with EAP-TLS. (limited number of features that support this: IPsec IKEv2, wifi-auth, switch 802.1x)