Support Forum
DaveCSuite
New Contributor

Trying to connect Fortigate to Radius Server (FortiAuth) over IPSec

I have an established IPSec tunnel with 1 host on each side. Windows AD is local (192.168.11.254) and FortiAuth is remote (1.0.0.231). I have good traffic and the Auth is able to import LDAP users and shows a valid connection.


I am trying to add the Forti 80CM as a Radius client and the test fails.  I ran ping and traceroute from the CLI on the firewall with no success. I ran sniffer and see there is nothing with the firewall IP in the output. 


Policy is wide open, source and destination are "all" and service is "all". No NAT, no security policies.


Do I need to add the firewall to the VPN policy?

I have a feeling I'm missing something easy.


diagnose sniffer packet 'VPN AEWS Static' none 4
interfaces=[VPN AWS Static]
filters=[none]
4.255542 VPN AWS Static -- 10.0.0.231.54034 -> 192.168.11.254.445: psh 3524084358 ack 1433518151
4.256254 VPN AWS Static -- 192.168.11.254.445 -> 10.0.0.231.54034: psh 1433518151 ack 3524084566
4.289899 VPN AWS Static -- 10.0.0.231.54034 -> 192.168.11.254.445: ack 1433518315
4.290021 VPN AWS Static -- 10.0.0.231.54034 -> 192.168.11.254.445: psh 3524084566 ack 1433518315

supportombm
New Contributor III

Hi,

I think the problem is that whenever you configure something from the GUI it always uses the internal interfaces (such as LAN and WAN).

I had that problem with a remote LDAP server.

If you edit that RADIUS server in the CLI you should be able to see a source-ip option:

   set source-ip {string}   Source IP address for communications to the RADIUS server. size[63]

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/918082/user-radius


Let me know.

DaveCSuite

Thanks, I'm not sure what IP to use as the source since I need it to go over the tunnel. I tried the WAN ip the tunnel is bound to without success. I wonder if I can use the name of the tunnel as a source? I'll give that a shot and reply.

DaveCSuite

I guess not:


amdhdqifw01 (AMD_FortiAuth) # set
   *server                                 Primary RADIUS server CN domain name or IP address.
   *secret                                 Pre-shared secret key used to access the primary RADIUS server.
   secondary-server {<name_str|ip_str>}    Secondary RADIUS CN domain name or IP.
   secondary-secret                        Secret key to access the secondary server.
   tertiary-server {<name_str|ip_str>}     Tertiary RADIUS CN domain name or IP.
   tertiary-secret                         Secret key to access the tertiary server.
   timeout                                 Time in seconds between re-sending authentication requests.
   all-usergroup                           Enable/disable automatically including this RADIUS server in all user groups.
   use-management-vdom                     Enable/disable using management VDOM to send requests.
   nas-ip                                  IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
   acct-interim-interval                   Time in seconds between each accounting interim update message.
   radius-coa                              Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
   radius-port                             RADIUS service port number.
   h3c-compatibility                       Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.
   auth-type                               Authentication methods/protocols permitted for this RADIUS server.
   source-ip                               Source IP address for communications to the RADIUS server.
   username-case-sensitive                 Enable/disable case sensitive user names.
   class                                   Class attribute name(s).
   password-renewal                        Enable/disable password renewal.
   password-encoding                       Password encoding.
   *rsso                                   Enable/disable RADIUS based single sign on feature.


supportombm

Try the IP of the local side of the VPN.

Can you try to make a 2 host subnet in the VPN phase 2? Like one for AD and one for the source IP (?)
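As an added example (not configuration posted in this thread), this is what the two pieces of that advice look like together in the FortiOS CLI: phase 2 selectors wide enough to cover the FortiGate's own address, and the RADIUS client pinned to a source-ip on the local side of the tunnel. The RADIUS entry name AMD_FortiAuth, the tunnel name VPN AWS Static and the server address 10.0.0.231 come from the posts above; the LAN interface address 192.168.11.1, the /24 selectors on each side and the secret placeholder are assumptions.

```fortios
# Added example, not from the thread. Assumed values: LAN interface IP
# 192.168.11.1, phase1 named "VPN AWS Static", /24 selectors on each side.
config vpn ipsec phase2-interface
    edit "VPN AWS Static"
        set phase1name "VPN AWS Static"
        # Selectors must include the FortiGate's own source-ip, not only the
        # AD host, or self-originated RADIUS traffic is never put in the tunnel.
        set src-subnet 192.168.11.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end

config user radius
    edit "AMD_FortiAuth"
        set server "10.0.0.231"
        set secret <RADIUS-SHARED-SECRET-PLACEHOLDER>
        # Without this, self-originated traffic is sourced from the egress (WAN)
        # address, which is outside the phase 2 selectors.
        set source-ip 192.168.11.1
    next
end
```

The remote side's selectors must mirror these, and the FortiAuthenticator RADIUS client entry must list the same source address (192.168.11.1 here), since RADIUS validates the client by source IP and shared secret. To confirm the request is actually leaving through the tunnel rather than the WAN interface, capture on the tunnel interface with a port filter, for example diagnose sniffer packet 'VPN AWS Static' 'port 1812' 4, while running the RADIUS connectivity test again.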


DaveCSuite

Awesome! Thank you. I changed the source IP to the LAN interface. I really appreciate your help.

supportombm

You are welcome!
