How to configure NPS to authenticate FortiGate administrators
Hi all,
I face an issue that never occurred before.
I configured a RADIUS server (Windows 2008R2 NPS) to authenticate administrators of a FortiGate (release 5.0.11).
In the Microsoft Event Viewer I see the user who has been granted access, but in the FortiGate log the user's access is refused due to "incorrect password".
Are there some special tricks to be configured?
Any required vendor-specific attributes to be configured on NPS?
many thanks!
Gianluca
You need to use LDAP for [strike]admin[/strike] (should have read SSL VPN) users. With NPM, you need to be authenticated before permission is granted. This is primarily used for AD group filtering for Internet access.
Edited for incorrect content. -rp
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
So I'll remove RADIUS and configure LDAP servers in the FortiGate.
It was the last chance in my mind.
By the way, it was strange that RADIUS cannot be used to authenticate administrators.
Thank you very much!
Gianluca
RADIUS can be used for admin users as well as LDAP and TACACS+, even for wildcard admin users (1:N), so one admin account on the FGT for many matching ones on the RADIUS server. I would suggest checking the KB for "radius admin" or "radius wildcard"; the very first hits/technotes will give you the idea.
Usual caveats are:
- the RADIUS server configured on the FGT is used for admins and users, or even "use in all groups" is turned on; I'd suggest making a dedicated RADIUS server config and firewall user group just for admin authentication
- group match is set but the RADIUS server does not return the set string in the Fortinet-Group-Name AVP, and therefore the group match fails
Another possibility is to open a ticket on support site and attach
- network diagram
- config backup
- RADIUS sniffer (I assume default ports are used, so something like the CLI output from: diag sniffer packet any 'port 1812' 6 0 a)
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
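The second caveat above (NPS not returning the expected string in the Fortinet-Group-Name AVP) is easiest to confirm from the sniffer capture. As an added example, not code from the thread or from Fortinet, the following Python decodes the Vendor-Specific attributes of a RADIUS Access-Accept and reports whether the group name the FortiGate is matching on is actually present; the packet builder and the group name "FGT-Admins" are constructed for the demonstration, and the Fortinet enterprise number 12356 with vendor-type 1 for Fortinet-Group-Name are the real dictionary values.

```python
import struct

FORTINET_VENDOR_ID = 12356   # IANA enterprise number used in Fortinet VSAs
FORTINET_GROUP_NAME = 1      # vendor-type of Fortinet-Group-Name (string)
ACCESS_ACCEPT = 2            # RADIUS packet code
VENDOR_SPECIFIC = 26         # RADIUS attribute type carrying VSAs

def parse_avps(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet; header is 20 bytes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, avps

def fortinet_group_names(packet):
    """Extract every Fortinet-Group-Name string from the Access-Accept's VSAs."""
    code, avps = parse_avps(packet)
    if code != ACCESS_ACCEPT:
        return []
    names = []
    for atype, value in avps:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue            # some other vendor's VSA, e.g. Microsoft
        pos = 4                 # several sub-attributes may share one VSA
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return names

def group_match(packet, expected):
    """Mirror the FortiGate group-match check: the configured string must be returned verbatim."""
    return expected in fortinet_group_names(packet)

def build_accept(group=None):
    """Constructed sample Access-Accept (identifier 7, zero authenticator) for testing."""
    avps = b""
    if group is not None:
        sub = bytes([FORTINET_GROUP_NAME, 2 + len(group)]) + group.encode()
        vsa = struct.pack("!I", FORTINET_VENDOR_ID) + sub
        avps += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(avps)) + bytes(16) + avps
```

To use it on a real capture, feed the UDP payload of the Access-Accept from the sniffer output to fortinet_group_names() and compare against the group-name string configured under the FortiGate user group's match entry.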
I agree with all that's been posted and suggest using a radtest client before troubleshooting issues within the FortiGate. You can manipulate all client-side attributes and debug issues.
PCNSE
NSE
StrongSwan
Dangit! Been out of the loop too long. Confusing admin login with SSL VPN login....
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
