Hi all,
I face an issue never occurred before..
I configured radius server (Windows 2008R2 NPS) to athenticate administrators of a Fortigate (release 5.0.11).
In Microsoft eventviewer I see the user that have been granted access, but, in FortiGate log, the user access is refused due to "incorrect password"..
there are some special tricks to be configured?
any required Vendor-specifica attributes to be configured on NPS?
many thanks!
Gianluca
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You need to use LDAP for [strike]admin[/strike] (should have read SSL VPN) users. With NPM, you need to be authenticated before permission is granted. This is primarily used for AD group filtering for Internet access.
Edited for incorrect content. -rp
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
So I'll remove Radius and I'll configure LDAP servers in Fortigate..
It was the last chance in my mind..
by the way it was strange that Radius cannot be used for authenticate administrators.
Thank you very much!
Gianluca
RADIUS can be used for admin users as well as LDAP and TACACS+ .. even for wildcard admin users (1:N) so one admin account on FGT for many matching ones on RADIUS server. I would suggest check KB for "radius admin" or "radius wildcard", very first hits/technotes will give you idea.
Usual caveats are:
- radius server configured on FGT is used for admins and users or even "use in all groups" is turned on, I'd suggest to make dedicated RADIUS server config and firewall user group just for admin authentication
- group match is set but RADIUS server do not return set string in Fortinet-Group-Name AVP, and therefore group match fail
Another possibility is to open a ticket on support site and attach
- network diagram
- config backup
- RADIUS sniffer (I assume default ports are used so something like CLI output from .. diag sniffer packet any 'port 1812' 6 0 a )
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
I agreed with all that's been posted and suggest to use a radtest client b4 t-shooting issues within the fortigate. You can manipulate all client side attribute and debug issues.
PCNSE
NSE
StrongSwan
Dangit! Been out of the loop too long. Confusing admin login with SSL VPN login....
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.