suthomas1
New Contributor

remote access

All,

In setting up a FortiGate unit for remote users to access the local LAN of our enterprise, 3 VDOMs have been used, with the VDOMs serving 3 purposes: VPN termination, secure VDOM & root. The VPN VDOM has virtual links created to the VPN VDOM & secure VDOM. The question is:

1) For user authentication with RADIUS, will it be using the VPN VDOM or the root VDOM?
2) If the VPN VDOM, how will the routes be towards the inside to reach the authentication server?

Please help. Thank you.

Suthomas
7 Solutions
Toshi_Esumi
SuperUser

RADIUS server is configured at each vdom. The other vdoms don't know or don't care what the RADIUS IP of another vdom is. The vpn vdom needs to have a route to get to the RADIUS server you configured, regardless of whether it's over the internet or an internal interface. If the internal interface is not attached to the vdom but attached to another vdom, you need to have a vdom-link and then a route toward the vdom that has the internal interface.


Toshi_Esumi

There are different ways to set up MGMT interface(s), like the cookbook for 6.0 below or another thread in the past. Regardless, whether management access is limited to one vdom or global access is allowed is decided by the "account profile" of the admin config ("set scope" in the profile it's referring to) of the admin user, not by the interface.

https://cookbook.fortinet.com/vdom-configuration-60/

https://forum.fortinet.com/tm.aspx?m=148995

Toshi_Esumi

If the MGMT interface belongs to the root vdom and a RADIUS that authenticates admin users is reachable only from the "secure" vdom, there obviously needs to be a set of vdom_link, routes and policies at both vdoms, just like connecting two routers/FWs together where both sides are configured at each router/FW.

If you move the MGMT interface to the "secure" vdom, everything happens inside one vdom and you can eliminate most of the above.

Toshi_Esumi

If the "mgmt" interface is referred to somewhere, you might not see the vdom as changeable in the GUI in the cookbook I posted before. You have to remove all references first, including policies, static routes, etc.

If you want to move the RADIUS config to root, you need to move the current interface in the "secure vdom" connecting to the RADIUS to the root vdom as well. Otherwise you have to set all routes and policies at two vdoms over a vdom_link.

It's simple and easy. I wouldn't move what you have now and I would just set up routing over vdom_link.


Toshi_Esumi

It's supposed to be the admin user name and password you want to authenticate with. However, the GUI version of "test connectivity" doesn't actually show pass or fail of the user name/pass. If something comes back from RADIUS it shows "success", so it's not much better than just pinging the server from the outgoing interface. In other words, you can put in a bogus username/password.

If you really want to "test RADIUS", you have to use the CLI:

# diag test authserver radius <server_name> pap "<user_name>" "<password>"

Toshi_Esumi

At the RADIUS. From the RADIUS view the FortiGate is one of the NASes. You must have configured the NAS (clients.conf) file. The user/pass are in the users file.


Toshi_Esumi

Windows AD itself is not a RADIUS server but LDAP, unless you've set up Windows NPS as RADIUS as described below, or another way possible on Windows Server.

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

But I'm not an expert on LDAP or Win NPS. So please ask somebody else for the details if you can't easily find the same conversations on the forum or on the internet. There must be a lot of them available.


17 REPLIES
Toshi_Esumi
SuperUser

RADIUS server is configured at each vdom. The other vdoms don't know or don't care what the RADIUS IP of another vdom is. The vpn vdom needs to have a route to get to the RADIUS server you configured, regardless of whether it's over the internet or an internal interface. If the internal interface is not attached to the vdom but attached to another vdom, you need to have a vdom-link and then a route toward the vdom that has the internal interface.

suthomas1

Thanks for the response. If the route needs to be via the management interface, does it matter if the management interface resides in root and not in the actual remote access termination vdom?


Suthomas
Toshi_Esumi

Do you mean "management interface" as an interface you use for management access, like https and ssh? If so, management access can be via any interface at any vdom. As long as your admin privilege is "super_admin", you can hop around vdoms as well as global.

suthomas1

Yes, one of the interfaces that is labelled as management on the device itself. Is that the case?

Suthomas
Toshi_Esumi

There are different ways to set up MGMT interface(s), like the cookbook for 6.0 below or another thread in the past. Regardless, whether management access is limited to one vdom or global access is allowed is decided by the "account profile" of the admin config ("set scope" in the profile it's referring to) of the admin user, not by the interface.

https://cookbook.fortinet.com/vdom-configuration-60/

https://forum.fortinet.com/tm.aspx?m=148995

suthomas1

Thanks, this particular client doesn't use a separate vdom for mgmt. Instead the dedicated mgmt port is utilised for mgmt purposes.

Do I need rules to allow traffic over vdom links? And will there be routing on the remote access, secure & root vdoms for passing the request across to the RADIUS server?

This is how our client wants it.

Remote access vdom - secure vdom - (Network/radius)

The secure vdom connects to the secure portion of the network, from where RADIUS is reachable.

So should the final routing be done from the secure or the root vdom?


Suthomas
Toshi_Esumi

If the MGMT interface belongs to the root vdom and a RADIUS that authenticates admin users is reachable only from the "secure" vdom, there obviously needs to be a set of vdom_link, routes and policies at both vdoms, just like connecting two routers/FWs together where both sides are configured at each router/FW.

If you move the MGMT interface to the "secure" vdom, everything happens inside one vdom and you can eliminate most of the above.

suthomas1

How do you do that moving of the mgmt interface to the "secure vdom"? I have tried but do not see the option of changing it.

Also, in the "test connectivity" option for RADIUS it asks for a username & password. Does that username & password have to be on the RADIUS server? I assumed only the server secret is the one defined on the RADIUS server. We are seeing a "server unreachable" error when testing with dummy credentials.

Please help. Thanks.


Suthomas
Toshi_Esumi

If the "mgmt" interface is referred to somewhere, you might not see the vdom as changeable in the GUI in the cookbook I posted before. You have to remove all references first, including policies, static routes, etc.

If you want to move the RADIUS config to root, you need to move the current interface in the "secure vdom" connecting to the RADIUS to the root vdom as well. Otherwise you have to set all routes and policies at two vdoms over a vdom_link.

It's simple and easy. I wouldn't move what you have now and I would just set up routing over vdom_link.
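The "routing over vdom_link" approach recommended above, written out as a FortiOS CLI sketch. This is an added example, not configuration from the thread or from Fortinet documentation, and every name and address in it is assumed: VDOMs "vpn" and "secure", an inter-VDOM link "vpn2sec" (FortiOS creates its two ends as interfaces vpn2sec0 and vpn2sec1), a constructed link subnet 10.255.0.0/30, the secure VDOM's internal interface "port3", a constructed RADIUS server at 10.20.30.5, and a placeholder shared secret. The RADIUS request is self-originated by the vpn VDOM, so that side needs the server definition and a route; the secure VDOM forwards it like any transit traffic and therefore needs a policy restricted to the RADIUS service.

```text
# ---- global scope: create the inter-VDOM link and address both ends ----
config global
    config system vdom-link
        edit "vpn2sec"
        next
    end
    config system interface
        edit "vpn2sec0"
            set vdom "vpn"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vpn2sec1"
            set vdom "secure"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# ---- vpn VDOM: RADIUS server definition plus a route to reach it over the link ----
config vdom
    edit vpn
        config user radius
            edit "corp-radius"
                set server "10.20.30.5"
                set secret "REPLACE_WITH_SHARED_SECRET"   # placeholder; use a long random secret
                set source-ip 10.255.0.1                  # pin the NAS source address to the link end
            next
        end
        config router static
            edit 10
                set dst 10.20.30.0 255.255.255.0
                set gateway 10.255.0.2
                set device "vpn2sec0"
            next
        end
    next
end

# ---- secure VDOM: allow only RADIUS from the link toward the internal network ----
config vdom
    edit secure
        config firewall address
            edit "corp-radius-host"
                set subnet 10.20.30.5 255.255.255.255
            next
        end
        config firewall policy
            edit 10
                set name "vpnvdom-to-radius"
                set srcintf "vpn2sec1"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "corp-radius-host"
                set action accept
                set schedule "always"
                set service "RADIUS"          # predefined service: UDP 1812-1813
                set nat enable                # RADIUS sees port3's IP as the NAS address
                set logtraffic all
            next
        end
    next
end

# ---- verification, run inside the vpn VDOM (config vdom / edit vpn first) ----
# Real pass/fail of credentials, unlike the GUI "test connectivity" button:
#   diagnose test authserver radius corp-radius pap "testuser" "testpass"
# Confirm the request actually leaves over the link and returns:
#   diagnose sniffer packet vpn2sec0 'udp port 1812' 4
```

Two design points. First, with `set nat enable` on the secure-VDOM policy the RADIUS server sees port3's address as the NAS, so that is the address (and secret) the server's client list (clients.conf on FreeRADIUS) must contain; if you prefer the server to see 10.255.0.1 instead, drop the NAT and give the internal network a route back to 10.255.0.0/30 via port3. Second, scoping the policy to the single RADIUS host and the RADIUS service keeps the inter-VDOM link from becoming a general path from the VPN side into the secure network, and `logtraffic all` gives you a record of every authentication attempt crossing it.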
