All,
In setting up a FortiGate unit for remote users to access the local LAN of our enterprise, 3 VDOMs have been used, with the VDOMs serving 3 causes: VPN termination, secure VDOM and root. The VPN VDOM has virtual links created to the VPN VDOM and the secure VDOM. The questions are:
1) For user authentication with RADIUS, will it be using the VPN VDOM or the root VDOM? 2) If the VPN VDOM, how will the routes be towards the inside to reach the authentication server?
Please help. Thank you.
The RADIUS server is configured at each vdom. The other vdoms don't know or don't care what RADIUS IP another vdom has. The vpn vdom needs to have a route to get to the RADIUS server you configured, regardless of whether it's over the internet or an internal interface. If the internal interface is not attached to the vdom but attached to another vdom, you need to have a vdom-link and then a route toward the vdom that has the internal interface.
There are different ways to set up MGMT interface(s), like the cookbook below for 6.0 or another thread in the past. Regardless, whether management access is limited to one vdom or global access is allowed is decided by the "account profile" of the admin config ("set scope" in the profile it's referring to) of the admin user, not by the interface.
https://cookbook.fortinet.com/vdom-configuration-60/
https://forum.fortinet.com/tm.aspx?m=148995
If the MGMT interface belongs to the root vdom and a RADIUS server that authenticates admin users is reachable only from the "secure" vdom, there needs to be a set of vdom_link, routes and policies at both vdoms obviously, just like connecting two routers/FWs together where both sides are configured at each router/FW.
If you move the MGMT interface to the "secure" vdom, everything happens inside one vdom and you can eliminate most of the above.
If the "mgmt" interface is referenced somewhere, you might not see the vdom changeable in the GUI as in the cookbook I posted before. You have to remove all references first, including policies, static routes, etc.
If you want to move the RADIUS config to root, you need to move the current interface in the "secure" vdom connecting to the RADIUS server to the root vdom as well. Otherwise you have to set all routes and policies at two vdoms over a vdom_link.
It's simple and easy. I wouldn't move what you have now and I would just set up routing over vdom_link.
In the "test connectivity" option for RADIUS it asks for a username & password. Does that username & password have to be on the RADIUS server? I assumed only the server secret is the one defined on the RADIUS server.
It's supposed to be the admin user name and password you want to authenticate with. However, the GUI version of "test connectivity" doesn't actually show pass or fail of the user name/pass. If something comes back from RADIUS it would show "success", so it's not much better than just pinging the server from the outgoing interface. In other words, you can put a bogus username/password.
If you really want to "test RADIUS", you have to use the CLI:
# diag test authserver radius <server_name> pap "<user_name>" "<password>"
Thanks again.
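The vdom-link, route and policy arrangement described in the accepted answer above, together with the CLI test from the reply just before this, as an added example (not configuration from the thread or from Fortinet). It assumes vdoms named "vpn" and "secure", an interface "internal" in the secure vdom, a RADIUS server at 10.20.0.10 and a /30 on the vdom-link; all names and addresses are assumptions.

```fortios
config global
    config system vdom-link
        edit "vl-vpn-sec"        # assumed name; creates vl-vpn-sec0 and vl-vpn-sec1
    end
    config system interface
        edit "vl-vpn-sec0"
            set vdom "vpn"
            set ip 10.255.255.1 255.255.255.252
        next
        edit "vl-vpn-sec1"
            set vdom "secure"
            set ip 10.255.255.2 255.255.255.252
        next
    end
end
config vdom
    edit "secure"
        config firewall address
            edit "radius-srv"    # assumed server address, pinned to a /32
                set subnet 10.20.0.10 255.255.255.255
            next
        end
        config firewall policy   # let the vpn vdom's queries reach the server
            edit 0
                set srcintf "vl-vpn-sec1"
                set dstintf "internal"
                set srcaddr "all"
                set dstaddr "radius-srv"
                set action accept
                set schedule "always"
                set service "RADIUS"    # predefined service, UDP 1812/1813
            next
        end
    next
    edit "vpn"
        config router static     # the RADIUS subnet is reachable only via the vdom-link
            edit 0
                set dst 10.20.0.0 255.255.255.0
                set gateway 10.255.255.2
                set device "vl-vpn-sec0"
            next
        end
        config user radius       # RADIUS is defined per vdom, so it lives in "vpn"
            edit "corp-radius"
                set server "10.20.0.10"
                set secret "SHARED-SECRET-PLACEHOLDER"
            next
        end
    next
end
```

The query is generated locally by the vpn vdom, so no policy is needed there; the vdom-link subnet is directly connected in the secure vdom, so replies need no extra route. Verify from the vpn vdom with the command from the thread: diagnose test authserver radius corp-radius pap "<user_name>" "<password>".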
Sorry, but where should that admin username & password be defined to use this test connectivity feature?
The connectivity server is the RADIUS server in this case. I have created an entry on the RADIUS server which recognises this FortiGate's IP address & have specified a shared secret between them.
Am I missing something?
At the RADIUS server. From the RADIUS server's view the FortiGate is one of its NAS. You must have configured the NAS (clients.conf) file. The user/pass are in the users file.
There is a user group in our AD which is "chemical engg unit". We want this user group to remote in using the VPN client & then successfully get authenticated with Active Directory. Is there any specific configuration required on the AD itself to recognise the firewall trying to access it for this user mapping purpose?
Windows AD itself is not a RADIUS server but LDAP, unless you've set up Windows NPS as RADIUS as described below, or another way possible on Windows Server.
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
But I'm not an expert for LDAP or Win NPS. So please ask somebody else for the details if you can't easily find the same conversations on the forum or on the internet. There must be a lot of them available.
Thank you.
Another question: which interface do the remote access users' VPN requests via FortiClient come in on?
Is it on the usual internet-facing link, or is there a separate interface that does this job (either created by us or by the FortiGate unit itself)? We came across a blog where there was an incoming interface "vpn" and an outgoing interface "wan". Just trying to understand this.
(In our case, it's only one internet interface & we believe that will be the incoming interface where remote users will come in from.)
Please help.
You answered your question yourself. If you traceroute from the internet toward the server IP of the VPN you would see how it gets to the public IP. The FGT won't (be able to) generate any publicly accessible IP by itself. You must have configured it.