Technical Tip: Remote admin login with Radius selecting admin access account profile

1. Configure the FortiGate with the Radius server.
   

Go to User & Device -> Authentication -> Radius Server.

Name: FGT-Radius
Primary Server IP/Name: 10.10.10.10
Primary Server Secret: radius_secret

Or run the equivalent in the CLI:

config user radius
    edit "FGT-Radius"
        set server 10.10.10.10
        set secret radius_secret
    next
end

Note.

Can optionally set a source IP address for the FortiGate to use when contacting the Radius server by using the following commands:

config user radius
    edit "FGT-Radius"
        set source-ip 192.168.1.99
    next
end

2. Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

   Verify that the RADIUS server is configured to send down the appropriate vendor-specific attributes (VSA). 

   In order to send an appropriate group membership and access profile VSA 1 and VSA 6 will need to be set.

    

   VENDOR fortinet 12356
   ATTRIBUTE Fortinet-Group-Name       1   string
   ATTRIBUTE Fortinet-Access-Profile   6   string

    

   In this example:

    

   Attribute 1 is set to Firewall_Admins.
   Attribute 6 is set to Radius_User_Access.

    

   A list of all of Fortinet's VSA is available here.
   

    

   

    

   

    

    

3. Create a user group on FortiGate.
   

    

   Go to User & Device -> User -> User group and create a Firewall group. 

   Create New Remote Server and add the Radius Server. 

   In the group's field, include the string that was configured as Attribute 1 on the RADIUS server. 
   In this example, the string used was 'Firewall_Admins'.
   
   Name: Radius_group
   Remote group:
   Remote Server: FGT-Radius
   Groups: Firewall_Admins

    

   

    

   

    

    

4. Create two admin profiles.

   Go to System -> Admin -> Admin Profiles and create 2 profiles:
   
   First profile.

   
   Profile Name: no_access
   Access Control: None

    

   
   
   

    

   Second profile.

   
   Profile Name: Radius_User_Access (note that the name of the profile needs to match which is specified for VSA 6).

   
   Access Control: Specify the desired permissions.

    

   

    

5. Create an admin user.

   • Go to System -> Admin -> Admin -> Administrators.

   • Create a new admin with the type Remote.

   • Select the User Group.

   • Select type wildcard.

   • Select the no_access profile .

Then in the CLI run the following in order to allow the profile passed down by the radius server to override the current no_access profile:

config system admin
     edit Radius_Admins
     set accprofile-override enable
end

 

6. Log into FortiGate using the new RADIUS user.

    

   

    

   

    

7. Troubleshooting steps if it is not working as expected.

    

   If appropriate permissions is not received, run the following commands in the CLI:
   

    

   diag debug app fnbamd -1
   diag debug app radius -1
   diag debug enable
   diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>

   
   A successful output will appear as follows:

    

   [1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
   [424] __compose_group_list_from_req-Group 'Radius_group', type 1
   [617] fnbamd_pop3_start-radius_admins
   [336] fnbamd_create_radius_socket-Opened radius socket 16
   [336] fnbamd_create_radius_socket-Opened radius socket 17
   [1372] fnbamd_radius_auth_send-Compose RADIUS request
   [1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
   [1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=113 len=125 user="radius_admins" using PAP
   [313] radius_server_auth-Timer of rad 'FGT-Radius' is added
   [743] auth_tac_plus_start-Didn't find tac_plus servers (0)
   [481] ldap_start-Didn't find ldap servers
   [591] create_auth_session-Total 1 server(s) to try
   [1381] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
   [1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
   [354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
   [320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins
   [1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' 10.0.0.1(1) is 0
   [1331] fnbamd_radius_group_match-Passed group matching
   [1059] find_matched_usr_grps-Group 'Radius_group' passed group matching
   [1060] find_matched_usr_grps-Add matched group 'Radius_group'(10)
   [217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
   [747] destroy_auth_session-delete session 7658224
   [2446] handle_req-Rcvd 7 req
   [308] fnbamd_acct_start_START-Error getting radius server
   [1469] create_acct_session-Error start acct type 7
   [2460] handle_req-Error creating acct session 7
   
   

   diag test authserver radius FGT-Radius pap radius_admins P@ssword123

   authenticate 'radius_admins' against 'pap' succeeded, server=primary assigned_rad_session_id=7658226 assigned_admin_profile=Radius_User_Access session_timeout=0 secs idle_timeout=0 secs!
   Group membership(s) - Firewall_Admins
   
   

Related articles:

Technical Tip: Fortinet RADIUS attribute.

Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes).