matanaskovic
Staff

Description


This article describes how to create an admin profile and have the RADIUS server select the appropriate profile for a RADIUS user.

Solution

 

1) Configure the FortiGate with the RADIUS server.

Go to User & Device -> Authentication -> Radius Server.

Name: FGT-Radius
Primary Server IP/Name: 10.10.10.10
Primary Server Secret: radius_secret

 

Or run the equivalent in the CLI:

 

 

# config user radius
    edit "FGT-Radius"
        set server 10.10.10.10
        set secret radius_secret
    next
end

 


 

Note: a source IP address for the FortiGate to use when contacting the RADIUS server can optionally be set with the following commands:

 

# config user radius
    edit "FGT-Radius"
        set source-ip 192.168.1.99
    next
end

 

 

2) Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

Verify that the RADIUS server is configured to send down the appropriate vendor-specific attributes (VSAs). To return both the group membership and the access profile, VSA 1 and VSA 6 need to be set:

 

VENDOR fortinet 12356
ATTRIBUTE Fortinet-Group-Name       1   string
ATTRIBUTE Fortinet-Access-Profile   6   string

 

In this example:

Attribute 1 (Fortinet-Group-Name) is set to Firewall_Admins.
Attribute 6 (Fortinet-Access-Profile) is set to Radius_User_Access.

A list of all Fortinet VSAs is available here.
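As an added illustration (not part of the original article or of any Fortinet tooling), the following Python builds and decodes the RFC 2865 Vendor-Specific attribute (type 26) that carries the two Fortinet VSAs above, then applies the group and profile check this article configures on the FortiGate. The Access-Accept attribute bytes are constructed for this example, and treating an unknown profile name as falling back to no_access is an assumption of the script, not something the article states.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type that wraps every VSA
FORTINET_VENDOR_ID = 12356    # "VENDOR fortinet 12356" in the dictionary above
FORTINET_GROUP_NAME = 1       # Fortinet-Group-Name      (VSA 1)
FORTINET_ACCESS_PROFILE = 6   # Fortinet-Access-Profile  (VSA 6)


def encode_fortinet_vsa(vsa_type: int, value: str) -> bytes:
    # Layout: type=26 | len | vendor-id (4 bytes) | vsa-type | vsa-len | string value
    payload = value.encode("utf-8")
    inner = struct.pack("!BB", vsa_type, 2 + len(payload)) + payload
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_fortinet_vsas(attributes: bytes) -> dict:
    # Walk the attribute list; keep only Fortinet VSAs, stop on a malformed length.
    found, pos = {}, 0
    while pos + 2 <= len(attributes):
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            break
        if attr_type == VENDOR_SPECIFIC and attr_len >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            if vendor_id == FORTINET_VENDOR_ID:
                inner, ipos = attributes[pos + 6:pos + attr_len], 0
                while ipos + 2 <= len(inner):
                    vtype, vlen = inner[ipos], inner[ipos + 1]
                    if vlen < 2 or ipos + vlen > len(inner):
                        break
                    found[vtype] = inner[ipos + 2:ipos + vlen].decode("utf-8", "replace")
                    ipos += vlen
        pos += attr_len
    return found


def resolve_admin_profile(vsas, allowed_groups, defined_profiles, fallback="no_access"):
    # VSA 1 must match the group string configured in the user group (Step 3); VSA 6
    # must name an admin profile that exists (Step 4). Falling back to no_access for an
    # unknown profile name is this script's assumption, not documented FortiGate behaviour.
    if vsas.get(FORTINET_GROUP_NAME) not in allowed_groups:
        return None  # group match failed, login is refused
    profile = vsas.get(FORTINET_ACCESS_PROFILE)
    return profile if profile in defined_profiles else fallback


# Constructed Access-Accept attribute list carrying this article's two VSA values.
SAMPLE_ACCEPT_ATTRS = (encode_fortinet_vsa(FORTINET_GROUP_NAME, "Firewall_Admins")
                       + encode_fortinet_vsa(FORTINET_ACCESS_PROFILE, "Radius_User_Access"))
```

The decoded values correspond to the two `extract_success_vsas` lines in the debug output later in this article.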

 


3) Create a user group on the FortiGate.

Go to User & Device -> User -> User Group and create a Firewall group.

Under Remote Groups, select Create New and add the RADIUS server.

In the Groups field, include the string that was configured as Attribute 1 on the RADIUS server. In this example, the string used was 'Firewall_Admins'.

Name: Radius_group
Remote group:
Remote Server: FGT-Radius
Groups: Firewall_Admins

 

 

 

4) Create two admin profiles.

Go to System -> Admin -> Admin Profiles and create two profiles.

First profile:

Profile Name: no_access
Access Control: None

Second profile:

Profile Name: Radius_User_Access (the profile name must match the value sent in VSA 6).
Access Control: Specify the desired permissions.

 

 

5) Create an admin user.

- Go to System -> Admin -> Administrators.
- Create a new admin with type Remote.
- Select the User Group.
- Select type Wildcard.
- Select the no_access profile.

Then run the following in the CLI to allow the profile passed down by the RADIUS server to override the no_access profile:

# config system admin
    edit Radius_Admins
        set accprofile-override enable
    next
end

 

 

6) Log into the FortiGate using the new RADIUS user.

7) Troubleshooting steps if it is not working as expected.

If the appropriate permissions are not received, run the following commands in the CLI:

 

# diag debug app fnbamd -1
# diag debug app radius -1
# diag debug enable
# diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>


Successful output appears as follows:

 

[1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
[424] __compose_group_list_from_req-Group 'Radius_group', type 1
[617] fnbamd_pop3_start-radius_admins
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
[1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=113 len=125 user="radius_admins" using PAP
[313] radius_server_auth-Timer of rad 'FGT-Radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
[320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins

[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'Radius_group' passed group matching
[1060] find_matched_usr_grps-Add matched group 'Radius_group'(10)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
[747] destroy_auth_session-delete session 7658224
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7

# diag test authserver radius FGT-Radius pap radius_admins P@ssword123

authenticate 'radius_admins' against 'pap' succeeded, server=primary assigned_rad_session_id=7658226 assigned_admin_profile=Radius_User_Access session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - Firewall_Admins

 

Related Articles.

Technical Tip: Fortinet RADIUS attribute

Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes)