yugiohx
New Contributor

Radius user group mapping problem

Hello everybody, I have a Fortinet VM-64 (version v5.4.7, build6446) providing SSL VPN service. My customer provides a RADIUS server for SSL VPN authentication, but their RADIUS server can't return group information during authentication. So I created many accounts with RADIUS on the VM-64 and mapped them to different groups. But there is a problem with the group mapping: when a client uses an account which exists on the RADIUS server but doesn't exist on the VM-64 to log in to SSL VPN, the login succeeds and is mapped to the group of the first account in the account list.

For example:
-----------------
I have two accounts on the VM-64:
AAA in radius is group-X (it's the first account in the list)
BBB in radius is group-Y
There are three accounts on the RADIUS server (because the RADIUS server is not only for SSL VPN):
AAA
BBB
CCC
When a client uses CCC to log in to SSL VPN, the login succeeds and is mapped to group-X.
-------------------
Because different groups have different access control lists, this is a security issue. And it's strange to map an account which doesn't exist to an existing group. It looks like a vulnerability or a program logic error in the authentication. Could you kindly give me some suggestions to resolve it? Thanks a lot :)

xsilver_FTNT
Staff

Hi,

To be honest, I do not understand your config.

But if you do have SSL VPN bound to a firewall user group which contains (is bound to) the RADIUS server, then the login of CCC is authenticated against RADIUS, not against your local users on the FGVM-64 (as there is no CCC user).

If you do mix local users and a RADIUS binding in a single user group ...

config user group
    edit "SOME-GROUP"
        set member "AAA" "BBB" "RADIUS-SERVER"
    next
end

.. then local users like AAA or BBB are checked first (so if there is an AAA user on RADIUS-SERVER it will not be checked, as the local AAA user exists and local users have preference).

If there is no local user, then anyone else will be passed on and tried against RADIUS-SERVER .. and if the server replies Access-Accept, then the user is authenticated and allowed to pass through.

 

If you do want to drive group membership for SSL VPN and divide users into groups according to their presence on the RADIUS server, then check the RADIUS group match feature of FortiOS (a similar feature exists for LDAP).

More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

yugiohx

xsilver wrote:

Hi,

To be honest, I do not understand your config.

But if you do have SSL VPN bound to a firewall user group which contains (is bound to) the RADIUS server, then the login of CCC is authenticated against RADIUS, not against your local users on the FGVM-64 (as there is no CCC user).

If you do mix local users and a RADIUS binding in a single user group ...

config user group
    edit "SOME-GROUP"
        set member "AAA" "BBB" "RADIUS-SERVER"
    next
end

.. then local users like AAA or BBB are checked first (so if there is an AAA user on RADIUS-SERVER it will not be checked, as the local AAA user exists and local users have preference).

If there is no local user, then anyone else will be passed on and tried against RADIUS-SERVER .. and if the server replies Access-Accept, then the user is authenticated and allowed to pass through.

If you do want to drive group membership for SSL VPN and divide users into groups according to their presence on the RADIUS server, then check the RADIUS group match feature of FortiOS (a similar feature exists for LDAP).

More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464


Thanks for the reply, and sorry for not describing my config.

In this situation there are about 300 accounts on the RADIUS server, but only 50 accounts need SSL VPN.

And for some reason, the RADIUS server admin can't divide accounts by whether they need SSL VPN or not on the RADIUS server.

What I want to do is check the username and password with the RADIUS server, and map the group on the FortiGate.

So I configured it on the FortiGate like what I do on the Juniper SSL VPN:

1. set a RADIUS server

2. create some groups

3. create many accounts with RADIUS, and map them to groups.

Is this configuration approach not workable on the FortiGate?

xsilver_FTNT

Hi,

If the RADIUS admin can add the AVP Fortinet-Group-Name to some specific user accounts, that would be enough to divide them by use of RADIUS group match.

If you are unable to convince the RADIUS admin to change the config, then what should work is:

config user radius
    edit "RADIUS-SERVER"
        set server "10.10.10.69"
        set secret SuperSecretPassword
    next
end

config user local
    edit "userrad-1"
        set type radius
        set radius-server "RADIUS-SERVER"
    next
end

config user group
    edit "RADIUS-GRP"
        set member "userrad-1" "userrad-2"
    next
end

config vpn ssl settings
    ... other ssl settings you have
    config authentication-rule
        edit 1
            set groups "RADIUS-GRP"
            set portal "full-access"
        next
    end
end

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
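An added example, not from this thread or from Fortinet, of the RADIUS group match configuration referred to above: only users whose Access-Accept carries Fortinet-Group-Name = "sslvpn-full" become members of the group that the SSL VPN authentication rule admits, so an account such as CCC or userrad-3 that the RADIUS server accepts without that attribute matches no group and gets no portal. The group name, portal name and attribute value are assumed.

```text
# Added example (assumed names). RADIUS group match: membership of
# SSLVPN-FULL is granted only when the server's Access-Accept carries
# Fortinet-Group-Name (vendor ID 12356, attribute 1) = "sslvpn-full".
config user radius
    edit "RADIUS-SERVER"
        set server "10.10.10.69"
        set secret SuperSecretPassword
    next
end

config user group
    edit "SSLVPN-FULL"
        # the RADIUS server is the member, not individual local users
        set member "RADIUS-SERVER"
        # match entry: group-name is compared with the returned
        # Fortinet-Group-Name value for this server
        config match
            edit 1
                set server-name "RADIUS-SERVER"
                set group-name "sslvpn-full"
            next
        end
    next
end

config vpn ssl settings
    # only members of SSLVPN-FULL reach the full-access portal
    config authentication-rule
        edit 1
            set groups "SSLVPN-FULL"
            set portal "full-access"
        next
    end
end
```

On the RADIUS side the admin adds the reply attribute Fortinet-Group-Name only to the accounts that need SSL VPN. Do not also list "RADIUS-SERVER" as a member of a group that has no match entries, or every account the server accepts would fall into that group.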

yugiohx

Hi, thanks for your reply.

My config is set up as your second solution.

But it has a problem.

For example:

I have created only 2 users and 2 groups like above.

config user local
    edit "userrad-1"
        set type radius
        set radius-server "RADIUS-SERVER"
    next
end

config user local
    edit "userrad-2"
        set type radius
        set radius-server "RADIUS-SERVER"
    next
end

config user group
    edit "RADIUS-GRP1"
        set member "userrad-1"
    next
end

config user group
    edit "RADIUS-GRP2"
        set member "userrad-2"
    next
end

But if there is a userrad-3 on the RADIUS server, a client can use userrad-3 to log in to SSL VPN, and be recognized as RADIUS-GRP1.

That makes it look like a security issue....

xsilver_FTNT

Then what do you have in the policies and SSL VPN settings for the other groups?

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

yugiohx

Thanks for the reply.

All other groups can only get web access in my config.

But before that, userrad-3 can log in as RADIUS-GRP1.....

I don't have any config about userrad-3, so I really don't understand what logic the FortiGate uses to let userrad-3 log in as RADIUS-GRP1.....

yugiohx

Hello, is there any solution for this situation?

Thanks :)

pyy
New Contributor III

Ask for a RADIUS server that can send group replies?

yugiohx
New Contributor

Yes he can, but he can't set an SSL VPN group for me.....
