- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Forticlient Radius Authentication Across IPSEC Tun...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forticlient Radius Authentication Across IPSEC Tunnel
Currently, I manage small pools of locally configured building engineer accounts on several remote sites (all fortigate) that hub&spoke topology back to our main site. They use forticlient to connect to their local FG network to manage what they need to manage. My boss wants us to move this authentication from me managing local accounts to them authenticating with their AD credentials to our radius server back at the main site. Currently, when clients connect with FC to our main site they use radius auth (MS NPS).
I've configured radius authentication on one of the remote FGs
edit "RADIUS-01"
set server "x.x.x.x" (server IP)
set secret ENC 32HGInwGoQ0aUnuzGS6FrcSgyB8on8I1Ugyfwm/SeNjKfLNQSbePRS29upRikZo3m34eh3qW5o3E8085RlmzYMu45eCCw9KADJoEdvQkpn5iX2sQS8PKze9rOiKPJ5z6RDR61o7Q9WzC7kxKH9CeOwhxTOj3sWwH0kl/JM/hJnoxPF4gHZD0J5TMOX7ZJVQ9IcF/rA==
set timeout 30
set auth-type pap
set source-ip "x.x.x.x" (local interface gw of subnet allowed to talk across the tunnel)
set interface-select-method specify
set interface "CORP" (tunnel interface back to main site)
I've tested ping and traceroute sourcing from the local interface and get positive responses so the traffic is allowed across the tunnel from that interface, but I am still getting "Can't contact RADIUS server"
Looking for any guidance.
Labels:
- Labels:
-
FortiClient
-
FortiGate
-
IPsec
-
RADIUS
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @bock_samson ,
It looks like the remote Radius server is not responding to these requests.
You can take a packet capture on the NPS server and see if you receive the Access-Request and what happens with it.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took the pcaps and tracked the traffic through both firewalls to the NPS server to waiting to hear back from the server admin on what he finds
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"set source-ip" is typically enough when dealing with IPsec tunnels without IPs (which I assume is the problem you're trying to solve with this).
Standard troubleshooting should give you some hints: Do debug flow and packet sniffer on the remote FGT. If it looks good, do the same on the next-hop, etc. up until you hit the NPS server, where you can check packets with Wireshark, or NPS logs with Event Viewer.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the FortiGate defined as a client on the RADIUS server, also ports UDP/1812 - UDP/1813 are allowed ?
Usually that would be the main reason that it says that i cant contact it if you have L3 connectivity.
geek
geek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
they should be but I have the server admin checking the server
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think there is a misunderstanding hiere:
- FortiClient does not communicate with the radius. It just does xauth with the FGT. If the user is a radius user or member of a radius user group that is in the VPNs xauth section the FGt will communicate with the radius. So the the source ip in the radius settings should be the ip the Fortigate uses to talk to it.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Understanding sslvpn logs 166 Views
- Split Tunnel with SSL VPN and... 178 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 300 Views
- FortiEMS/FortiClient - VPN Tunnel with Multiple... 285 Views
Labels
-
FortiGate
6,571 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
568 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Email filter profile
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.