- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Remote RADIUS Group and wildcard admin issues - 7....
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remote RADIUS Group and wildcard admin issues - 7.2.5
Hello Team.
At the moment we are using Remote Group RADIUS + wildcard admin on Fortigates in our envoriorment the most part of then are using 7.0.12 FortiOS and and it´s works just fine, but when we are trying use the same configuration on Fortigates with 7.2.5 version the admin users receives authentication error o GUI. The debug shows that the RADIUS process auth occours correctly and without errors.
Any one are experimenting the same issue or have some tip to solve the problem in 7.2.5 version?
Follows RADIUS Remote + Wildcard configuration that are using and output of debug commands:
RADIUS Configs:
User RADIUS
config user radius
edit "RADIUS-XPTO"
set server "172.16.0.3"
set secret ENC ddddddddd
set all-usergroup enable
set nas-ip "10.10.1.1"
set auth-type ms_chap_v2
set source-ip "10.10.1.1"
next
end
User Group
config user group
edit "GRP-RADIUS-XPTO"
set member "RADIUS-XPTO"
next
end
Profile to user RADIUS
config system accprofile
edit "no-access"
next
end
System admin with wildcard
config system admin
edit "USR-ADMIN-RADIUS"
set remote-auth enable
set accprofile "no-access"
set vdom "root"
set wildcard enable
set remote-group "GRP-RADIUS-XPTO"
set accprofile-override enable
set password xxxxxxxx
next
end
Output of debug commands:
diagnose debug application fnbamd -1
diagnose debug application radiusd -1
[1890] handle_req-Rcvd auth req 803881880 for user@domain.corp in GRP-RADIUS-XPTO opt=00014001 prot=
11
[473] __compose_group_list_from_req-Group 'GRP-RADIUS-XPTO', type 1
[616] fnbamd_pop3_start-user@bancoob.br
[342] fnbamd_create_radius_socket-Opened radius socket 11
[342] fnbamd_create_radius_socket-Opened radius socket 12
[1454] fnbamd_radius_auth_send-Compose RADIUS request
[1411] fnbamd_rad_dns_cb-172.16.0.173->172.16.0.173
[1383] __fnbamd_rad_send-Sent radius req to server 'RADIUS-XPTO': fd=11, IP=172.16.0.173(172.16.0.173:1812) code=1
id=92 len=229 user="user@domain.corp" using MS-CHAPv2
[319] radius_server_auth-Timer of rad 'RADIUS-XPTO' is added
[760] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1718] fnbamd_ldap_init-search filter is: sAMAccountName=user@domain.corp
[1728] fnbamd_ldap_init-search base is: DC=sicoobsp,DC=corp
[1150] __fnbamd_ldap_dns_cb-Resolved XPTOSP:192.168.1.17 to 192.168.1.17, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts XPTOSP:192.168.1.17, addr 192.168.1.17
[880] __fnbamd_ldap_start_conn-Still connecting 192.168.1.17.
[636] create_auth_session-Total 2 server(s) to try
[1931] handle_req-r=4
[1108] __ldap_connect-tcps_connect(192.168.1.17) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=fortigate,CN=Users,DC=domain,DC=corp'
[1083] fnbamd_ldap_send-sending 87 bytes to 192.168.1.17
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.17
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'DC=Domain,DC=corp' filter:sAMAccountName=user@domain.corp
[1083] fnbamd_ldap_send-sending 101 bytes to 192.168.1.17
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 82
[1306] fnbamd_ldap_recv-Response len: 84, svr: 192.168.1.17
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 82
[1306] fnbamd_ldap_recv-Response len: 84, svr: 192.168.1.17
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 66
[1306] fnbamd_ldap_recv-Response len: 68, svr: 192.168.1.17
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.17
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[1244] __fnbamd_ldap_dn_next-No DN is found.
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to 192.168.1.17
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'XPTOSP'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with 192.168.1.17 destroyed.
[2774] fnbamd_ldap_result-Continue pending for req 803881880
[1428] fnbamd_auth_handle_radius_result-Timer of rad 'RADIUS-XPTO' is deleted
[1862] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[362] extract_success_vsas-FORTINET attr, type 6, val super_admin
[323] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins
[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'RADIUS-XPTO' 172.16.0.173(1) is 0
[1616] fnbam_user_auth_group_match-req id: 803881880, server: RADIUS-XPTO, local auth: 0, dn match: 0
[277] find_matched_usr_grps-Passed group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 803881880, len=2640
[792] destroy_auth_session-delete session 803881880
[755] __ldap_destroy-
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'XPTOSP' ctx
Thank you in advance!
#Fortigate #RadiusWildcard
Labels:
- Labels:
-
FortiAuthenticator v5.5
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @rsteixeira ,
would it be possible to provide the pcaps from both the ends? I see RADIUS responded with code 2 but still can you try with default authentication method?
DNB
Created on 11-23-2023 12:31 PM Edited on 11-23-2023 12:47 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately is not allowed for me share one pacap file once it will show confidential informations.
I didn´t understand what you mean about default authentication method. You mean use a local admin user to authentication on Firewall?
If yes, the local auth works fine or if we create the local user pointing to remote radius group its also works.
RADIUS server logs shows always sucess, if we try user test connection on gui on radius server configuration the test is also works. The same behavior if we try "diag test authserver radius " command by cli and work fine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rsteixeira, In this scenario, you might have to open a case with the TAC so we can troubleshoot the issue to verify why Radius authentication failed.
Thank you.
Best Regards,
Maulish Shah
Maulish Shah
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
debug shows the authentication works fine (as you know already). So the GUI should give you a no-access message and profile. You can test changing the no-access to something that has access to test against the access-profile.
Run debug differently in this way:
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug app httpsd -1
diag debug enablehttpsd will be the web server that seems to fail, since the authentication as the other part works.
Best regards,
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey rsteixeira,
from the debug, it does look like RADIUS returns both a group, Firewall_Admins, and an admin profile, super_admin; this should override the no_access admin profile you've set as default in the wildcard admin.
I'm not seeing any issue with the RADIUS side of things.
It is strange that FortiGate is also trying to authenticate the user to LDAP - do you have a second wildcard admin configured, or anything of the sort? In the group itself "GRP-RADIUS-XPTO" I do not see an LDAP server referenced. The fact that LDAP is also queried indicates to me that perhaps there's a second group/wildcard admin somewhere, and FortiGate has issues matching the login to the correct group or wildcard admin maybe?
Can you gather fnbamd debug from a working 7.0 FortiGate and compare? Assuming they have the same configuration, you should see roughly the same output, and it would be interesting to know if there is also LDAP involved in that case.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Related Posts
- FSSO authentication fallback with flow-based policy 190 Views
- VPN users to hitting the correct... 236 Views
- What Can/Should Be Configured Outside of... 277 Views
- Fortinet admin accounts can't contain "."... 606 Views
- FortiGate VPN Web Filtering 314 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.