Gianluca_Bona
New Contributor

How to configure NPS to authenticate FortiGate administrators

Hi all,

I face an issue that has never occurred before.

I configured a RADIUS server (Windows 2008R2 NPS) to authenticate administrators of a FortiGate (release 5.0.11).

In the Microsoft Event Viewer I see that the user has been granted access, but in the FortiGate log the user's access is refused due to "incorrect password".

Are there some special tricks to be configured?

Any required vendor-specific attributes to be configured on NPS?

Many thanks!

Gianluca

rwpatterson
Valued Contributor III

You need to use LDAP for [strike]admin[/strike] (should have read SSL VPN) users. With NPM, you need to be authenticated before permission is granted. This is primarily used for AD group filtering for Internet access.

Edited for incorrect content. -rp

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Gianluca_Bona

So I'll remove RADIUS and configure LDAP servers in the FortiGate.

It was the last chance in my mind.

By the way, it is strange that RADIUS cannot be used to authenticate administrators.

Thank you very much!

Gianluca

xsilver_FTNT
Staff

RADIUS can be used for admin users as well as LDAP and TACACS+, even for wildcard admin users (1:N), so one admin account on the FGT matches many accounts on the RADIUS server. I would suggest checking the KB for "radius admin" or "radius wildcard"; the very first hits/technotes will give you the idea.

Usual caveats are:

- the RADIUS server configured on the FGT is used for both admins and users, or even "use in all groups" is turned on; I'd suggest making a dedicated RADIUS server config and firewall user group just for admin authentication

- group match is set, but the RADIUS server does not return the configured string in the Fortinet-Group-Name AVP, and therefore the group match fails

Another possibility is to open a ticket on the support site and attach:

- network diagram

- config backup

- RADIUS sniffer capture (I assume the default ports are used, so something like the CLI output from: diag sniffer packet any 'port 1812' 6 0 a)

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
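The two caveats above (a shared secret that does not line up, and an Access-Accept that carries no Fortinet-Group-Name) can both be checked offline against the bytes a sniffer capture shows. The following Python is an added example, not code from this thread or from Fortinet: it verifies the RFC 2865 Response Authenticator of a RADIUS reply under a given shared secret and pulls the Fortinet-Group-Name VSA (Fortinet vendor ID 12356, sub-type 1) out of it. The reply packet, shared secret and group name are constructed sample values.

```python
import hashlib
import struct

# Fortinet's IANA enterprise number and the VSA sub-types the thread refers to
FORTINET_VENDOR_ID = 12356
FORTINET_VSA = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26


def parse_attributes(data):
    """Walk the RADIUS attribute TLVs, expanding Fortinet Vendor-Specific ones."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]   # sub_len counts from value[4]
            if vendor == FORTINET_VENDOR_ID:
                name = FORTINET_VSA.get(sub_type, "Fortinet-VSA-%d" % sub_type)
                attrs.append((name, value[6:4 + sub_len]))
                i += alen
                continue
        attrs.append((atype, value))
        i += alen
    return attrs


def check_access_accept(packet, request_authenticator, secret):
    """Report whether the reply is an Access-Accept, whether its Response
    Authenticator verifies under `secret`, and which Fortinet-Group-Name it carries."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    # RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    group = next((v.decode() for n, v in parse_attributes(attrs)
                  if n == "Fortinet-Group-Name"), None)
    return {"accept": code == ACCESS_ACCEPT, "secret_ok": expected == packet[4:20], "group": group}


def build_access_accept(ident, request_authenticator, secret, group_name):
    """Constructed sample reply, standing in for what 'diag sniffer' would capture."""
    vsa_body = struct.pack("!IBB", FORTINET_VENDOR_ID, 1, 2 + len(group_name)) + group_name.encode()
    attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa_body)]) + vsa_body
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs
```

A reply that verifies with the FGT's secret but reports `group` as None points at the NPS policy not sending the VSA; one that fails `secret_ok` points at a shared-secret mismatch between NPS and the FGT.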

emnoc
Esteemed Contributor III

I agree with all that's been posted and suggest using a radtest client before troubleshooting issues within the FortiGate. You can manipulate all client-side attributes and debug issues.

PCNSE 

NSE 

StrongSwan  

rwpatterson
Valued Contributor III

Dangit! Been out of the loop too long. Confusing admin login with SSL VPN login...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com