Authentication based routing was added in FortiOS v3.0 MR6. It allows firewall policies to determine how to direct network traffic flows based on a RADIUS object.
You configure the auth-path RADIUS object and attach it to a firewall policy. Configure the RADIUS server to supply the name of that object. When traffic matches that policy and has successful authentication with the RADIUS object, the FortiGate unit routes traffic to its destination.
Authentication based routing can only be configured in the CLI; it involves the config user, config router, and config firewall commands. For more information on these commands refer to the FortiOS CLI Reference Guide.
Note: The config router auth-path command is not available when the FortiGate unit is in Transparent mode.
This example configures a local user (test_user) that authenticates on a RADIUS server (test_radius). Before any traffic is allowed to pass through the firewall, the FortiGate unit authenticates traffic that originates from the test_user account and goes from the internal interface (internal interface IP address is 192.168.10.10) to the external interface.
Note: Your RADIUS server must be configured to supply the name of the auth-path router object and must have an entry for test_user. Otherwise, authentication based routing will fail.
To configure authentication based routing on your FortiGate unit
- Configure your FortiGate unit to communicate with a RADIUS authentication server.
    config user radius
        edit test_radius
            set auth-type auto
            set secret F0RT1N3t
            set server 192.168.10.100
            set use-management-vdom enable
        end
- Configure a user that uses the RADIUS server.
    config user local
        edit test_user
            set status enable
            set type radius
            set passwd P4ssW0rd
            set radius-server test_radius
        end
- Add that user to a user group configured to use the RADIUS server.
    config user group
        edit test_group
            set type firewall
            set profile unfiltered
            set members test_user
        end
- Configure the router auth-path object.
    config router auth-path
        edit auth_based_rtr
            set device internal
            set gateway 192.168.10.2
        end
- Configure a custom service for RADIUS traffic. RADIUS authentication runs over UDP port 1812, so the service needs a UDP port range as well as the TCP range.
    config firewall service custom
        edit RADIUS
            set protocol TCP/UDP
            set tcprange 1812-1812:1-65535
            set udprange 1812-1812:1-65535
        end
- Configure a service group that includes RADIUS traffic along with other types of traffic that will be allowed to pass through the firewall.
    config firewall service group
        edit radiusWithWebGrp
            set member DNS HTTP HTTPS RADIUS
        end
- Configure a firewall policy that has authentication based routing (auth-path) enabled.
    config firewall policy
        edit 5
            set srcintf external
            set srcaddr all
            set dstintf internal
            set dstaddr all
            set service radiusWithWebGrp
            set action accept
            set groups test_group
            set auth-path enable
            set comments "authentication based routing test policy"
            set disclaimer disable
            set logtraffic enable
            set status enable
        end
This example uses a RADIUS server called test_radius on the default RADIUS port, 1812. If there is more than one VDOM on the FortiGate unit, test_radius uses the management VDOM (root by default) for RADIUS traffic.
The user will not see an authentication disclaimer page. Instead, all the authentication will be done automatically.
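The procedure above only works if every object it creates refers to one that exists: the policy's group, the group's member, the member's RADIUS server, and the auth-path object the RADIUS server will name. As an added example (not from the FortiOS documentation or any Fortinet tool), the Python script below parses configuration text in the flattened config/edit/set/end form shown above and lists the dangling references; SAMPLE_CONFIG, the parser and the check messages are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample, not Fortinet's code: the procedure's objects trimmed to their cross-references
SAMPLE_CONFIG = """
config user radius edit test_radius set server 192.168.10.100 end
config user local edit test_user set type radius set radius-server test_radius end
config user group edit test_group set members test_user end
config router auth-path edit auth_based_rtr set device internal set gateway 192.168.10.2 end
config firewall policy edit 5 set groups test_group set auth-path enable end
"""
KEYWORDS = {"config", "edit", "set", "next", "end"}

def parse_fortios(text):
    """Parse flattened config/edit/set/end text into {table: {object: {key: values}}}."""
    tables = defaultdict(dict)
    tokens, i, table, obj = text.split(), 0, None, None
    while i < len(tokens):
        word, i = tokens[i], i + 1
        args = []  # a keyword's arguments run until the next keyword
        while i < len(tokens) and tokens[i] not in KEYWORDS:
            args.append(tokens[i])
            i += 1
        if word == "config":
            table = " ".join(args)
        elif word == "edit":
            obj = args[0]
            tables[table][obj] = {}
        elif word == "set":
            tables[table][obj][args[0]] = args[1:]
        elif word == "end":  # "next" only closes the object; "end" closes the table too
            table = obj = None
    return tables

def check_auth_routing(tables):
    """Return the dangling references that would make auth-path routing fail."""
    problems = []
    if not tables["router auth-path"]:
        problems.append("no router auth-path object for the RADIUS server to name")
    for pid, policy in tables["firewall policy"].items():
        groups = policy.get("groups", []) if policy.get("auth-path") == ["enable"] else []
        for group in groups:
            if group not in tables["user group"]:
                problems.append(f"policy {pid}: group {group} not defined")
            for user in tables["user group"].get(group, {}).get("members", []):
                local = tables["user local"].get(user)
                if local is None:
                    problems.append(f"group {group}: user {user} not defined")
                elif local.get("radius-server", [None])[0] not in tables["user radius"]:
                    problems.append(f"user {user}: RADIUS server not defined")
    return problems
```

Run `check_auth_routing(parse_fortios(SAMPLE_CONFIG))` against a `show`-style dump of your own unit; an empty list means the objects link up as the procedure requires.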