FortiGate
Article Id 194618
Description: Authentication based routing
Components
  • FortiOS v3.0 MR6

Steps or Commands

Authentication based routing was added in FortiOS v3.0 MR6. It allows firewall policies to determine how to direct network traffic flows based on a RADIUS object.

You configure the auth-path RADIUS object and attach it to a firewall policy, and configure the RADIUS server to supply the name of that object. When traffic matches that policy and the user authenticates successfully against the RADIUS object, the FortiGate unit routes the traffic to its destination.

Authentication based routing can only be configured in the CLI, and it involves the config user, config router, and config firewall commands. For more information on these commands, refer to the FortiOS CLI Reference Guide.

Note: The config router auth-path command is not available when the FortiGate unit is in Transparent mode.

This example configures a local user (test_user) that authenticates on a RADIUS server (test_radius). In this example, before any traffic is allowed to pass through the firewall, the FortiGate unit authenticates traffic that originates from the test_user account and goes from the internal interface (IP address 192.168.10.10) to the external interface.

Note: Your RADIUS server must be configured to supply the name of the auth-path router object and have an entry for test_user. Otherwise, authentication based routing will fail.

To configure authentication based routing on your FortiGate unit

  1. Configure your FortiGate unit to communicate with a RADIUS authentication server.

    config user radius
     edit test_radius
       set auth-type auto
       set secret F0RT1N3t
       set server 192.168.10.100
       set use-management-vdom enable
     end

  2. Configure a user that uses the RADIUS server.

    config user local
     edit test_user
       set status enable
       set type radius
       set passwd P4ssW0rd
       set radius-server test_radius
     end

  3. Add that user to a user group configured to use the RADIUS server.

    config user group
     edit test_group
       set type firewall
       set profile unfiltered
       set members test_user
     end

  4. Configure the router auth-path object.

    config router auth-path
     edit auth_based_rtr
       set device internal
       set gateway 192.168.10.2
     end

  5. Configure a custom service for RADIUS traffic.

    config firewall service custom
     edit RADIUS
       set protocol TCP/UDP
       set tcprange 1812-1812:1-65535
     end

  6. Configure a service group that includes RADIUS traffic along with other types of traffic that will be allowed to pass through the firewall.

    config firewall service group
     edit radiusWithWebGrp
       set member DNS HTTP HTTPS RADIUS
     end

  7. Configure a firewall policy with authentication based routing (auth-path) enabled.

    config firewall policy
     edit 5
       set srcintf external
       set srcaddr all
       set dstintf internal
       set dstaddr all
       set service radiusWithWebGrp
       set action accept
       set groups test_group
       set auth-path enable
       set comments "authentication based routing test policy"
       set disclaimer disable
       set logtraffic enable
       set status enable
     end
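The seven steps above reference each other by name (the policy names the group, the group names the user, the user names the RADIUS server, the service group names the custom service), and a misspelled name in any one of them leaves the policy silently matching nothing or failing authentication. The following is an added example, not code from the Fortinet article: a small Python parser for the flat `config / edit / set / end` CLI blocks shown above, plus a check that every object the auth-path policy depends on is actually defined. The sample configuration is constructed from the article's blocks, trimmed to the cross-referenced keys, and the set of predefined services (DNS, HTTP, HTTPS) is an assumption.

```python
"""Reference check for a FortiOS authentication-based-routing configuration.
Added example, not code from the Fortinet article: it parses the article's
flat 'config / edit / set / end' CLI blocks and verifies that every object
the firewall policy depends on is defined before the policy is deployed."""
import shlex
from collections import defaultdict

# Constructed sample: the article's CLI blocks, trimmed to the cross-referenced keys.
SAMPLE_CONFIG = """
config user radius
 edit test_radius
   set server 192.168.10.100
 end
config user local
 edit test_user
   set type radius
   set radius-server test_radius
 end
config user group
 edit test_group
   set members test_user
 end
config router auth-path
 edit auth_based_rtr
   set gateway 192.168.10.2
 end
config firewall service custom
 edit RADIUS
   set tcprange 1812-1812:1-65535
 end
config firewall service group
 edit radiusWithWebGrp
   set member DNS HTTP HTTPS RADIUS
 end
config firewall policy
 edit 5
   set service radiusWithWebGrp
   set groups test_group
   set auth-path enable
   set comments "authentication based routing test policy"
 end
"""

# Assumption: these predefined FortiOS services exist; any other service name
# must be defined under 'config firewall service custom'.
PREDEFINED_SERVICES = {"DNS", "HTTP", "HTTPS"}


def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into
    {section: {object_name: {key: [values]}}}; nested sections are not handled."""
    tables = defaultdict(dict)
    section = obj = None
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted 'comments' value
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            section = " ".join(args)
        elif cmd == "edit" and section is not None:
            obj = args[0]
            tables[section].setdefault(obj, {})
        elif cmd == "set" and obj is not None:
            tables[section][obj][args[0]] = args[1:]
        elif cmd == "next":
            obj = None
        elif cmd == "end":
            section = obj = None
    return tables


def check_auth_path_policy(tables, policy_id, predefined=PREDEFINED_SERVICES):
    """Return dangling references for one policy (empty list = consistent): auth-path
    enabled, an auth-path object present, every group/user/RADIUS server/service defined."""
    problems = []
    policy = tables["firewall policy"].get(policy_id)
    if policy is None:
        return [f"policy {policy_id} not found"]
    if policy.get("auth-path") != ["enable"]:
        problems.append(f"policy {policy_id}: auth-path not enabled")
    if not tables["router auth-path"]:
        problems.append("no 'config router auth-path' object defined")
    for group in policy.get("groups", []):
        g = tables["user group"].get(group)
        if g is None:
            problems.append(f"policy {policy_id}: group {group} undefined")
            continue
        for member in g.get("members", []):
            user = tables["user local"].get(member)
            if user is None:
                problems.append(f"group {group}: member {member} undefined")
            elif user.get("type") == ["radius"]:
                srv = user.get("radius-server", [None])[0]
                if srv not in tables["user radius"]:
                    problems.append(f"user {member}: radius-server {srv} undefined")
    for svc in policy.get("service", []):
        # A service name is either a service group (expand it) or a single service.
        names = tables["firewall service group"].get(svc, {}).get("member", [svc])
        for name in names:
            if name not in tables["firewall service custom"] and name not in predefined:
                problems.append(f"policy {policy_id}: service {name} undefined")
    return problems
```

Run `check_auth_path_policy(parse_fortios(SAMPLE_CONFIG), "5")` on the article's configuration and it returns an empty list; rename the group member, the service group member, or disable `auth-path`, and the corresponding dangling reference is reported. Feed it the output of `show` from a unit (flat sections only) to verify a deployed policy before relying on it.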

This example uses a RADIUS server called test_radius and the default RADIUS port of 1812. If there is more than one VDOM on the FortiGate unit, test_radius uses the management VDOM (root by default) for RADIUS traffic.

The user will not see an authentication disclaimer page. Instead, all authentication is done automatically.