FortiGate
azhunissov (Staff)
Article Id 192767

Description

This article explains how to set up a FortiGate in the scenario where a Radius server is used to authenticate FortiGate admin users, and a fallback to a local backup password is required if the Radius server does not respond.

 

Scope

FortiGate.


Solution


Note:

This setup requires a local admin account to be created on the FortiGate.
If local accounts should not be used (only existing accounts on the Radius server), consult the KB article listed under 'Related Articles'.

Radius server configuration:

config user radius
    edit "FACVM"
        set server "172.16.190.100"
        set secret SUPERSECRETPASSWORD
        set auth-type ms_chap_v2
    next
end

 

User group configuration that references the Radius server and matches the Radius user group:

config user group
    edit "radiusgroup"
        set member "FACVM"
        config match
            edit 1
                set server-name "FACVM"
                set group-name "radiusgroup"
            next
        end
    next
end

 

Local admin account configuration with remote authentication enabled and a local backup password:


config system admin
    edit "radiusadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "radiusgroup"
        set password fortinetlocal
    next
end

 

Verification:

1. When the Radius server is up, connect to the FortiGate with "radiususer1/radiuspassword"; access is granted:

diagnose debug application fnbamd -1
diagnose debug enable

# [2274] handle_req-Rcvd auth req 457812065 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[614] fnbamd_pop3_start-radiususer1
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.100->172.16.190.100
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=128 len=164 user="radiususer1" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'FACVM' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[557] create_auth_session-Total 1 server(s) to try
[2406] fnbamd_auth_handle_radius_result-Timer of rad 'FACVM' is deleted
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup
[2432] fnbamd_auth_handle_radius_result-Result for radius svr 'FACVM' 172.16.190.100(1) is 0     <----- 0=Authentication successful, 1=Authentication failed
[2356] fnbamd_radius_group_match-Passed group matching
[1031] find_matched_usr_grps-Group 'radiusgroup' passed group matching
[1032] find_matched_usr_grps-Add matched group 'radiusgroup'(10)

 

2. When the Radius server is down, connect to the FortiGate with "radiususer1/radiuspassword"; access is denied:

diagnose debug application fnbamd -1
diagnose debug enable

# [2274] handle_req-Rcvd auth req 457812067 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[614] fnbamd_pop3_start-radiususer1
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.100->172.16.190.100
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'FACVM' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[557] create_auth_session-Total 1 server(s) to try
[47] handle_rad_timeout-rad 'FACVM' 172.16.190.100 timed out, resend request.
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[63] handle_rad_timeout-Timer of rad 'FACVM' is added
[3197] handle_auth_timeout_with_retry-Retry
[396] radius_stop-Timer of rad 'FACVM' is deleted
[1039] fnbamd_auth_retry-svr_type = 2
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[341] radius_start-Didn't find radius servers (0)
[3215] handle_auth_timeout_with_retry-retry failed

 

3. When the Radius server is down, connect to the FortiGate with 'radiususer1/fortinetlocal'; access is granted.

Time and the list of connected administrators before connecting with 'radiususer1/fortinetlocal':


execute time
current time is: 16:11:20
last ntp sync:Wed Oct  2 15:49:13 2019

get sys info admin status
Index  User name   Login type  From
Logged in users: 3
USERNAME        TYPE    FROM             TIME
admin           https   172.16.191.5     Wed Oct  2 10:47:26 2019
admin           https   172.16.191.1     Wed Oct  2 11:06:56 2019
admin           ssh     10.109.63.254    Wed Oct  2 15:16:57 2019

 

FortiGate first tries to authenticate against the Radius server; after that attempt fails, it falls back to the local backup password:

diagnose debug application fnbamd -1
diagnose debug enable

# [2274] handle_req-Rcvd auth req 457812070 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[341] radius_start-Didn't find radius servers (0)
[3215] handle_auth_timeout_with_retry-retry failed

 

Time and the list of connected administrators after connecting with 'radiususer1/fortinetlocal':


execute time
current time is: 16:13:06
last ntp sync:Wed Oct  2 15:49:13 2019

get sys info admin status
Index  User name   Login type  From
Logged in users: 4
USERNAME        TYPE    FROM             TIME
admin           https   172.16.191.5     Wed Oct  2 10:47:26 2019
admin           https   172.16.191.1     Wed Oct  2 11:06:56 2019
admin           ssh     10.109.63.254    Wed Oct  2 15:16:57 2019
radiususer1     http    10.109.63.254    Wed Oct  2 16:12:40 2019
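As an added example (not part of the original article or Fortinet's tooling), the following Python helpers parse the fnbamd debug output and the 'get sys info admin status' output shown in the verification steps, so a monitoring script can flag an admin session that was admitted with the local backup password while the Radius server was unreachable. The sample strings are constructed from the outputs above, and the function names are assumptions of this example.

```python
import re

# Constructed samples, abridged from the verification outputs above (not live captures).
FNBAMD_ACCEPT = """\
[2274] handle_req-Rcvd auth req 457812065 for radiususer1 in radiusgroup opt=00010001 prot=10
[2432] fnbamd_auth_handle_radius_result-Result for radius svr 'FACVM' 172.16.190.100(1) is 0
[2356] fnbamd_radius_group_match-Passed group matching
"""
FNBAMD_TIMEOUT = """\
[2274] handle_req-Rcvd auth req 457812070 for radiususer1 in radiusgroup opt=00010001 prot=10
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[47] handle_rad_timeout-rad 'FACVM' 172.16.190.100 timed out, resend request.
[3215] handle_auth_timeout_with_retry-retry failed
"""
ADMIN_STATUS = """\
Logged in users: 4
USERNAME        TYPE    FROM             TIME
admin           https   172.16.191.5     Wed Oct  2 10:47:26 2019
radiususer1     http    10.109.63.254    Wed Oct  2 16:12:40 2019
"""

def classify_fnbamd(output):
    """Summarise one fnbamd auth attempt as (user, outcome). Outcome is
    'radius_accept', 'radius_reject', 'radius_timeout' (server unreachable,
    so the local backup password may have been used) or 'unknown'."""
    req = re.search(r"Rcvd auth req \d+ for (\S+) in (\S+)", output)
    user = req.group(1) if req else None
    result = re.search(r"Result for radius svr '[^']+' [\d.]+\(\d+\) is (\d+)", output)
    if result:
        return user, "radius_accept" if result.group(1) == "0" else "radius_reject"
    if "timed out" in output and "retry failed" in output:
        return user, "radius_timeout"
    return user, "unknown"

def logged_in_admins(status_output):
    """Parse 'get sys info admin status' rows into (user, type, from, time) tuples."""
    rows = []
    for line in status_output.splitlines():
        m = re.match(r"(\S+)\s+(https?|ssh|telnet|console)\s+(\S+)\s+(.+)$", line)
        if m:
            rows.append(m.groups())
    return rows

def local_fallback_logins(fnbamd_output, status_output):
    """Admin sessions for a user whose RADIUS request timed out: that user was
    admitted with the local backup password, which is worth alerting on."""
    user, outcome = classify_fnbamd(fnbamd_output)
    if outcome != "radius_timeout":
        return []
    return [row for row in logged_in_admins(status_output) if row[0] == user]
```

Feeding the step 2 and step 3 captures through local_fallback_logins() returns the radiususer1 session only for the step 3 case, which is the event an operator should be notified of.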

 

Related Articles

Technical Tip: Remote admin login with Radius selecting admin access account profile

Technical Note: FortiGate admin authentication using radius groups fails