FortiGate
Jonathan_Body_FTNT
Article Id 189681

Description

This article explains why an admin account that uses RADIUS authentication cannot log in when the connecting interface is not in the same VDOM as the RADIUS server and user group, and how to enable it.


Scope

FortiOS v4.0 MR2
FortiOS v4.0 MR3


Solution

Setup and Symptoms:

- Admin account configured for RADIUS authentication.
- Multiple VDOMs configured.
- SSH/HTTPS login succeeds on some interfaces but fails on others.
- HA enabled with an HA management interface configured.

Configuration

1. Interface configuration:
FGT60C3G10009763 (interface) # show

config system interface
   edit "dmz"
      set vdom "root"
      set ip 10.10.10.50 255.255.255.0
      set allowaccess ping https ssh fgfm
      set type physical
      set alias "Internal LAN"
   next
   edit "wan2"
      set vdom "test"
      set ip 172.31.224.208 255.255.254.0
      set allowaccess ping https ssh telnet fgfm
      set type physical
   next
   edit "wan1"
      set vdom "root"
      set ip 192.168.182.208 255.255.254.0
      set allowaccess ping https ssh fgfm
      set type physical
   next
   edit "internal"
      set vdom "test"
      set ip 10.147.0.208 255.255.254.0
      set allowaccess ping https ssh fgfm
      set type physical
   next
end
 
FGT60C3G10009763 (ha) # show

config system ha
   set mode a-p
   set ha-mgmt-status enable
   set ha-mgmt-interface "wan2"
   set override disable
end

2. RADIUS server profile:
config user radius
   edit "router2_root"
      set auth-type pap
      set secret fortinet
      set server "192.168.183.2"
      set use-management-vdom enable
   next
end

3. User group profile:
config user group
   edit "Router2_Group_root"
      set member "router2_root"
   next
end

4. Admin profile:
config system admin
   edit "Radius_Accounts"
      set remote-auth enable
      set accprofile "super_admin"
      set vdom "root"
      set wildcard enable
      set remote-group "Router2_Group_root"
   next
end

Conclusion

With this configuration, a RADIUS-authenticated admin cannot log in via SSH (or HTTPS) when the connection arrives on an interface that does not belong to the root VDOM ("wan2" and "internal" are in VDOM "test" above), or on the interface configured as the HA management interface ("wan2"). Logins arriving on the root VDOM interfaces ("wan1", "dmz") are not affected.

Solution

The radius-vdom-override parameter in "config system admin" must be enabled on the RADIUS admin account, as shown below (generic names admin1 and group1; for the configuration above this is the "Radius_Accounts" entry):
config system admin
   edit "admin1"
      set remote-auth enable
      set accprofile "super_admin"
      set vdom "root"
      set wildcard enable
      set remote-group "group1"
      set radius-vdom-override enable <--------------------
   next
end
The expected behaviour of RADIUS authentication for a global admin user is that it does not matter in which VDOM the connection arrives: the RADIUS request is sent from the VDOM that owns the user group, or from the management VDOM when use-management-vdom is enabled in the RADIUS server definition (as in the "router2_root" profile above).
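As an added example (not code from the article or from Fortinet), the script below turns the conclusion above into a check that can be run against a FortiOS configuration dump: it parses the config/edit/set/next/end CLI subset, lists every remote-auth admin account without radius-vdom-override that can be reached on an interface outside the admin's VDOM or on the HA management interface, and then rewrites the admin entry with the fix from the Solution section so the same check passes. The embedded config is a constructed, trimmed copy of the article's sample (interface, HA and admin tables only); the function names, the ADMIN_PROTOCOLS set and the finding format are this example's own assumptions, and the parser flattens nested sub-tables by name, which is enough for these tables.

```python
"""Added example, not from the article or Fortinet: audit a FortiOS config
dump for RADIUS admin accounts that will fail to log in as described in the
article's conclusion, and apply the radius-vdom-override fix to the text."""
import shlex
from collections import defaultdict

# Constructed, trimmed copy of the article's sample configuration.
SAMPLE_CONFIG = """\
config system interface
    edit "wan2"
        set vdom "test"
        set allowaccess ping https ssh telnet fgfm
    next
    edit "wan1"
        set vdom "root"
        set allowaccess ping https ssh fgfm
    next
    edit "internal"
        set vdom "test"
        set allowaccess ping https ssh fgfm
    next
end
config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface "wan2"
end
config system admin
    edit "Radius_Accounts"
        set remote-auth enable
        set vdom "root"
        set remote-group "Router2_Group_root"
    next
end
"""

ADMIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}  # allowaccess values that open a login


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}. Table-wide 'set' lines (blocks
    without 'edit', e.g. system ha) land under entry ''. Assumed-simple parser."""
    tables = defaultdict(lambda: defaultdict(dict))
    stack = []  # one [table, current_entry] pair per open 'config' block
    for raw in text.splitlines():
        parts = shlex.split(raw)  # shlex honours the "quoted" names
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb == "config":
            stack.append([" ".join(args), ""])
        elif verb == "edit":
            stack[-1][1] = args[0]
        elif verb == "set":
            table, entry = stack[-1]
            tables[table][entry][args[0]] = args[1:]
        elif verb == "next":
            stack[-1][1] = ""
        elif verb == "end":
            stack.pop()
    return tables


def audit_radius_admins(text):
    """Return sorted (admin, interface, reason) tuples for remote-auth admins that
    lack radius-vdom-override and are reachable outside their VDOM or via HA mgmt."""
    cfg = parse_fortios(text)
    ha = cfg["system ha"][""]
    ha_mgmt = ha.get("ha-mgmt-interface", [None])[0] if ha.get("ha-mgmt-status") == ["enable"] else None
    findings = []
    for admin, a in cfg["system admin"].items():
        if a.get("remote-auth") != ["enable"] or a.get("radius-vdom-override") == ["enable"]:
            continue  # local admin, or the fix is already applied
        admin_vdom = a.get("vdom", ["root"])[0]
        for ifname, i in cfg["system interface"].items():
            if not ADMIN_PROTOCOLS & set(i.get("allowaccess", [])):
                continue  # no management protocol open on this interface
            if_vdom = i.get("vdom", ["root"])[0]
            if ifname == ha_mgmt:
                findings.append((admin, ifname, "ha-mgmt interface"))
            elif if_vdom != admin_vdom:
                findings.append((admin, ifname,
                                 f"interface in vdom {if_vdom}, admin in vdom {admin_vdom}"))
    return sorted(findings)


def enable_vdom_override(text, admin_name):
    """Return the config text with 'set radius-vdom-override enable' inserted
    before the 'next' of the named entry in 'config system admin'."""
    out, in_admin, in_entry = [], False, False
    for line in text.splitlines():
        parts = shlex.split(line)
        if parts == ["config", "system", "admin"]:
            in_admin = True
        elif in_admin and parts == ["edit", admin_name]:
            in_entry = True
        elif in_entry and parts == ["next"]:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(indent + "    set radius-vdom-override enable")
            in_entry = False
        elif in_admin and parts == ["end"]:
            in_admin = False
        out.append(line)
    return "\n".join(out) + "\n"
```

Run against the sample, audit_radius_admins reports "Radius_Accounts" on "internal" (VDOM "test") and on "wan2" (the HA management interface), and returns nothing once enable_vdom_override has added the line. On the unit itself, `diagnose debug application fnbamd -1` together with `diagnose debug enable` while the failing login is attempted shows the authentication attempt the fnbamd daemon actually makes, and `diagnose test authserver radius router2_root pap <user> <password>` run from the root VDOM confirms that the RADIUS server is reachable from there.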