FortiGate
gfranceschi
Staff
Article Id 191891
Purpose
The Radius accounting packet is received on port2 (vdom1). The information is inserted into the Radius database defined in vdom1 and used by traffic going through the root vdom.
The user traffic goes through the root vdom, and the firewall policy authenticates users with RSSO against the Radius server declared in vdom1.
The configuration "config system vdom-radius-server" is used for this purpose.
Scope
RSSO configuration example for FortiOS v5.2 with "config system vdom-radius-server", including debug commands.

Diagram
Radius Server  = 10.130.2.51/22  ------(vlan130)---- 10.130.0.191/22  port2 (vdom1)  |
                                                                                     |  FGT600B-1   port17 (root) -------> INTERNET
Client Browser = 10.131.2.144/22 ------(vlan131)---- 10.131.0.191/22  port1 (root)   |

Port2 is part of vdom1
Port1 and Port17 are part of root vdom
Expectations, Requirements
How to configure RSSO with a Radius server shared by different vdoms in FortiOS v5.2?


Configuration
Configuration on FGT side:


- Specify on which interface Radius accounting packets are accepted with "allowaccess radius-acct":

FG600B-1 (global) # show system interface port2
config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.130.0.191 255.255.252.0
        set allowaccess ping https ssh http telnet radius-acct
        set type physical
        set snmp-index 2
    next
end

- Declare the Radius server in one vdom (here vdom1; the root vdom has no Radius server of its own):

FG600B-1 # con vdom
FG600B-1 (vdom) # edit vdom1
current vf=vdom1:1
FG600B-1 (vdom1) # show user radius
config user radius
    edit "RadiusRsso"
        set rsso enable
        set rsso-secret ENC OAsnB67F4/yNRgiQ
        <---------- Other parameters are available and can be enabled, such as the request secret check (rsso-validate-request-secret)...
FG600B-1 (RadiusRsso) # get
name                : RadiusRsso
timeout             : 5
h3c-compatibility   : disable
rsso                : enable
rsso-radius-server-port: 1813
rsso-radius-response: disable
rsso-validate-request-secret: disable
rsso-secret         : *
rsso-endpoint-attribute: Calling-Station-Id
rsso-endpoint-block-attribute: Called-Station-Id
sso-attribute       : Class
sso-attribute-key   :
rsso-context-timeout: 28800
rsso-log-period     : 0
rsso-log-flags      : protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
rsso-flush-ip-session: disable
    next
end
FG600B-1 (vdom1) # next
FG600B-1 (vdom) # edit root
current vf=root:0
FG600B-1 (root) # show user radius

- Specify which vdom shares the Radius server for RSSO (the entry name is the vdom that uses the server; radius-server-vdom is the vdom where it is declared):

FG600B-1 (global) # show system vdom-radius-server
config system vdom-radius-server
    edit "root" <------- Radius server will be used in this vdom
        set status enable
        set radius-server-vdom "vdom1"  <------ Radius server is declared in this vdom
    next
end

- Define the RSSO user groups; the group name is sent as an attribute in the Radius accounting packet:

FG600B-1 (vdom1) # show user group
config user group
    edit "SSO_Guest_Users"
    next
end
FG600B-1 (vdom1) # end

FG600B-1 # con vdom
FG600B-1 (vdom) # edit root
current vf=root:0
FG600B-1 (root) # show user group
config user group
    edit "SSO_Guest_Users"
    next
    edit "Guest-group"
        set member "guest"
    next
    edit "Grp_postes_standards"
        set member "LDAP_postes_standards"
    next
    edit "Group0"
        set group-type rsso
        set sso-attribute-value "Group0" <------- RSSO group, parameter received in Radius Accounting
    next
    edit "Group1"
        set group-type rsso
        set sso-attribute-value "Group1"
    next
    edit "Group2"
        set group-type rsso
        set sso-attribute-value "Group_Advanced_offer_2"
    next
    edit "Group3"
        set group-type rsso
        set sso-attribute-value "Group_Advanced_offer_3"
    next
end

- Configure the firewall policies that match the user group and apply the profiles:

FG600B-1 (root) # show firewall policy
config firewall policy
    edit 4
        set srcintf "port1"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 1
        set srcintf "port1"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set rsso enable
        set groups "Group0"         <--------------- Group received in Radius Accounting will be checked, then profile applied
        set webfilter-profile "standard_Gambling"
        set profile-protocol-options "protocol-options-standard"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    edit 2
        set srcintf "port1"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set rsso enable
        set groups "Group1"
        set webfilter-profile "default"
        set profile-protocol-options "protocol-options-standard"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    edit 3
        set srcintf "port1"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set groups "Group3"
        set webfilter-profile "Advanced_Profile"
        set profile-protocol-options "protocol-options-standard"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
FG600B-1 (root) # end

FG600B-1 # con vdom
FG600B-1 (vdom) # edi vdom1
current vf=vdom1:1
FG600B-1 (vdom1) # show firewall policy
config firewall policy
end


Simulate a Radius accounting client for test purposes with the NTRadPing test utility, as follows.

The Radius accounting packet will contain:
     Framed-IP-Address with user IP
     rsso-endpoint-attribute: Calling-Station-Id
     sso-attribute       : Class   <----- used in config user group

config user group
    edit "Group0"
        set group-type rsso
        set sso-attribute-value "Group0" <------- RSSO group, parameter received in Radius Accounting
    next
end

FG600B-1 (radius) # edi RadiusRsso
FG600B-1 (RadiusRsso) # get
name                : RadiusRsso
rsso                : enable
rsso-radius-server-port: 1813
rsso-endpoint-attribute: Calling-Station-Id  <----------- User reference
rsso-endpoint-block-attribute: Called-Station-Id
sso-attribute       : Class  <----------- Radius attribute
Verification

- Reset the state for lab purposes:

FG600B-1 (global) # diagnose test application radiusd 99 <-- restart the process
FG600B-1 (root) # diagnose  firewall auth clear <-- clear authenticated users
----- all cleared ------


- Enable the radiusd debug and send the Radius accounting packet:

FG600B-1 (root) # diagnose debug application radiusd -1
FG600B-1 (root) # di de en

FG600B-1 (root) # Received radius accounting eventDB 0 insert [ep='32471995584' pg='Group0' ip='10.131.2.144'] success
Received radius accounting eventDB 0 insert [ep='32471995584' pg='Group0' ip='10.131.2.144'] success

FG600B-1 (root) # diagnose debug application radiusd 0

The packet is received in vdom1 on interface port2:

FG600B-1 (root) # diag sniffer packet any "port 1813" 6
interfaces=[any]
filters=[port 1813]
1.958668 port2 in 10.130.2.51.56654 -> 10.130.0.191.1813: udp 65
0x0000   0000 0000 0001 0050 5601 623d 0800 4500        .......PV.b=..E.
0x0010   005d 1d70 0000 8011 052b 0a82 0233 0a82        .].p.....+...3..
0x0020   00bf dd4e 0715 0049 9ff8 0409 0041 02df        ...N...I.....A..
0x0030   13ee e7ea f7b0 b58c 4817 8a3b 8d7e 2806        ........H..;.~(.
0x0040   0000 0001 2c06 3139 3834 0806 0a83 0290        ....,.1984......
0x0050   0606 0000 0002 1f0d 3332 3437 3139 3935        ........32471995
0x0060   3538 3419 0847 726f 7570 30                    584..Group0

5.461253 port2 in 10.130.2.51.56654 -> 10.130.0.191.1813: udp 65
0x0000   0000 0000 0001 0050 5601 623d 0800 4500        .......PV.b=..E.
0x0010   005d 1d72 4000 8011 c528 0a82 0233 0a82        .].r@....(...3..
0x0020   00bf dd4e 0715 0049 9ff8 0409 0041 02df        ...N...I.....A..
0x0030   13ee e7ea f7b0 b58c 4817 8a3b 8d7e 2806        ........H..;.~(.
0x0040   0000 0001 2c06 3139 3834 0806 0a83 0290        ....,.1984......
0x0050   0606 0000 0002 1f0d 3332 3437 3139 3935        ........32471995
0x0060   3538 3419 0847 726f 7570 30                    584..Group0

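The two Accounting-Requests captured above are what radiusd turned into the "DB 0 insert [ep='32471995584' pg='Group0' ip='10.131.2.144']" entries. The following Python script, added here as an example and not part of this article or of FortiOS, decodes the captured UDP payload into those three RSSO fields, builds an equivalent Accounting-Request the way NTRadPing does, and shows the Request Authenticator check that rsso-validate-request-secret performs; the shared secret "lab-secret" is a constructed value.

```python
import hashlib
import struct

# RADIUS attribute types (RFC 2865/2866) that the RSSO lookup on this page relies on
ACCT_STATUS_TYPE, SERVICE_TYPE, FRAMED_IP_ADDRESS = 40, 6, 8
CLASS, CALLING_STATION_ID, ACCT_SESSION_ID = 25, 31, 44
ACCOUNTING_REQUEST = 4  # RADIUS code

# UDP payload (65 bytes) of the first Accounting-Request in the sniffer output above,
# copied from the hex dump starting at the RADIUS header (code 0x04, id 0x09, length 0x41).
CAPTURED_HEX = ("0409004102df13eee7eaf7b0b58c48178a3b8d7e" "280600000001" "2c0631393834"
                "08060a830290" "060600000002" "1f0d3332343731393935353834" "190847726f757030")

def build_acct_request(secret: bytes, ident: int, attrs) -> bytes:
    """Build an Accounting-Request (what NTRadPing sends). RFC 2866: the 16-byte
    Request Authenticator is MD5(Code+ID+Length+16 zero bytes+attributes+secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def request_secret_valid(pkt: bytes, secret: bytes) -> bool:
    """The check enabled by 'set rsso-validate-request-secret enable':
    recompute the Request Authenticator with the shared secret and compare."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return expected == pkt[4:20]

def rsso_fields(pkt: bytes) -> dict:
    """Decode the attributes radiusd turns into a DB entry: ep (rsso-endpoint-attribute
    = Calling-Station-Id), pg (sso-attribute = Class) and ip (Framed-IP-Address)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return {
        "status": struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0],  # 1 = Start, 2 = Stop
        "ep": attrs[CALLING_STATION_ID].decode(),
        "pg": attrs[CLASS].decode(),
        "ip": ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS]),
    }

if __name__ == "__main__":
    print(rsso_fields(bytes.fromhex(CAPTURED_HEX)))  # ep='32471995584' pg='Group0' ip='10.131.2.144'
    pkt = build_acct_request(b"lab-secret", 9, [(ACCT_STATUS_TYPE, b"\x00\x00\x00\x01"),
          (FRAMED_IP_ADDRESS, bytes([10, 131, 2, 144])), (CALLING_STATION_ID, b"32471995584"), (CLASS, b"Group0")])
    print(request_secret_valid(pkt, b"lab-secret"), request_secret_valid(pkt, b"wrong"))
```

The captured packet cannot be checked against the article's secret (it is stored encrypted on the FortiGate), which is why the authenticator check is demonstrated on the locally built packet.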

- The user is authenticated and the user group has been received by the FortiGate:

FG600B-1 (global) # diagnose test application radiusd 33
RADIUS server database [vd vdom1]:
"index","start time","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,1447344942,07:59:56,"10.131.2.144","32471995584","allow","no log","Group0",1,No

FG600B-1 (global) # diagnose test application radiusd 3
RADIUS server database [vd vdom1]:
"index","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
1,07:51:26,"10.131.2.144","32471995584","allow","no log","Group0",1,No


FG600B-1 (root) # diagnose  firewall auth list

10.131.2.144, 32471995584
        type: rsso, id: 0, duration: 16, idled: 16
        group_id: 3
        group_name: Group0

----- 1 listed, 0 filtered ------

- Other radiusd debug commands:

FG600B-1 (global) # diagnose test application radiusd

Radius Daemon Test Usage:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  2 : Clear RADIUS server database
  3 : Show RADIUS server database
 33 : Show RADIUS server database (with start time)
  4 : Show RADIUS server database info
  9 : Check HA context table checksums
 11 : Show HA sync connection status
 20 : Show RADIUS server configuration cache
 21 : Show RADIUS server interface configuration cache
 99 : Restart
 
FG600B-1 (global) # diagnose test application radiusd 20
vd=1 (vdom1) n=RadiusRsso rsp=0 validate-secret=0 flush-ip=0 timeout=28800 rc=2 gen=0

FG600B-1 (global) # diagnose test application radiusd 21
vd=1 (vdom1) if=port2 addr=10.130.0.191:1813 sock fd=12 rc=1 gen=0

FG600B-1 (global) # diagnose test application radiusd 4
RADIUS server database info [vd vdom1 DB 0 ID 1]:
Database Lock Count:                0
Endpoint Entries (now/max/total):   1/1/1
IP Address Entries (now/max/total): 1/1/1
Missed RADIUS Accounting-Stop:      0
Missed RADIUS Accounting-Start:     0
Lock Queue Length (now/max/total):  0/0/0


- From the client with IP 10.131.2.144, browse the Internet:
   the first DNS packet will match FW policy 4
   the authenticated user's traffic will match FW policy 1 with Group0

FG600B-1 (root) # diag debug flow filter addr 10.131.2.144

FG600B-1 (root) # di debug flow show console enable
show trace messages on console

FG600B-1 (root) # di debug flow show function-name enable
show function name

FG600B-1 (root) # diagnose debug flow show iprope enable
show trace messages about iprope

FG600B-1 (root) # diagnose debug flow trace start 30

FG600B-1 (root) # id=20085 trace_id=1 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 10.131.2.144:1325->172.31.19.1:53) from port1. "
id=20085 trace_id=1 func=init_ip_session_common line=4569 msg="allocate a new session-0098fcb4"
id=20085 trace_id=1 func=iprope_dnat_check line=4633 msg="in-[port1], out-[]"
id=20085 trace_id=1 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.31.19.1 via port17"
id=20085 trace_id=1 func=iprope_fwd_check line=627 msg="in-[port1], out-[port17], skb_flags-00800000, vid-0"
id=20085 trace_id=1 func=__iprope_tree_check line=536 msg="gnum-100004, use addr/intf hash, len=5"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_user_identity_check line=1673 msg="ret-matched"
id=20085 trace_id=1 func=__iprope_check line=2048 msg="gnum-4e20, check-f09c22b0"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1838 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1838 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1838 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check line=2067 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=1 func=get_new_addr line=2763 msg="find SNAT: IP-172.31.16.191(from IPPOOL), port-61741"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2019 msg="policy-4 is matched, act-accept"
id=20085 trace_id=1 func=iprope_fwd_auth_check line=679 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=20085 trace_id=1 func=iprope_reverse_dnat_check line=797 msg="in-[port1], out-[port17], skb_flags-00800000, vid-0"
id=20085 trace_id=1 func=fw_forward_handler line=671 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2550 msg="SNAT 10.131.2.144->172.31.16.191:61741"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"

id=20085 trace_id=2 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.131.2.144:1948->46.105.165.237:80) from port1. flag [S], seq 2863033454, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=4569 msg="allocate a new session-0098fcb5"
id=20085 trace_id=2 func=iprope_dnat_check line=4633 msg="in-[port1], out-[]"
id=20085 trace_id=2 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.31.19.254 via port17"
id=20085 trace_id=2 func=iprope_fwd_check line=627 msg="in-[port1], out-[port17], skb_flags-00800000, vid-0"
id=20085 trace_id=2 func=__iprope_tree_check line=525 msg="gnum-100004, use svc hash, slot=16, len=4"
id=20085 trace_id=2 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=20085 trace_id=2 func=__iprope_user_identity_check line=1673 msg="ret-matched"
id=20085 trace_id=2 func=__iprope_check line=2048 msg="gnum-4e21, check-f09c22b0"
id=20085 trace_id=2 func=__iprope_check_one_policy line=1838 msg="checked gnum-4e21 policy-0, ret-no-match, act-accept"
id=20085 trace_id=2 func=__iprope_check_one_policy line=1838 msg="checked gnum-4e21 policy-1, ret-no-match, act-accept"
id=20085 trace_id=2 func=__iprope_check_one_policy line=1838 msg="checked gnum-4e21 policy-1, ret-matched, act-accept"
id=20085 trace_id=2 func=__iprope_check_one_policy line=2019 msg="policy-1 is matched, act-accept"
id=20085 trace_id=2 func=__iprope_check line=2067 msg="gnum-4e21 check result: ret-matched, act-accept, flag-00200008, flag2-00000000"
id=20085 trace_id=2 func=get_new_addr line=2763 msg="find SNAT: IP-172.31.16.191(from IPPOOL), port-62364"
id=20085 trace_id=2 func=__iprope_check_one_policy line=2019 msg="policy-1 is mid=20085 trace_iid=20085 trace_id=8 func=print_pkt_detail line=4id=20085 trace_iid=20085 trace_id=10 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.131.2.144:1948->46.105.165.237:80) from local. flag [.], seq 562675820, ack 372650008, win 4224"
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0098fcb5, originalid=20085 trace_id=14 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 10.id=20085 trace_i