Purpose
This article describes how to configure FortiManager/FortiAnalyzer for RADIUS authentication and authorization using access profile override, ADOM override and Vendor Specific Attributes (VSA) on RADIUS side.
Scope
Expectations, Requirements
Example Task:
The following directory users, members of the group “fmg_faz_admins”, should be granted different permissions in FortiManager/FortiAnalyzer based on their RADIUS attributes:
- user1 – “read-write” permissions for all sections of ADOMs “TEST1” and “TEST2”
- user2 – “read-only” permissions for all sections of ADOM “TEST2”
- All other users – should have no access to FortiManager/FortiAnalyzer
Configuration
FMG/FAZ Configuration:
1) Configure a remote server object.
Test RADIUS server connection and validate user name and password.
2) Create the admin profiles, as required
For this example the following profiles are needed:
3. Create ADOM “EMPTY” under System Settings -> All ADOMs -> Create New, this will be used as default in the wildcard admin user.
- Alternatively, any existing empty ADOM may be used
RADIUS side configuration:
The examples below are added mostly to explain the logic of the FMG/FAZ config and may differ depending on the specific server version.
For further details please refer to the technical documentation of the RADIUS server vendor.
The following part of the VSA dictionary is used with FMG/FAZ:
1. FortiAuthenticator (5.2)
This example includes local users that were created beforehand. For more details, please refer to the FortiAuthenticator Administration Guide.
Create new client for FortiManager:
Create the group allowing authentication to FMG/FAZ.
Add the “Fortinet-Group-Name” attribute with value “fmg_faz_admins”.
Select the users that will have FMG/FAZ access.
Modify the users in order to assign the access profiles and ADOM permissions, as defined above:
- user1 – “read-write” permissions for all sections of ADOMs “TEST1” and “TEST2”
- user2 – “read-only” permissions for all sections of ADOM “TEST2”
Test and refer to the Troubleshooting section below in case of issues.
2. FreeRADIUS
3. Windows server 2016
In NPS the VSAs are defined in the Network Policies, where the conditions can contain only group match (not single user).
The test scenario can be configured in different ways, but for this demonstration 4 groups* will be used:
- fmg_faz_RW
- fmg_faz_RO
- fmg_faz_TEST1
- fmg_faz_TEST2
*There is no need to actually configure the common “fmg_faz_admins” group in AD. It can be assigned only as VSA in the policies matching these 4 groups.
user1 – Member Of - fmg_faz_RW, fmg_faz_TEST1 and fmg_faz_TEST2
user2 – Member Of - fmg_faz_RO and fmg_faz_TEST2
Troubleshooting
The following CLI commands are used for troubleshooting admin login issues on FortiManager/FortiAnalyzer:
All OK:
This article describes how to configure FortiManager/FortiAnalyzer for RADIUS authentication and authorization using access profile override, ADOM override and Vendor Specific Attributes (VSA) on RADIUS side.
Scope
The CLI examples are universal for all covered firmware versions. Note: The GUI screenshots are from v6.0: although the menus look different in the older versions, the settings are the same.
Expectations, Requirements
Example Task:
The following directory users, members of the group “fmg_faz_admins”, should be granted different permissions in FortiManager/FortiAnalyzer based on their RADIUS attributes:
- user1 – “read-write” permissions for all sections of ADOMs “TEST1” and “TEST2”
- user2 – “read-only” permissions for all sections of ADOM “TEST2”
- All other users – should have no access to FortiManager/FortiAnalyzer
Configuration
FMG/FAZ Configuration:
1) Configure a remote server object.
# config system admin radius
edit "fac.test.lab" <----- Name of the server object.
set server "10.109.19.6" <----- RADIUS server IP address.
set port 1812 <----- RADIUS server port.
auth-type chap <----- {any|pap|chap|mschap2}.
set secret @Rad1us#Secr3T
next
end
Test RADIUS server connection and validate user name and password.
2) Create the admin profiles, as required
For this example the following profiles are needed:
# config system admin profileedit "none" <----- 'none' will be used as default profile for the wildcard admin userend
next <----- in 5.0 and 5.2, profile with no permissions can be created only via CLI
edit "read-write"
set system-setting read-write
set adom-switch read-write
set global-policy-packages read-write
set assignment read-write
set read-passwd none
set intf-mapping read-write
set device-manager read-write
set device-config read-write
set device-op read-write
set device-wan-link-load-balance read-write
set device-ap read-write
set device-forticlient read-write
set device-fortiswitch read-write
set device-profile read-write
set policy-objects read-write
set deploy-management read-write
set import-policy-packages read-write
set config-retrieve read-write
set config-revert read-write
set term-access read-write
set adom-policy-packages read-write
set vpn-manager read-write
set realtime-monitor none
set consistency-check read-write
set fgd_center read-write
set fgd-center-licensing read-write
set fgd-center-fmw-mgmt read-write
set fgd-center-advanced read-write
set log-viewer read-write
set report-viewer read-write
set event-management read-write
next
edit "read-only"
set system-setting read
set adom-switch read
set global-policy-packages read
set assignment read
set read-passwd none
set intf-mapping read
set device-manager read
set device-config read
set device-op read
set device-wan-link-load-balance read
set device-ap read
set device-forticlient read
set device-fortiswitch read
set device-profile read
set policy-objects read
set deploy-management read
set import-policy-packages read
set config-retrieve read
set config-revert read
set term-access read
set adom-policy-packages read
set vpn-manager read
set realtime-monitor none
set consistency-check read
set fgd_center read
set fgd-center-licensing read
set fgd-center-fmw-mgmt read
set fgd-center-advanced read
set log-viewer read
set report-viewer read
set event-management read
next
3. Create ADOM “EMPTY” under System Settings -> All ADOMs -> Create New, this will be used as default in the wildcard admin user.
- Alternatively, any existing empty ADOM may be used
4.
Create a wildcard admin user (the settings in bold are available only via CLI).
config system
admin user
edit "raduser"
<- name of
the admin object
set profileid "none"
<- the
profile “none” from step 2
set adom "EMPTY"
<-
the empty ADOM from step 3
set policy-package "all_policy_packages"
set user_type radius
set radius_server
"fac.test.lab"
<-
name of the server object
set wildcard
enable
set radius-accprofile-override
enable <- command updated since versions
5.6.6 / 6,0.3 see bellow
set radius-adom-override
enable <- command
updated since versions 5.6.6 / 6.0.3 see bellow
set radius-group-match
"fmg_faz_admins" <- only users
belonging to this group will be able to login * (command updated since versions
5.6.6 / 6.0.3 see below)
next
end
* If not configured, all users on the RADIUS server will be able to login to FMG/FAZ and will receive access to adom "EMPTY" and permissions defined by profileid "none"
Note: FortiManager/FortiAnalyzer up to version 5.6.3 allows only one wildcard user account. As of versions 5.6.4 / 6.0.0 , multiple wildcard administrators can be configured.
Note: As of versions
5.6.6 / 6.0.3 the admin user CLI syntax was changed as follows:
set
radius-accprofile-override => set ext-auth-accprofile-override
set radius-adom-override =>
set ext-auth-adom-override
set radius-group-match =>
set ext-authgroup-match
RADIUS side configuration:
The examples below are added mostly to explain the logic of the FMG/FAZ config and may differ depending on the specific server version.
For further details please refer to the technical documentation of the RADIUS server vendor.
The following part of the VSA dictionary is used with FMG/FAZ:
VENDOR Fortinet 12356For a complete list of Fortinet RADIUS attributes please refer to Technical Note: Fortinet RADIUS attribute.
ATTRIBUTE Fortinet‐Group‐Name 1 string
ATTRIBUTE Fortinet‐Vdom‐Name 3 string
ATTRIBUTE Fortinet‐Access‐Profile 6 string
1. FortiAuthenticator (5.2)
This example includes local users that were created beforehand. For more details, please refer to the FortiAuthenticator Administration Guide.
Create new client for FortiManager:
Create the group allowing authentication to FMG/FAZ.
Add the “Fortinet-Group-Name” attribute with value “fmg_faz_admins”.
Select the users that will have FMG/FAZ access.
Modify the users in order to assign the access profiles and ADOM permissions, as defined above:
- user1 – “read-write” permissions for all sections of ADOMs “TEST1” and “TEST2”
- user2 – “read-only” permissions for all sections of ADOM “TEST2”
Test and refer to the Troubleshooting section below in case of issues.
2. FreeRADIUS
2.1. Add client configuration for the FMG/FAZ (etc/raddb/clients.conf or /etc/freeradius/clients.conf)#2.2. Verify that the following attributes are defined in the “dictionary.fortinet” file (/usr/local/share/freeradius/dictionary.fortinet)
client fmg_faz {
ipaddr = 10.5.28.95
secret = 123456789
}
##
VENDOR Fortinet 12356
#
BEGIN‐VENDOR Fortinet
#
ATTRIBUTE Fortinet‐Group‐Name 1 string
ATTRIBUTE Fortinet‐Vdom‐Name 3 string
ATTRIBUTE Fortinet‐Access‐Profile 6 string
#
END‐VENDOR FortinetThese are the attributes used in FMG/FAZ.2.3. Add the line below to the master dictionary (/etc/raddb/dictionary or /etc/freeradius/dictionary)
If the same server will be used with other Fortinet products, the full list of RADIUS attributes is available under Technical Note: Fortinet RADIUS attribute.#2.4. Set the RADIUS attributes in the “users” file (/etc/raddb/users or /etc/freeradius/users)
$INCLUDE /usr/share/freeradius/dictionary.fortinet
##2.5. Test and refer to the Troubleshooting section below in case of issues.
user1 Auth-Type = Local, Password := “1user234567”
Fortinet-Access-Profile = “read-write”
Fortinet-Vdom-Name = “TEST1”
Fortinet-Vdom-Name += “TEST2” <---- # For multiple attributes of the same type, after the first one, use the operator “+=” to add the value to the reply items
Fortinet-Group‐Name = “fmg_faz_admins”
.
.
#
user2 Auth-Type = Local, Password := “2user345678”
Fortinet-Access-Profile = “read-only”
Fortinet-Vdom-Name = “TEST2”
Fortinet-Group‐Name = “fmg_faz_admins”
.
.
#
3. Windows server 2016
In NPS the VSAs are defined in the Network Policies, where the conditions can contain only group match (not single user).
The test scenario can be configured in different ways, but for this demonstration 4 groups* will be used:
- fmg_faz_RW
- fmg_faz_RO
- fmg_faz_TEST1
- fmg_faz_TEST2
*There is no need to actually configure the common “fmg_faz_admins” group in AD. It can be assigned only as VSA in the policies matching these 4 groups.
user1 – Member Of - fmg_faz_RW, fmg_faz_TEST1 and fmg_faz_TEST2
user2 – Member Of - fmg_faz_RO and fmg_faz_TEST2
3.1. Create new RADIUS Client to allow the FMG/FAZ to access the server
3.2. Create a "Network Policy" to "Grant Access" R/W to both TEST1 and TEST2 ADOMs
Note: The groups should be configured as separate conditions of type "Windows Groups" or "User Groups".
3.3. Open the policy properties -> Settings -> Vendor Specific -> Add…
3.4. In "Vendor" -> Custom. Then under "Attributes" -> Vendor specific -> Add…
3.5. In the "Attribute Information" dialog box -> Add…
3.6. In "Specify network access server vendor", choose "Enter Vendor Code", type "12356", and select "Yes, it conforms" to the RADIUS RFC
-> Configure Attribute…
3.7. For the "group-match" attribute configure:
- Attribute number = 1 (meaning “Fortinet‐Group‐Name”)
- Attribute Format = String
- Value = “fmg_faz_admins” (exactly matching the group defined in step 4 of the FMG/FAZ configuration)
-> OK -> OK
3.8. Add the attributes for the admin profile:
-> Add…:
- Attribute number = 6 (meaning “Fortinet‐Access‐Profile”)
- Attribute Format = String
- Value = “read-write” (exactly matching the admin profile defined in step 2 of the FMG/FAZ configuration)
-> OK -> OK
-> Add…:
- Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
- Attribute Format = String
- Value = “TEST1” (exactly matching the ADOM name)
-> OK -> OK
-> Add…:
- Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
- Attribute Format = String
- Value = “TEST2” (exactly matching the second ADOM name)
-> OK -> OK
At this point the "Attribute Information" dialog should be looking like this:
-> OK -> OK, then proceed with the next policy.
3.9. Create a "Network Policy" to "Grant Access" R/O to TEST2 ADOM
Note: The groups should be configured as separate conditions of type "Windows Groups" or "User Groups"
3.10. Repeat the steps from 2.3. to 2.8 but adding different attributes according to the policy purpose.
For this task, we’ll need the following attributes:
-> Add… the attribute for the group:
- Attribute number = 1 (meaning “Fortinet‐Group‐Name”)
- Attribute Format = String
- Value = “fmg_faz_admins” (exactly matching the group defined in step 4 of the FMG/FAZ configuration)
-> OK -> OK.
-> Add… the next attribute for the admin profile:
- Attribute number = 6 (meaning “Fortinet‐Access‐Profile”)
- Attribute Format = String
- Value = “read-only” (exactly matching the admin profile defined in step 2 of the FMG/FAZ configuration)
-> OK -> OK.
-> Add… the next attribute for the admin profile:
- Attribute number = 3 (meaning “Fortinet‐Vdom‐Name”)
- Attribute Format = String
- Value = “TEST2” (exactly matching the ADOM name)
-> OK -> OK.
At this point the "Attribute Information" dialog should be looking like this:
-> OK -> OK.
3.11. Test and refer to the Troubleshooting section below in case of issues.
Troubleshooting
The following CLI commands are used for troubleshooting admin login issues on FortiManager/FortiAnalyzer:
# diag debug application fnbam 255Since version 6.4.5.
# diag debug enable
# diagnose debug application auth 8When done, don’t forget to reset and disable the debug:
# diagnose debug en
# diag debug resetOutput Samples:
# diag debug disable
All OK:
fam_authenticate_user: User 'user1' not found - using wildcard templateGroup mismatch:
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'
fam_authenticate_user: User 'user3' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1338179584 for user3 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=19 len=89 user="user3" using CHAP
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1338179584
only admin belongs to group 'fmg_faz_admins' can login
fam_authenticate_user: remote authentication failed/incomplete, rc=1
The string under “set radius-group-match” doesn’t match the value of from the RADIUS server.Admin profile mismatch:
GUI returns error: “Authentication failure. Please try again...”
fam_authenticate_user: User 'user1' not found - using wildcard templateADOM name mismatch:
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 762642432 for user1 in fac.test.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=12 len=90 user="user1" using CHAP
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST1'
fnbamd_radius.c[247] extract_private_attrs- adom 'TEST2'
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 762642432
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'
The RADIUS user is authenticated, but has no admin profile attribute, or it is set to a profile that doesn’t exist on FMG/FAZ.
The admin profile “none” is applied and the GUI returns a “No Permission” error after login (the older versions may display blank page instead of error).
fam_authenticate_user: User 'user1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1309736960 for user1 in fac.triton.lab opt=29 prot=9
fnbamd_radius.c[871] fnbamd_radius_auth_send-Sent radius req to 10.109.19.6: code=1 id=18 len=89 user="user1" using CHAP
fnbamd_radius.c[243] extract_private_attrs- adom 'TEST1' skipped: not exist
fnbamd_radius.c[243] extract_private_attrs- adom 'TEST2' skipped: not exist
fnbamd_auth.c[1332] fnbamd_auth_handle_result-->Result for radius svr 10.109.19.6(0) is 0
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1309736960
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: apply admin prof override: 'read-write'
The RADIUS user is authenticated, but has no VDOM/ADOM attribute or there is no such ADOM on FMG/FAZ.
So the user is routed to ADOM “EMPTY” and assigned admin profile 'read-write'.
