Franck_G (Staff)
Article Id 198726
Description
In version 6.0.3 the parameter radius-accprofile-override was renamed to ext-auth-accprofile-override, and its behavior also changed.

Up to version 6.0.2, when radius-accprofile-override is enabled on a wildcard user that is associated with a particular profile and a user tries to log in, a VSA Fortinet-Access-Profile value sent by the RADIUS server that does not match any profile configured on the FortiManager/FortiAnalyzer is simply ignored: the user is still allowed to log in with the profile defined for the wildcard user.

Since version 6.0.3 this is not possible anymore, access is denied.


Scope
config system admin profile
    edit "Test_User"
    end

config system admin user
    edit "RadiusUser"
        set profileid "Test_User"
        set adom "root"
        set user_type radius
        set radius_server "TestRadius"
        set wildcard enable
        # on 6.0.2 this setting is named radius-accprofile-override
        set ext-auth-accprofile-override enable
    end

With this configuration the user will actually have no permissions; the purpose is only to show that before v6.0.3 the user is able to log in, whereas in v6.0.3 access is denied.

On the RADIUS server, configure a user, for example "bob", with the VSA Fortinet-Access-Profile = "read-write" (a value that does not match any profile configured on the FortiManager/FortiAnalyzer).


Solution
If you run the following trace, the output differs according to the version:
diag debug enable
diag debug application fnbam 255
v6.0.2 : user logged in
# fam_authenticate_user: User 'bob' not found - using wildcard template
fnbamd_fsm.c,1080,handle_req: Rcvd auth req 854654976 user=bob opt=100 prot=9
add_one_radius: TestRadius
fnbamd_radius.c,866,fnbamd_radius_auth_send: Sent radius req to 10.5.21.135: code=1 id=5 len=80 user="bob" using CHAP
fnbamd_radius.c,244,extract_private_attrs: adom 'root'
fnbamd_auth.c,1294,fnbamd_auth_handle_result: ->Result for radius svr 10.5.21.135(0) is 0
fnbamd_comm.c,117,fnbamd_comm_send_result: Sending result 0 for req 854654976
matched wildcard template: TestRadius -> RadiusUser
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: ignore invalid admin prof override: 'read-write'


v6.0.3 : access denied
# fam_authenticate_user: User 'bob' not found - using wildcard template
fnbamd_fsm.c,1080,handle_req: Rcvd auth req 68747264 user=bob opt=100 prot=9
add_one_radius: TestRadius
fnbamd_radius.c,864,fnbamd_radius_auth_send: Sent radius req to 10.5.21.135: code=1 id=0 len=80 user="bob" using CHAP
fnbamd_radius.c,242,extract_private_attrs: adom 'root'
fnbamd_auth.c,1294,fnbamd_auth_handle_result: ->Result for radius svr 10.5.21.135(0) is 0
fnbamd_comm.c,117,fnbamd_comm_send_result: Sending result 0 for req 68747264
matched wildcard template: TestRadius -> RadiusUser
fam_authenticate_user: remote authentication succeeded
__resolve_admin_prof: invalid override profile: read-write
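The following is an added example, not Fortinet code: it models the profile-resolution rule the two traces above illustrate (an unknown VSA profile falls back to the wildcard user's profile before 6.0.3 and is rejected from 6.0.3 on), gives a pre-upgrade audit that lists VSA values which will start failing, and classifies captured fnbam debug lines by the two outcome messages quoted in this article. The "Super_User" profile and the trace excerpts are constructed for the example; the internal decision logic is a model of the documented behavior, not the device's actual implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Profiles present under 'config system admin profile'. "Test_User" comes from the
# Scope section above; "Super_User" is a constructed extra to show a matching override.
CONFIGURED_PROFILES = {"Test_User", "Super_User"}


@dataclass
class WildcardAdmin:
    """Wildcard admin template, mirroring the 'config system admin user' entry."""
    name: str
    profileid: str
    override_enabled: bool  # ext-auth-accprofile-override (radius-accprofile-override in 6.0.2)


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def resolve_admin_profile(template: WildcardAdmin, vsa_profile: Optional[str],
                          configured_profiles: set, version: str) -> Optional[str]:
    """Return the profile the session gets, or None when login is denied.

    Models the behavior described in the article (assumption, not device code):
    a VSA naming an unknown profile is ignored before 6.0.3 and rejected from 6.0.3 on.
    """
    if not template.override_enabled or vsa_profile is None:
        return template.profileid
    if vsa_profile in configured_profiles:
        return vsa_profile
    if version_tuple(version) < (6, 0, 3):
        return template.profileid  # pre-6.0.3: invalid override ignored, template profile used
    return None  # 6.0.3+: invalid override -> access denied


def vsa_values_denied_after_upgrade(vsa_values, configured_profiles):
    """Pre-upgrade audit: VSA values that stop working once 6.0.3 rejects unknown profiles."""
    return sorted(v for v in set(vsa_values) if v not in configured_profiles)


# The two outcome lines quoted in the article's fnbam traces.
IGNORED_RE = re.compile(r"ignore invalid admin prof override: '([^']+)'")
REJECTED_RE = re.compile(r"invalid override profile: (\S+)")


def classify_trace(lines):
    """Scan 'diag debug application fnbam 255' output and report how the override was handled.

    Returns (outcome, profile_name); outcome is 'override-ignored' (pre-6.0.3 fallback),
    'override-rejected' (6.0.3+ denial) or 'no-override-event'.
    """
    for line in lines:
        m = IGNORED_RE.search(line)
        if m:
            return "override-ignored", m.group(1)
        m = REJECTED_RE.search(line)
        if m:
            return "override-rejected", m.group(1)
    return "no-override-event", None


# Constructed excerpts reproducing the shape of the two traces above.
TRACE_602 = [
    "matched wildcard template: TestRadius -> RadiusUser",
    "fam_authenticate_user: remote authentication succeeded",
    "__resolve_admin_prof: ignore invalid admin prof override: 'read-write'",
]
TRACE_603 = [
    "matched wildcard template: TestRadius -> RadiusUser",
    "fam_authenticate_user: remote authentication succeeded",
    "__resolve_admin_prof: invalid override profile: read-write",
]

if __name__ == "__main__":
    radius_user = WildcardAdmin("RadiusUser", "Test_User", override_enabled=True)
    for ver in ("6.0.2", "6.0.3"):
        print(ver, "bob ->", resolve_admin_profile(radius_user, "read-write", CONFIGURED_PROFILES, ver))
    print("will be denied after upgrade:",
          vsa_values_denied_after_upgrade(["read-write", "Super_User"], CONFIGURED_PROFILES))
    print("6.0.2 trace:", classify_trace(TRACE_602))
    print("6.0.3 trace:", classify_trace(TRACE_603))
```

Before upgrading to 6.0.3, feed the list of Fortinet-Access-Profile values your RADIUS server actually returns into vsa_values_denied_after_upgrade together with the profile names from 'config system admin profile'; every value it reports must either be created as a profile on the device or corrected on the RADIUS side, otherwise those administrators will be locked out after the upgrade.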



Related Articles

Technical Tip: Configure RADIUS for authentication and authorization in FortiManager and FortiAnalyz...
