FortiGate
Anthony_E
Community Manager
Article Id 191186

Description
This article describes why an SSL VPN configured for remote LDAP authentication also sends authentication requests to the RADIUS server.

Explanation

SSL VPN authentication rule configuration:

# config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Fortinet_group"
            set portal "Tunnel_access"
            set auth ldap
        next
    end
end

In the above configuration, the authentication method is LDAP, so authentication requests should only be sent to the LDAP server.

When checking the debugs, however, the requests are also forwarded to the RADIUS server.


# diagnose debug reset
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug en


__fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius-server' (all_usergroup enabled)
__fnbamd_rad_send-Sent radius req to server 'radius-server' : fd=16, IP=10.1.1.2(10.1.1.2:1812) code=1 id=74 len=120 user="vpn-test" using PAP

The first line (all_usergroup enabled) shows that RADIUS authentication is enabled for all user groups configured on the FortiGate, which is why the second line shows a request being sent to 'radius-server' even though the rule specifies LDAP.
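To make that reading of the debug output repeatable, here is an added Python example (not Fortinet code) that parses the two fnbamd line formats shown above and reports RADIUS requests that were only sent because a server was pulled in by all-usergroup. The sample lines are constructed from the output above; the IP, user name and ids are illustrative, and the default rule method of ldap is an assumption matching this article's configuration.

```python
import re

# Constructed sample of fnbamd debug output, modelled on the two line formats
# shown in this article (IP, user name and ids are illustrative).
SAMPLE_DEBUG = """\
__fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius-server' (all_usergroup enabled)
__fnbamd_rad_send-Sent radius req to server 'radius-server' : fd=16, IP=10.1.1.2(10.1.1.2:1812) code=1 id=74 len=120 user="vpn-test" using PAP
"""

# "Loading RADIUS server '<name>' (<reason>)": the reason explains why fnbamd
# added the server to the group lookup.
LOAD_RE = re.compile(r"Loading RADIUS server '(?P<server>[^']+)'\s*\((?P<reason>[^)]*)\)")

# "Sent radius req to server '<name>' : fd=N, IP=a.b.c.d(a.b.c.d:port) code=N id=N len=N user="u" using PROTO"
SEND_RE = re.compile(
    r"Sent radius req to server '(?P<server>[^']+)'"
    r".*?IP=(?P<ip>[\d.]+)\((?P=ip):(?P<port>\d+)\)"
    r".*?code=(?P<code>\d+)"
    r".*?id=(?P<id>\d+)"
    r'.*?user="(?P<user>[^"]+)"'
    r".*?using (?P<proto>\w+)"
)


def parse_radius_loads(debug_text):
    """Return (server, reason) for each 'Loading RADIUS server' line."""
    return [(m.group("server"), m.group("reason")) for m in LOAD_RE.finditer(debug_text)]


def parse_radius_sends(debug_text):
    """Return one dict per 'Sent radius req' line, numeric fields converted to int."""
    sends = []
    for m in SEND_RE.finditer(debug_text):
        fields = m.groupdict()
        for key in ("port", "code", "id"):
            fields[key] = int(fields[key])
        sends.append(fields)
    return sends


def servers_pulled_in_by_all_usergroup(debug_text):
    """Names of RADIUS servers fnbamd loaded because all-usergroup is enabled,
    i.e. servers the authentication rule itself did not ask for."""
    return sorted({srv for srv, reason in parse_radius_loads(debug_text)
                   if "all_usergroup enabled" in reason})


def unexpected_radius_requests(debug_text, rule_auth="ldap"):
    """For a rule whose auth method is not radius, list the RADIUS requests that
    were still sent as (server, "ip:port", user). An empty list means the
    all-usergroup fix is in place (or the rule legitimately uses RADIUS)."""
    if rule_auth == "radius":
        return []
    culprits = set(servers_pulled_in_by_all_usergroup(debug_text))
    return [(s["server"], f'{s["ip"]}:{s["port"]}', s["user"])
            for s in parse_radius_sends(debug_text) if s["server"] in culprits]


if __name__ == "__main__":
    for server, target, user in unexpected_radius_requests(SAMPLE_DEBUG):
        print(f"RADIUS request to {server} ({target}) for user {user} despite auth ldap")
```

Feed it the captured output of the debug commands above; once all-usergroup is disabled, the "Loading RADIUS server" line with that reason disappears and the function returns an empty list.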

Solution
Check the Radius configuration:


# config user radius
    edit "radius-server"
        set server "10.1.1.2"
        set secret ENC xx
        set all-usergroup enable
        set source-ip "172.20.4.9"
        set secondary-server "10.1.1.3"
        set secondary-secret ENC xx
    next
end

In the above config, all-usergroup is enabled. This tells the FortiGate to include this RADIUS server in every user group defined on the FortiGate. As a result, this RADIUS server will be used, either alongside the configured method or as the only authentication server, for any user authenticating to the SSL VPN tunnel.

Here is the explanation from the CLI help output shown when typing set all-usergroup ?:


disable    Do not automatically include this server in a user group.
enable     Include this RADIUS server in every user group.

Disable it to avoid unnecessary requests being sent to the RADIUS server.
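The same check can be run against a saved configuration before anyone logs in. The following is an added Python example, not Fortinet code: it parses FortiOS CLI config text into nested dicts, flags RADIUS servers with all-usergroup enable when an SSL VPN authentication rule uses a different method, and prints the CLI that applies the fix described here. The sample config is constructed from the blocks in this article plus a hypothetical second server ("radius-other") that keeps the default (disable), so the audit has something to ignore.

```python
import shlex

# Constructed FortiOS config excerpt: the RADIUS server and SSL VPN rule from
# this article, plus a hypothetical "radius-other" with the default
# all-usergroup setting (disable) to show the audit only reports offenders.
SAMPLE_CONFIG = """\
config user radius
    edit "radius-server"
        set server "10.1.1.2"
        set secret ENC xx
        set all-usergroup enable
        set source-ip "172.20.4.9"
        set secondary-server "10.1.1.3"
        set secondary-secret ENC xx
    next
    edit "radius-other"
        set server "10.1.1.4"
        set secret ENC xx
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Fortinet_group"
            set portal "Tunnel_access"
            set auth ldap
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config user radius' becomes cfg["user radius"]; each 'edit <name>' becomes a
    key under its table; 'set k v' stores v; 'next'/'end' close the current
    level, so sub-tables such as 'config authentication-rule' nest naturally."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and '#config-version' headers
            continue
        parts = shlex.split(line)
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def radius_servers_with_all_usergroup(cfg):
    """RADIUS servers FortiOS will add to every user group (the default is disable)."""
    return sorted(name for name, entry in cfg.get("user radius", {}).items()
                  if entry.get("all-usergroup", "disable") == "enable")


def sslvpn_auth_methods(cfg):
    """Map SSL VPN authentication-rule id -> configured auth method (None if unset)."""
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    return {rule_id: rule.get("auth") for rule_id, rule in rules.items()}


def audit(cfg):
    """Findings (rule id, rule auth, radius server) where a non-RADIUS rule will
    still cause requests to a RADIUS server because of all-usergroup enable."""
    culprits = radius_servers_with_all_usergroup(cfg)
    return [(rule_id, method, srv)
            for rule_id, method in sslvpn_auth_methods(cfg).items()
            if method and method != "radius"
            for srv in culprits]


def remediation_cli(server_names):
    """CLI applying the fix from this article to the given RADIUS servers."""
    lines = ["config user radius"]
    for name in server_names:
        lines += [f'    edit "{name}"', "        set all-usergroup disable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for rule_id, method, srv in audit(cfg):
        print(f"rule {rule_id} (auth {method}) will also query RADIUS server {srv}")
    print(remediation_cli(radius_servers_with_all_usergroup(cfg)))
```

Run it against a `show full-configuration` export; the parser keeps only what the audit needs (it joins multi-word values with spaces), and the generated remediation is itself parseable, which the accompanying checks use to confirm the fix clears the finding.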

After the change, authentication is performed only with the method defined under the SSL VPN authentication rules.
This can be verified using the same debugs:


# diagnose debug reset
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug en