Role Based Access Control
In Role Based Access Control (RBAC), network administrators and users have varying levels of access to network resources based on their role and on that role’s need to access specific resources. For example, a junior accountant does not require access to the sales presentations or to network user account information.
There are three main parts to RBAC: role assignment, role authorization, and transaction authorization. Role assignment is accomplished when someone in an organization is assigned a specific role by a manager or HR. Role authorization is accomplished when a network administrator creates that user’s RADIUS account and assigns them to the required groups for that role. Transaction authorization occurs when that user logs on and authenticates before performing a task.
RBAC is enforced when FortiOS network users are remotely authenticated via a RADIUS server. For users to authenticate, a security policy must be matched, and that policy only matches a specific group of users. If VDOMs are enabled, the matched group is limited to a specific VDOM. Using this method, network administrators can separate users into groups that match resources, protocols, or VDOMs. It is even possible to limit users to specific FortiGate units if the RADIUS servers serve multiple FortiOS units.
For more information on security policies, see Authentication in security policies on page 502.
Configuring the FortiGate unit to use a RADIUS server
The information you need to configure the FortiGate unit to use a RADIUS server includes:
- the RADIUS server’s domain name or IP address
- the RADIUS server’s shared secret key.
You can optionally specify the NAS IP or Called Station ID. When the FortiGate is configured to use a RADIUS server, the FortiGate acts as a Network Access Server (NAS). If the FortiGate interface has multiple IP addresses, or you want the RADIUS requests to come from a different address, you can specify that address here. If the NAS IP is not included in the RADIUS configuration, the IP address of the FortiGate interface that communicates with the RADIUS server is used instead. Called Station ID applies to carrier networks.
A maximum of 10 remote RADIUS servers can be configured on the FortiGate unit. One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 475.
On the FortiGate unit, the default port for RADIUS traffic is 1812. Some RADIUS servers use port 1645. If this is the case with your server, you can either:
- Re-configure the RADIUS server to use port 1812. See your RADIUS server documentation for more information on this procedure.
or
- Change the FortiGate unit default RADIUS port to 1645 using the CLI:
    config system global
        set radius-port 1645
    end
One wildcard admin account can be added to the FortiGate unit when using RADIUS authentication. This uses the wildcard character to allow multiple admin accounts on RADIUS to use a single account on the FortiGate unit. See Example — wildcard admin accounts – CLI on page 462.
To configure the FortiGate unit for RADIUS authentication – web-based manager:
1. Go to User & Device > Authentication > RADIUS Servers and select Create New.
2. Enter the following information and select OK.
Name: A name to identify the RADIUS server on the FortiGate unit.
Primary Server Name/IP: Enter the domain name (such as fgt.example.com) or the IP address of the RADIUS server.
Primary Server Secret: Enter the server secret key, such as radiusSecret. This can be a maximum of 16 characters long. This must match the secret on the RADIUS primary server.
Secondary Server Name/IP: Optionally, enter the domain name (such as fgt.example.com) or the IP address of the secondary RADIUS server.
Secondary Server Secret: Optionally, enter the secondary server secret key, such as radiusSecret2. This can be a maximum of 16 characters long. This must match the secret on the RADIUS secondary server.
Authentication Scheme: If you know the RADIUS server uses a specific authentication protocol, select it from the list. Otherwise, select Use Default Authentication Scheme. The Default option will usually work.
NAS IP / Called Station ID: Enter the IP address to be used as an attribute in RADIUS access requests. NAS-IP-Address is a RADIUS attribute; if it is not configured, the IP address of the FortiGate interface used to talk to the RADIUS server is sent instead. Called Station ID carries the same value as NAS-IP-Address, but in text format.
Include in every User Group: When enabled, this RADIUS server is automatically included in all user groups. This is useful if all users will be authenticating with the remote RADIUS server.
3. Select OK.
For Mac OS and iOS devices to authenticate, you must use MS-CHAP-v2 authentication. In the CLI, the command is set auth-type ms_chap_v2.
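The same RADIUS server definition entered from the CLI, together with the user group and security policy that tie it back to the role authorization and transaction authorization parts of RBAC described at the top of this section. This is an added example, not configuration from the handbook. The server name rad-primary, the addresses, the secrets, the group name accounting, the address object finance-srv and the policy number 10 are all constructed placeholders. The config match block assumes the RADIUS server returns a group name of Accounting for members of that role; how the server is made to return it is outside this page. Comment lines begin with # and are dropped when pasting into the CLI.

```fortios
# Added example (not from the handbook). All names, addresses and
# secrets below are constructed placeholders.

# Server definition: the CLI equivalent of the web-based manager fields.
config user radius
    edit "rad-primary"
        # Primary Server Name/IP and Primary Server Secret (max 16 characters)
        set server "10.0.0.10"
        set secret "radiusSecret"
        # Secondary Server Name/IP and Secondary Server Secret (optional)
        set secondary-server "10.0.0.11"
        set secondary-secret "radiusSecret2"
        # Authentication Scheme: MS-CHAP-v2, required for Mac OS and iOS clients
        set auth-type ms_chap_v2
        # NAS IP: omit this line to send the address of the egress interface
        set nas-ip 192.0.2.1
        # "Include in every User Group" left disabled so access is scoped per group
        set all-usergroup disable
    next
end

# Role authorization: a FortiGate user group backed by the RADIUS server.
# Assumes the server returns the group name "Accounting" for this role.
config user group
    edit "accounting"
        set member "rad-primary"
        config match
            edit 1
                set server-name "rad-primary"
                set group-name "Accounting"
            next
        end
    next
end

# Transaction authorization: a security policy that only the "accounting"
# group can match. RADIUS users outside that group do not match this policy
# and therefore get no access to the finance server through it.
config firewall policy
    edit 10
        set name "accounting-to-finance-srv"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "finance-srv"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "accounting"
        set logtraffic all
    next
end
```

Keeping all-usergroup disabled and binding the policy to a named group is what makes the role separation effective: a user who authenticates successfully but is not in the Accounting role still fails to match policy 10. Logging all traffic on the policy gives the authentication events and the matched group a place to be reviewed.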