Authentication servers
FortiGate units support the use of external authentication servers. An authentication server can provide password checking for selected FortiGate users or it can be added as a member of a FortiGate user group.
If you are going to use authentication servers, you must configure the servers before you configure FortiGate users or user groups that require them.
This section includes the following topics:
l FortiAuthenticator servers l RADIUS servers l LDAP servers l TACACS+ servers l POP3 servers l SSO servers l RSA ACE (SecurID) servers
FortiAuthenticator servers
FortiAuthenticator is an Authentication, Authorization, and Accounting (AAA) server, that includes a RADIUS server, an LDAP server, and can replace the FSSO Collector Agent on a Windows AD network. Multiple FortiGate units can use a single FortiAuthenticator for FSSO, remote authentication, and FortiToken management.
For more information, see the FortiAuthenticator Administration Guide.
RADIUS servers
Remote Authentication and Dial-in User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions. RADIUS clients are built into gateways that allow access to networks such as Virtual Private Network servers, Network Access Servers (NAS), as well as network switches and firewalls that use authentication. FortiGate units fall into the last category.
RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to authenticate users before allowing them access to the network, to authorize access to resources by appropriate users, and to account or bill for those resources that are used. RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting), and listen on either UDP ports 1812 (authentication) and 1813 (accounting) or ports 1645 (authentication) and 1646 (accounting) requests. RADIUS servers exist for all major operating systems.
You must configure the RADIUS server to accept the FortiGate unit as a client. FortiGate units use the authentication and accounting functions of the RADIUS server.
FortiOS does not accept all characters from auto generated keys from MS Windows 2008. These keys are very long and as a result RADIUS authentication will not work. Maximum key length for MS Windows 2008 is 128 bytes. In older versions of FSAE, it was 40 bytes.
Microsoft RADIUS servers
Microsoft Windows Server 2000, 2003, and 2008 have RADIUS support built-in. Microsoft specific RADIUS features are defined in RFC 2548. The Microsoft RADIUS implementation can use Active Directory for user credentials.
For details on Microsoft RADIUS server configurations, refer to Microsoft documentation.
RADIUS user database
The RADIUS user database is commonly an SQL or LDAP database, but can also be any combination of:
l usernames and passwords defined in a configuration file l user account names and passwords configured on the computer where the RADIUS server is installed.
If users are members of multiple RADIUS groups, then the user group authentication timeout value does not apply. See Membership in multiple groups on page 69.
RADIUS authentication with a FortiGate unit
To use RADIUS authentication with a FortiGate unit l configure one or more RADIUS servers on the FortiGate unit l assign users to a RADIUS server
When a configured user attempts to access the network, the FortiGate unit will forward the authentication request to the RADIUS server which will match the username and password remotely. Once authenticated the RADIUS server passes the authorization granted message to the FortiGate unit which grants the user permission to access the network.
The RADIUS server uses a “shared secret” key along with MD5 hashing to encrypt information passed between RADIUS servers and clients, including the FortiGate unit. Typically only user credentials are encrypted. Additional security can be configured through IPsec tunnels by placing the RADIUS server behind another VPN gateway.
RADIUS attribute value pairs
RADIUS packets include a set of attribute value pairs (AVP) to identify information about the user, their location and other information. The FortiGate unit sends the following RADIUS attributes.
FortiOS supported RADIUS attributes
| RADIUS
Attribute |
Name | Description | AVP
type |
| 1 | Acct-Session-ID | Unique number assigned to each start and stop record to make it easy to match them, and to eliminate duplicate records. | 44 |
| 2 | Username | Name of the user being authenticated | 1 |
| 3 | NAS-Identifier | Identifier or IP address of the Network Access Server (NAS) that is requesting authentication. In this case, the NAS is the FortiGate unit. | 32 |
| 4 | Framed-IP-Address | Address to be configured for the user. | 8 |
| 5 | Fortinet-VSA | See Vendor-specific attributes on page 32 | 26 |
| 6 | Acct-Input-Octets | Number of octets received from the port over the course of this service being provided.
Used to charge the user for the amount of traffic they used. |
42 |
| 7 | Acct-Output-Octets | Number of octets sent to the port while delivering this service.
Used to charge the user for the amount of traffic they used. |
43 |
| 8 | NAS-IP-Address | IP address of the Network Access Server (NAS) that is requesting authentication. In this case, the NAS is the FortiGate unit. | 4 |
| 9 | Called-Station-Id | Used to send the telephone number the user called as part of the Access-Request packet. | 30 |
| 10 | Framed-IP-Address | IP address to be configured for the user, by sending the IP address of a user to the RADIUS server in the Access-Request packet. | 8 |
| 11 | Event-Timestamp | Records the time that the event occurred on the NAS. The timestamp is measured in seconds since January 1, 1970 00:00 UTC.
Before the Event-Timestamp attribute can be sent in a packet, make sure that the correct time is set on the FortiGate. |
55 |
| 12 | Class | Used in accounting packets and requests for firewall, WiFi, and proxy authentication. The attribute is returned in Access-Access message and is added to all accounting packets. | 25 |
The following table describes the supported authentication events and the RADIUS attributes that are sent in the RADIUS accounting message.
RADIUS attributes sent in RADIUS accounting message
| RADIUS Attributes | |||||||
| Authentication Method | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| Web | X | X | X | X | |||
| XAuth of IPsec (without
DHCP) |
X | X | X | X | |||
| XAuth of IPsec (with DHCP) | X | X | X | X | X | ||
| PPTP/L2TP (in PPP) | X | X | X | X | X | X | X |
| SSL-VPN | X | X | X | X | X | ||
External captive portal POST message
In external RADIUS captive portal, the captive portal web page is a script that gathers the user’s logon credentials and sends it back to the FortiGate as a POST message. Session URL parameters are sent from the client in a POST messages, and in the redirect. These parameters are separated by & characters (see examples below):
POST message to redirect server:
http://<redirectserver>/index2.php/?login&post=http://192.168.200.1:1000/fgtau th&magic=02050f889bc21644&usermac=54:26:96:16:a2:45&apmac=00:09:0f:b9:f4:c0&ap ip=127.0.0.1&userip=192.168.200.2
POST message back to the FortiGate: http://FGT_IP_addr:1000/fgtauth
The magic text data, provided in the initial FortiGate request to the web server, contains the username, password paramaters:
magic=00050c839182f095&username=<username>&password=<password>
Vendor-specific attributes
Vendor specific attributes (VSA) are the method RADIUS servers and client companies use to extend the basic functionality of RADIUS. Some major vendors, such as Microsoft, have published their VSAs, however many do not.
In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define which VSAs to support. This dictionary is typically supplied by the client or server vendor.
The Fortinet RADIUS vendor ID is 12356.
The FortiGate unit RADIUS VSA dictionary is supplied by Fortinet and is available through the Fortinet Knowledge Base (http://kb.forticare.com) or through Technical Support. Fortinet’s dictionary for FortiOS 4.0 and up is configured this way:
##
Fortinet’s VSA’s
#
VENDOR fortinet 12356
BEGIN-VENDOR fortinet
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
#
# Integer Translations
#
END-VENDOR Fortinet
Note that using the Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate unit. See the documentation provided with your RADIUS server for configuration details.
RADIUS CoA support
As of FortiOS 5.4, RADIUS Change of Authorization (CoA) settings can be configured via the CLI. CoA is a common feature in user authentication that provides the ability to change authentication attributes for sessions even after they have authenticated.
User, user group, and captive portal authentication supports RADIUS CoA, when the back end authentication server is RADIUS. The main use case of this feature is with external captive portal, where it can be used to disconnect hotspot users when their time, credit, or bandwidth has been used up.
The commands below control CoA settings.
- Set the name of the FortiAP connected to the FortiGate as a location identifier.
config system global set alias <name>
- Set URL of external authentication logout server.
config vdom edit root config wireless-controller vap edit <example> set security captive-portal set external-logout
- Set URL of external authentication logout server config vdom edit root config system interface edit <example> set security captive-portal set security-external-logout
- Set class name(s) included in an Access-Accept message.
config vdom edit root config user radius edit accounting set class <“A1=aaa” “B2=bbb” “C3=ccc”>
Role Based Access Control
In Role Based Access Control (RBAC), network administrators and users have varying levels of access to network resources based on their role, and that role’s requirement for access specific resources. For example, a junior accountant does not require access to the sales presentations, or network user account information.
There are three main parts to RBAC: role assignment, role authorization, and transaction authorization. Role assignment is accomplished when someone in an organization is assigned a specific role by a manager or HR. Role authorization is accomplished when a network administrator creates that user’s RADIUS account and assigns them to the required groups for that role. Transaction authorization occurs when that user logs on and authenticates before performing a task.
RBAC is enforced when FortiOS network users are remotely authenticated via a RADIUS server. For users to authenticate, a security policy must be matched. That policy only matches a specific group of users. If VDOMs are enabled, the matched group will be limited to a specific VDOM. Using this method network administrators can separate users into groups that match resources, protocols, or VDOMs. It is even possible to limit users to specific FortiGate units if the RADIUS servers serve multiple FortiOS units.
For more information on security policies, see Authentication in security policies on page 83.
RADIUS password encoding
Certain RADIUS servers use ISO-8859-1 password encoding instead of others such as UTF-8. In these instances, the server will fail to authenticate the user, if the user’s password is using UTF-8.
CLI syntax
config user radius edit <example> set password-encoding <auto | ISO-8859-1>
end
This option will be skipped if the auth-type is neither auto nor pap.