EN 
 
www.SAMURAJ-cz.com 
30.11.2025 Ondřej WELCOME IN MY WORLD
 
 
Petr Bouška
SAMURAJ-cz.com
IT Manager OKsystem
Veeam Vanguard
View profile

This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Tento článek si můžete zobrazit v originální české verzi. You can view this article in the original Czech version.
FortiGate autentizace RADIUS, skupiny a MS NPS

FortiGate RADIUS authentication, groups and MS NPS

| Petr Bouška - Samuraj |
The article builds on the previous descriptions of user authentication and adds authentication against an external RADIUS server. We can also use it for users in the Microsoft domain (Active Directory Domain Services), for example for authentication to SSL VPN. Let's take a brief look at the Network Policy Server (NPS) configuration. Mainly on the way to transfer information about the user's inclusion in the group.
displayed: 14 081x (6 301 CZ, 7 780 EN) | Comments [3]

Note: The description in the article is based on a FortiGate FG-300E with FortiOS version 6.2.8. It is configured as a FGCP cluster and uses VDOM.

Authentication on a RADIUS server

Similarly to how we can authenticate users against an LDAP server, we can also use RADIUS. We can, for example, authenticate users of an Active Directory domain using the Microsoft Network Policy Server (NPS). We can place all authenticated users in a single remote group. Or, similar to the case of LDAP, we can assign users to a specific group based on data from the RADIUS server.

Defining a RADIUS server

  • (VDOM) > User & Device > RADIUS Servers

We create a new RADIUS server by clicking the Create New button.

  • Name - name the server on the FortiGate
  • Authentication method - using Specify we can select the method to use, Default tries them all in succession
  • NAS IP - the Network Access Server IP is the address of the FortiGate from which it connects to the RADIUS, if left blank, the address of the interface that communicates with the RADIUS server will be used, if filled in, it will also be inserted into the Called-Station-ID (Called Station Identifier) and NAS-IP-Address (NAS IPv4 Address) attributes of the request sent
  • Include in every user group - if enabled, the RADIUS server will be included in all user groups
  • IP/Name - enter the IP address or FQDN of the RADIUS server
  • Secret - enter the shared secret (Shared Secret), also referred to as the Pre-Shared Key (PSK), which is set on the RADIUS server and is used for authentication, maximum 16 characters (the GUI documentation states, but the CLI does not specify)
FortiGate RADIUS Servers

For testing, we can use the buttons

  • Test Connectivity - tests the connection to the RADIUS server, tries to authenticate the user test01 (it doesn't matter if the authentication fails, but the entire process is verified)
  • Test User Connectivity - enter the user's login credentials and the authentication on the RADIUS server will be performed, the server's response (returned attributes) will also be displayed

Note: I couldn't find information on whether it's better for redundancy to define two separate RADIUS servers, or to use one and specify it as both the Primary Server and Secondary Server.

Additional configuration using the CLI

Various other parameters can be defined in the CLI. For example, by default, port 1812 is used for the server. If our RADIUS server uses a different port, like 1645, we need to set it.

config user radius
  edit <name>
    set radius-port 1645
  next
end

There is an option here that I was looking for with the LDAP server. If we are using VDOM, by default the communication goes out from the current VDOM, but we can change it to send from the management VDOM. We don't need to create a policy to allow communication with the RADIUS.

    set use-management-vdom enable

The command line also has other items for outgoing communication settings that I didn't try, source-ip and interface-select-method.

Creating a group that includes a remote group from RADIUS

  • (VDOM) > User & Device > User Groups

We create a group (Create New) of type Firewall

  • under Remote Groups click Add
  • select our created RADIUS server (Remote Server)
  • if we leave the Group as Any, all authenticated accounts on this RADIUS server will be members of this group
  • or choose Specify and enter the group name (there can be multiple) that RADIUS sends in the Fortinet-Group-Name attribute
FortiGate User Groups - RADIUS

Multiple RADIUS servers

If we have multiple RADIUS servers, we can add them all to the group and select the same group on them. This will ensure higher availability. We can even combine remote servers of different types. If we have an LDAP server defined and want to switch to RADIUS, we can simply add the RADIUS to the existing group. Then we won't be able to tell from the group name where the user was authenticated. If we create a new group (for a different authentication type), it will have a different name.

Multiple authentication mechanisms

If we have multiple authentication mechanisms defined, they are tried in the order POP3, RADIUS, TACACS+, LDAP, local users. The first successful authentication is used and the group assignment is based on it.

So if we have a group created with a source via LDAP and another via RADIUS, and both groups are set in the VPN (in the configuration and FW policy), the RADIUS one will be used first. If everything is fine, the RADIUS group will always be returned when logging into the VPN, and the LDAP one won't be reached.

Vendor Specific Attribute (VSA)

The group name is passed from the RADIUS server to the FortiGate using the RADIUS Vendor Specific Attribute (VSA). Fortinet Vendor ID is 12356. List of Fortinet attributes (VSA Directory) Technical Tip: Fortinet RADIUS attribute. The one we are interested in is

ATTRIBUTE   Fortinet-Group-Name                           1 string

Troubleshooting (debug) RADIUS

We can try to authenticate by entering the user's name and password against the defined server. Using the GUI in the RADIUS server edit and the Test User Connectivity button. Or using the CLI command.

diagnose test authserver radius <RADIUS server_name> <authentication method> <username> <password>

Example

FW1 (FWINT) # diagnose test authserver radius RADIUS mschap2 bouska Heslo
authenticate 'bouska' against 'mschap2' succeeded, server=primary assigned_rad_session_id=228953860 session_timeout=0 secs
 idle_timeout=0 secs!
Group membership(s) - G VPN 1

We can also directly verify (without defining the server) using CLI.

diagnose test authserver radius-direct <name or IP> <port number> <secret> <authentication method> <username> <password>

Example

FW1 (FWINT) # diagnose test authserver radius-direct 192.168.10.10 1812 PSK mschap2 bouska Heslo
RADIUS server '192.168.10.10' status is OK
Access-Accept
AVP: l=17 t=Vendor-Specific(26) v=Fortinet(12356)
VSA: l=11 t=Fortinet-Group-Name(1)
Value: 'G VPN 1'
...

To troubleshoot issues, it's a good idea to enable debug mode for Remote user authentication (fnbamd is the Fortinet non-blocking authentication daemon). This applies to a number of authentication methods (not just RADIUS), so we may get a lot of output.

diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

Example of selected lines from the output

__fnbamd_rad_send-Sent radius req to server 'RADIUS': fd=14, IP=192.168.10.10(192.168.10.10:1812) code=1 id=49 len=186
 user="bouska" using MS-CHAPv2
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val G VPN 1
fnbamd_auth_handle_radius_result-->Result for radius svr 'RADIUS' 192.168.10.10(1) is 0
fnbamd_radius_group_match-Passed group matching

The final value of 0 means authentication success, 1 would be authentication failed.

To disable debug mode, we can use

diagnose debug disable
diagnose debug reset

Microsoft Network Policy Server (NPS)

Just a brief description of setting up Microsoft NPS as a RADIUS server for FortiGate.

  • RADIUS Clients and Servers - RADIUS Clients - we create a FortiGate client, enter the name, address, Shared Secret
  • Connection Request Policies - the default Use Windows authentication for all users may be sufficient for us

Network Policies

The main part is creating one or more (for different groups) Network Policies. Only the main options are mentioned here.

  • Policies - Network Policies - New
  • Overview - Policy Enabled, Grant Access
  • Conditions - add a condition
    • Client Friendly Name - name of the defined RADIUS Client
    • Windows Groups - find the required group in the AD DS
  • Constraints - choose Authentication Methods
  • Settings - Vendor Specific - Add
Network Policy Server - Network Policies - Vendor Specific 1

Vendor Specific Attribute

In the policy, we need to create a VSA and enter the group name.

  • in the list, find the attribute named Vendor-Specific and add Add
  • add a value by clicking Add
  • enter Enter Vendor Code 12356
  • check Yes. It conforms
  • click Configure Attributes
  • number 1, format String, value group name
Network Policy Server - Network Policies - Vendor Specific 2
Author:

Related articles:

Fortinet FortiGate and more

Fortinet security solutions. Mostly focused on the Next Generation Firewall (NGFW) FortiGate. Configuration of FW, policies, NAT, but also VPN and authentication options. Marginally working with logs using FortiAnalyzer and with clients using FortiClient EMS.

Security

Security tools. Primarily Firewall and the like.

If you want write something about this article use comments.

Comments
  1. [1] SH

    Docela by mne zajímalo, jestli existuje nějaká možnost, jak ověřit běžný uživatelský počítač na RADIUS serveru, aniž by bylo nutné konfigurovat 802.1X na straně L2 přepínače?

    Dle všeho se zdá, že nikoliv, tak mám jako proof-of-concept nachystaný vlastní RSSO agent pro Fortinet v C# jako náhradu za nespolehlivé FSSO, ale šéfovi se to moc nezamlouvá, že je to nějaké nestandardní udělátko a raději by měl nasazené něco, co je běžně k dispozici...

    Monday, 19.07.2021 14:03 | answer
  2. [2] mat22

    respond to [1]SH:

    Ahoj, tak co třeba Forticlineta na koncové stanici zapojeneého přes EMS server (nastavit si profil a politiky/pravidla) a propojen s Fortigate a přes policy omezit přístupy do jiných segmentů sítě. Lze i dynamickými tagy.

    Tuesday, 20.07.2021 19:58 | answer
  3. [3] Honza K.

    Pokud je zapnutá direktiva "Include in every user group", tak vzdálený RADIUS se nepropíše explicitně do už existujících skupin (a správce si toho nevšimne), ale i přesto se Fortigate pak odvolává i na RADIUS, přestože je skupina vázaná na LDAP.

    Pozor také na dřívější (negativní) odpověď LDAP nebo RADIUS. Pokud existuje účet duplicitně, nebo je např. na RADIUS zakázán, bude zamítnuto i přihlášení, protože o pár milisekund dříve dorazila negativní přihlašovací informace od RADIUS, než od LDAP - Fortigate při ověřování posílá žádosti na LDAP i RADIUS současně.

    Tedy - mám-li na FG definován LDAP i RADIUS, určitě tohle nezapínat, přidělá to hodně starostí.

    Friday, 16.09.2022 15:44 | answer
Add comment

Insert tag: strong em link

Help:
  • maximum length of comment is 2000 characters
  • HTML tags are not allowed (they will be removed), you can use only the special tags listed above the input field
  • new line (ENTER) ends paragraph and start new one
  • when you respond to a comment, put the original comment number in squar brackets at the beginning of the paragraph (line)