_forti
New Contributor

How to set (VSA) vendor specific attributes in the FreeRADIUS config file?

I am trying to set up FortiGate remote authentication via FreeRADIUS. I have configured FortiGate to redirect user credentials to FreeRADIUS for authentication. This seems to work well. But when RADIUS sends back an accept message to FortiGate, FortiGate does not let the user log in. When I check the FortiGate log, it says that the password is invalid. Here are the logs:

```
(0) Received Access-Request Id 22 from xx.xx.xx.251:22389 to xx.xx.xx.xx5:1812 length 106
(0) NAS-Identifier = "FGT30E3xxxxxxxxx"
(0) User-Name = "myadmin"
(0) User-Password = "admin"
(0) NAS-Port-Type = Virtual
(0) Acct-Session-Id = "0655cea5"
(0) Connect-Info = "admin-login"
(0) Fortinet-Vdom-Name = "root"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "myadmin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry myadmin at line 116
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 22 from xx.xx.xx.5:1812 to xx.xx.xx.x1:22389 length 0
(0) Fortinet-Group-Name = "RadiusGroups"
(0) Fortinet-Access-Profile = "super_admin"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 22 with timestamp +6843
```

FortiGate log:

General Date 07/10/2017 Time 13:42:13 Virtual Domain root Log Description Admin login failed Source IP xx.xx.xx.91 User myadmin Destination IP xx.xx.xx.251 Action Action login Status failed Reason passwd_invalid Security Level Event User Interface https(xx.xx.xx.91) Message Administrator myadmin login failed from https(xx.xx.xx.91) because of invalid password.

I think the issue has something to do with Vendor Specific Attributes (VSA). Basically, I have used [this][1] tutorial. I don't know if there is something obvious I am missing here. Does someone have experience implementing this?

Here is my config file /etc/freeradius/3.0/users:

```
myadmin Cleartext-Password := "admin"
        # Reply-Message := "Welcome, %{User-Name}",
        # fortinet = "12356",
        Fortinet-Group-Name = "RadiusGroups",
        Fortinet-Access-Profile = "super_admin"
```

[1]: http://kb.fortinet.com/kb....do?externalID=FD36127
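As an added illustration (not code from the original post or from Fortinet), here is how the two reply attributes in the users file above travel on the wire: each becomes an RFC 2865 Vendor-Specific attribute (type 26) carrying Fortinet's vendor ID 12356 (the number in the commented-out line), and that is what the FortiGate parses out of the Access-Accept. The vendor-type numbers are those of FreeRADIUS's dictionary.fortinet; the function and constant names are mine.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type "Vendor-Specific"
FORTINET_VENDOR_ID = 12356  # Fortinet's enterprise number, as in the users file above

# Vendor-type numbers of the string VSAs, from FreeRADIUS's dictionary.fortinet
FORTINET_ATTRS = {"Fortinet-Group-Name": 1, "Fortinet-Vdom-Name": 3,
                  "Fortinet-Access-Profile": 6}
FORTINET_NAMES = {num: name for name, num in FORTINET_ATTRS.items()}


def encode_vsa(name, value):
    """Encode one Fortinet string VSA as a Vendor-Specific attribute.

    Wire layout: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length String
    """
    data = value.encode("utf-8")
    vendor_len = 2 + len(data)          # vendor-type + vendor-length + string
    if 6 + vendor_len > 255:            # the outer Length field is one byte
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", FORTINET_ATTRS[name], vendor_len) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner),
                       FORTINET_VENDOR_ID) + inner


def decode_attrs(blob):
    """Walk a RADIUS attribute list and return the Fortinet VSAs as a dict.

    Other attribute types and other vendors are skipped; a length that runs
    past the buffer raises instead of being silently truncated.
    """
    found, pos = {}, 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != FORTINET_VENDOR_ID:
            continue
        vtype, vlen = body[4], body[5]
        if vlen < 2 or 4 + vlen > len(body):
            raise ValueError("malformed Fortinet VSA")
        value = body[6:4 + vlen].decode("utf-8", "replace")
        found[FORTINET_NAMES.get(vtype, "Fortinet-Attr-%d" % vtype)] = value
    return found


def build_page_reply():
    """The two reply attributes from the users file above, as one attribute blob."""
    return (encode_vsa("Fortinet-Group-Name", "RadiusGroups")
            + encode_vsa("Fortinet-Access-Profile", "super_admin"))
```

Running decode_attrs over the bytes of a captured Access-Accept is a quick way to confirm the VSAs the FreeRADIUS debug output claims to send are actually present and correctly framed.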
