Radius user group mapping problem

Author: yugiohx
2018/08/05 23:15:42

Hello everybody,
I have a Fortinet VM-64 (version v5.4.7, build 6446) providing SSLVPN service.
My customer provides a RADIUS server for SSLVPN authentication.
But their RADIUS server can't return group information when doing authentication.
So I created many accounts with RADIUS authentication on the VM-64 and mapped them to different groups.
But there is a problem with the group mapping.
When a client uses an account which exists on the RADIUS server but doesn't exist on the VM-64 to log in to SSLVPN, the login succeeds and the user is mapped to the group of the first account in the account list.
For example:
-----------------
I have two accounts on the VM-64.
AAA in radius is group-X  (It's the first account in the list)
BBB in radius is group-Y

There are three accounts on the RADIUS server. (Because the RADIUS server is not only for SSLVPN)
AAA
BBB
CCC

When a client uses CCC to log in to SSLVPN, the login succeeds and he is mapped to group-X.
-------------------
Because different groups have different access control lists, this is a security issue.
And it's strange to map an account which doesn't exist to an existing group.
It looks like a vulnerability or a program logic error in the authentication?
Could you kindly give me some suggestions to resolve it?
Thanks a lot : )
#1

    xsilver_FTNT
    Re: Radius user group mapping problem 2018/08/06 00:23:29
    Hi,
    to be honest I do not understand your config.
    But if you have SSLVPN bound to a firewall user group which contains (is bound to) a RADIUS server,
    then the login of CCC is authenticated against the RADIUS server, not against your local users on the FGVM-64 (as there is no CCC user).
    If you mix local users and a RADIUS server in a single user group ...
    config user group
    edit "SOME-GROUP"
    set member "AAA" "BBB" "RADIUS-SERVER"
    next
    end
     
    .. then local users like AAA or BBB are checked first (so if there is an AAA user on RADIUS-SERVER it will not be checked, as a local AAA user exists and local users have preference).
    If there is no local user, then anyone else is passed on and tried against RADIUS-SERVER .. and if the server replies Access-Accept, the user is authenticated and allowed to pass through.
     
    If you want to drive group membership for SSL VPN and divide users into groups according to their presence on the RADIUS server, then check the RADIUS group match feature of FortiOS (a similar feature exists for LDAP).
    More on http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36464
     

    Kind Regards,
    Tomas
    #2
    yugiohx
    Re: Radius user group mapping problem 2018/08/06 01:54:32
    xsilver_FTNT wrote: (quoting reply #2 above)
     
    Thanks for the reply, and sorry for not describing my config.
    In this situation there are about 300 accounts on the RADIUS server, but only 50 accounts need SSLVPN.
    And for some reason the RADIUS server admin can't divide the accounts on the RADIUS server by whether they need SSLVPN or not.
    What I want to do is check the username and password via the RADIUS server, and map the group on the FortiGate.
    So I configured it on the FortiGate the same way I do on the Juniper SSLVPN:
    1. set a RADIUS server
    2. create some groups
    3. create many accounts with RADIUS authentication, and map them to groups.
     
     
    Is this config approach not functional on FortiGate?
    #3
    xsilver_FTNT
    Re: Radius user group mapping problem 2018/08/06 04:57:19
    Hi,
     
    if the RADIUS admin can add the AVP Fortinet-Group-Name to some specific user accounts, it would be enough to divide them by use of RADIUS group match.
     
    If you are unable to convince the RADIUS admin to change the config, then what should work is:
    config user radius
    edit "RADIUS-SERVER"
    set server "10.10.10.69"
    set secret SuperSecretPassword
    next
    end
     
    config user local
    edit "userrad-1"
    set type radius
    set radius-server "RADIUS-SERVER"
    next
    end
     
    config user group
    edit "RADIUS-GRP"
    set member "userrad-1" "userrad-2"
    next
    end


    config vpn ssl settings
    ... other ssl settings you have
    config authentication-rule
    edit 1
    set groups "RADIUS-GRP"
    set portal "full-access"
    next
    end
    end

    Kind Regards,
    Tomas
    #4
    yugiohx
    Re: Radius user group mapping problem 2018/08/06 18:31:26
    Hi, thanks for your reply.
    My config is set up as in your second solution.
    But a problem comes out.
    For example:
     
    I have created only 2 users and 2 groups, like above.
     
    config user local
    edit "userrad-1"
    set type radius
    set radius-server "RADIUS-SERVER"
    next
    end
     
    config user local
    edit "userrad-2"
    set type radius
    set radius-server "RADIUS-SERVER"
    next
    end

    config user group
    edit "RADIUS-GRP1"
    set member "userrad-1"
    next
    end
     
    config user group
    edit "RADIUS-GRP2"
    set member "userrad-2"
    next
    end
     
    But if there is a userrad-3 on the RADIUS server, a client can use userrad-3 to log in to SSLVPN, and is recognized as RADIUS-GRP1.
    That makes it look like a security issue....
    #5
    xsilver_FTNT
    Re: Radius user group mapping problem 2018/08/07 00:32:36
    then what do you have in policies and SSL VPN settings for the other groups?

    Attached Image(s)


    Kind Regards,
    Tomas
    #6
    yugiohx
    Re: Radius user group mapping problem 2018/08/07 02:19:05
    Thanks for the reply.
    All other groups can only have web access in my config.
    But before that, userrad-3 can log in as RADIUS-GRP1.....
    I don't have any config about userrad-3, so I really don't know what logic the FortiGate uses to let userrad-3 log in as RADIUS-GRP1.....
    #7
    yugiohx
    Re: Radius user group mapping problem 2018/08/14 00:18:46
    Hello, is there any solution for this situation?
    Thanks: )
    #8
    pyy
    Re: Radius user group mapping problem 2018/08/27 13:05:09
    Ask for a RADIUS server that can send group replies?
    #9
    yugiohx
    Re: Radius user group mapping problem 2018/08/27 18:12:43
    Yes he can, but he can't set an SSLVPN group for me.....
    #10
    zhunissov4
    Re: Radius user group mapping problem 2018/08/27 21:21:46
    Hello, 
     
    Did you specify the Group-Name on the FortiGate like:
    config user group
        edit "GROUP_RAD"
            set member "RAD"
                config match
                    edit 1
                        set server-name "RAD"
                        set group-name "GRP-one"
                    next
                end
        next
    end

     
    and the Vendor Specific Attribute in the RADIUS server policy settings: 
     
    VENDOR Fortinet 12356
    BEGIN-VENDOR Fortinet
    ATTRIBUTE Fortinet-Group-Name 1 string
    ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
    ATTRIBUTE Fortinet-Vdom-Name 3 string
    ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
    ATTRIBUTE Fortinet-Interface-Name 5 string
    ATTRIBUTE Fortinet-Access-Profile 6 string
     
    It is necessary to filter the RADIUS server users by group.
    #11
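    Added example (not from the thread, from Fortinet, or from any poster): a Python model of the RFC 2865 Vendor-Specific encoding of the Fortinet-Group-Name attribute from the dictionary quoted above, together with a hypothetical model of the two group styles the thread describes: the plain RADIUS-server member group from reply #2, where any Access-Accept passes, and the `config match` group from reply #11, which only admits users whose Access-Accept carries the expected VSA value. `group_grants_access` is a simplified illustration of that explanation, not FortiOS code, and it does not reproduce the unexplained userrad-3 behaviour from reply #5.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
FORTINET_VENDOR_ID = 12356     # VENDOR Fortinet 12356 (dictionary quoted in the thread)
FORTINET_GROUP_NAME = 1        # ATTRIBUTE Fortinet-Group-Name 1 string


def encode_group_name_vsa(group: str) -> bytes:
    """Build one Vendor-Specific attribute carrying Fortinet-Group-Name."""
    value = group.encode()
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_fortinet_groups(attrs: bytes) -> list:
    """Return every Fortinet-Group-Name value found in a RADIUS attribute list."""
    groups, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute length")
        data = attrs[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(data) >= 4:
            vendor, j = struct.unpack("!I", data[:4])[0], 4
            while j + 2 <= len(data):      # one VSA may pack several sub-attributes
                vtype, vlen = data[j], data[j + 1]
                if vlen < 2:
                    raise ValueError("malformed vendor sub-attribute length")
                if vendor == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME:
                    groups.append(data[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return groups


def group_grants_access(group_cfg: dict, username: str, accept_attrs: bytes) -> bool:
    """Hypothetical model (not FortiOS code): does the group admit a user whose
    credentials were already accepted?  group_cfg keys: "local" (set of local
    usernames), "radius_member" (RADIUS server is a group member) and "match"
    (accepted Fortinet-Group-Name values, or None when no 'config match' is set)."""
    if username in group_cfg["local"]:
        return True                    # local users are checked first (reply #2)
    if not group_cfg["radius_member"]:
        return False
    if group_cfg["match"] is None:
        return True                    # any Access-Accept passes, so CCC gets in
    groups = decode_fortinet_groups(accept_attrs)
    return any(g in group_cfg["match"] for g in groups)   # VSA required (reply #11)
```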
    emnoc
    Re: Radius user group mapping problem 2018/08/27 21:41:20
    Yes, I have to agree with the last post: VSA is what you want, and if you have a RADIUS server that does not recognize VSA then abandon it.
     
    FWIW, here is the Fortinet VSA
     
    http://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&sliceId=1
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #12
    yugiohx
    Re: Radius user group mapping problem 2018/08/28 09:15:04
    Thanks for the reply: )
    I agree with the solution, if the RADIUS server can reply with the group attribute.
    But the guy managing the RADIUS server is a senior engineer who doesn't like to change things.
    It's difficult to ask him to edit about 200 accounts for me....Orz
    #13
    emnoc
    Re: Radius user group mapping problem 2018/08/28 09:48:26
    Change the user, or use a RADIUS-aaS like JumpCloud.
     
    Ken 

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #14
    yugiohx
    Re: Radius user group mapping problem 2018/08/30 01:44:40
    Thank you for the reply: )
    I can't agree with you more.
    But the user is our customer.
    So I think the user is more important than me. hahahahah
    #15