[Answered] Can't connect to Forti authenticator as RADIUS server

Author
AlexHelloworld
New Member
2019/09/25 05:30:54 (permalink)
0

Can't connect to Forti authenticator as RADIUS server

Hi, I have installed FortiAuthenticator and set it up as a RADIUS server according to the Cookbook.
Trying to connect to it from FortiGate, and I can't, I get an error.
It successfully gets users from the LDAP server, everything cool.
I have scanned ports from outside: the RADIUS port is closed, but it is open on the FORTIGATE, I mean the policies ALLOW everything to this FortiAuthenticator and everything from it.
SSH, ping, everything works fine.
Anybody know how to troubleshoot it? RADIUS doesn't work :(
Thank you!
#1
xsilver
Expert Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/09/25 06:00:05 (permalink) (Best Answer, marked by AlexHelloworld 2019/09/25 18:49:18)
5 (1)
Hi,
have a look at https://<your-fac>/debug/ to see the RADIUS debug.
A packet capture should also help, at least to see if you get any response to the Access-Request sent from FGT.
My guess is that you get no response from FortiAuthenticator (FAC) because you have missed setting, or misconfigured, GUI > Authentication > RADIUS Service > Clients, so FAC is not even responding to an unknown client (your FGT).
If you do NAT/route traffic from FGT to FAC, then check (packet capture on FAC) with which IP the FGT Access-Request came into your FAC.

Kind Regards,
Tomas
#2
AlexHelloworld
New Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/09/25 18:49:01 (permalink)
0
xsilver
Hi,
have a look at https://<your-fac>/debug/ to see the RADIUS debug.
A packet capture should also help, at least to see if you get any response to the Access-Request sent from FGT.
My guess is that you get no response from FortiAuthenticator (FAC) because you have missed setting, or misconfigured, GUI > Authentication > RADIUS Service > Clients, so FAC is not even responding to an unknown client (your FGT).
If you do NAT/route traffic from FGT to FAC, then check (packet capture on FAC) with which IP the FGT Access-Request came into your FAC.


Thanks mate, yeah, really that, it is from the debug:
2019-09-26T09:33:57.139846+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.XX.XX port 16743


#3
AlexHelloworld
New Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/09/25 18:50:51 (permalink)
0
xsilver
Hi,
have a look at https://<your-fac>/debug/ to see the RADIUS debug.
A packet capture should also help, at least to see if you get any response to the Access-Request sent from FGT.
My guess is that you get no response from FortiAuthenticator (FAC) because you have missed setting, or misconfigured, GUI > Authentication > RADIUS Service > Clients, so FAC is not even responding to an unknown client (your FGT).
If you do NAT/route traffic from FGT to FAC, then check (packet capture on FAC) with which IP the FGT Access-Request came into your FAC.




It is off-topic, but could you advise me please: I have users from LDAP, there is a local realm configured and no possibility to add an LDAP realm. Should I sync it from remote to local, or will it work with remote users?
#4
xsilver
Expert Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/09/26 01:01:10 (permalink)
0
AlexHelloworld
2019-09-26T09:33:57.139846+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.XX.XX port 16743

 
That's it! Clearly stating that there is no respective Client config in RADIUS Service, and so FortiAuthenticator is simply dropping the Access-Request (which is expected by design, so we are not leaking any responses that there is something missing).
 

Kind Regards,
Tomas
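The radiusd line quoted above is the one artefact worth watching for: FAC silently drops Access-Requests from any source that is not listed under RADIUS Service > Clients, and only the debug log says so. The following is an added example, not code from the thread or from Fortinet, that parses such lines out of a constructed log sample, counts the rejected sources per service and port, and compares them against the client entries you believe are configured (given as IPs or CIDR ranges). A source that is not covered by any configured entry is either missing from the client list or, as xsilver notes, arriving from a different IP than expected because of NAT or routing. The sample IPs and the configured client list are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of FAC radiusd debug output, modelled on the line quoted in
# the thread. Hostname, PID, addresses and ports are all made up for the example.
SAMPLE_LOG = """\
2019-09-26T09:33:57.139846+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.10.5 port 16743
2019-09-26T09:34:02.001000+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to authentication address * port 1812 from unknown client 192.168.10.5 port 16744
2019-09-26T09:35:10.500000+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ignoring request to accounting address * port 1813 from unknown client 10.20.30.40 port 55000
2019-09-26T09:36:00.000000+08:00 BH-FORTIAUTH-01 radiusd[16273]: Ready to process requests
"""

# One regex for the "unknown client" drop message; other radiusd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) radiusd\[(?P<pid>\d+)\]: "
    r"Ignoring request to (?P<service>\w+) address (?P<addr>\S+) port (?P<port>\d+) "
    r"from unknown client (?P<client>\S+) port (?P<client_port>\d+)$"
)


def parse_unknown_clients(log_text):
    """Return one dict per 'unknown client' drop line found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["client_port"] = int(rec["client_port"])
        records.append(rec)
    return records


def summarize(records):
    """Count drops per (source IP, service, server port) so repeat offenders stand out."""
    return Counter((r["client"], r["service"], r["port"]) for r in records)


def unregistered_sources(records, configured_clients):
    """Source IPs in the drop records that no configured client entry (IP or CIDR) covers.

    If an IP shows up here, either add a RADIUS client for it on FAC or fix the
    NAT/route so the NAS arrives from the IP you already registered.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in configured_clients]
    missing = set()
    for r in records:
        ip = ipaddress.ip_address(r["client"])
        if not any(ip in n for n in nets):
            missing.add(r["client"])
    return missing


if __name__ == "__main__":
    recs = parse_unknown_clients(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(f"{key[0]} -> {key[1]} port {key[2]}: {n} dropped request(s)")
    # Constructed: the FGT was registered with its LAN address, but requests arrive
    # from another IP, which is exactly the NAT/route case xsilver describes.
    print("needs a client entry:", unregistered_sources(recs, ["192.168.10.1/32"]))
```

Running the script against real output from https://<your-fac>/debug/ only requires replacing SAMPLE_LOG with the captured text; the regex is anchored to the message format shown in the thread, so unrelated radiusd lines are skipped rather than misparsed.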
#5
xsilver
Expert Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/09/26 01:10:14 (permalink)
0
AlexHelloworld
I have users from LDAP, there is a local realm configured and no possibility to add an LDAP realm. Should I sync it from remote to local, or will it work with remote users?

 
If you do have an LDAP Remote Auth. Server defined, then have a look at GUI > Authentication > User Management > Realms,
and there you can bind your LDAP to a Realm to be able to use it in a RADIUS Client later on.
It is defined locally on FortiAuthenticator (FAC), has nothing to do with the Kerberos Realm in AD, and therefore the realm on FAC cannot be synced. But users can be synced via Remote User Sync Rules and so authenticated via the Realm bound to the LDAP they came through.

Kind Regards,
Tomas
#6
Nytro
New Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/09/26 06:17:37 (permalink)
4 (1)
On FAC: assuming you have already imported your users from remote LDAP, create a user group and add those users to the group. Create a RADIUS client; this is your FortiGate. On the bottom right, turn on the 'Groups' filter and add the user group you created with the remote LDAP users. Select the realm. The realm should be your AD realm name that the remote LDAP users are a part of, and is bound to the LDAP server (AD) in your config.
On your FortiGate, configure the RADIUS server (the FAC). Then create a user group. There will be no local members. Select remote groups, choose the RADIUS server you just created, and for groups, type in the group name you created on the FAC with the LDAP users. Type case must be an exact match. Go back to the 'RADIUS server' section and test connectivity using an AD credential of a member of the group you created on the FAC.

Cheers!
Noel
#7
xsilver
Expert Member
Re: Can't connect to Forti authenticator as RADIUS server 2019/10/01 06:07:14 (permalink)
5 (1)
Good summary (4* credit), except for the necessity to have the group name exactly the same.
Referring to: "and for groups, type in the group name you created on the FAC with the LDAP users. Type case must be an exact match."
 
As if your intention is to do RADIUS Group Match ..
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36464

Then what the group membership is checked against on FGT is NOT a group name as on FAC (it could be whatever else), but an additional RADIUS attribute added either to the user or, in this case rather, to the group (and inherited by all group members).
And that RADIUS AVP I'm talking about is Fortinet-Group-Name.
In short, the RADIUS AVP is what FGT is looking for and not the name of the group on FAC.
 

Kind Regards,
Tomas
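Posts #6 and #7 together describe the exchange that makes the group match work: FGT sends an Access-Request, FAC answers with an Access-Accept carrying the Fortinet-Group-Name vendor attribute, and FGT compares the configured remote group string against that attribute value (case-sensitively), not against the FAC group's display name. The following is an added example, not code from the thread, from Fortinet, or from FortiAuthenticator, that builds both packets per RFC 2865, encodes Fortinet-Group-Name as a Vendor-Specific attribute (Fortinet's IANA enterprise number 12356, vendor type 1, as in Fortinet's RADIUS dictionary), verifies the Response Authenticator with the shared secret, and performs the group match the way the thread says FGT does. The shared secret, user name and group names are constructed; a real FGT Access-Request also carries User-Password, NAS-IP-Address and other attributes that are left out here.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name, a string vendor attribute


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def fortinet_group_name_vsa(group):
    """Encode Fortinet-Group-Name as a Vendor-Specific (26) attribute."""
    value = group.encode()
    vendor_part = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + vendor_part)


def build_access_request(ident, username, request_auth):
    """Minimal NAS-side Access-Request (constructed; real FGT adds more attributes)."""
    attrs = attr(ATTR_USER_NAME, username.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, groups, secret):
    """Server-side Access-Accept carrying one Fortinet-Group-Name per group.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    per RFC 2865 section 3, so a NAS with a mismatched secret rejects the reply.
    """
    attrs = b"".join(fortinet_group_name_vsa(g) for g in groups)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet, request_auth, secret, expected_ident=None):
    """What a NAS must check before trusting an Access-Accept: length, ID and authenticator."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or (expected_ident is not None and ident != expected_ident):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the attribute list; a length under 2 would loop forever, so reject it."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def fortinet_group_names(packet):
    """Extract every Fortinet-Group-Name value from the Vendor-Specific attributes."""
    names = []
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[pos + 2:pos + vlen].decode())
            pos += vlen
    return names


def group_match(packet, configured_group):
    """FGT remote-group match: the configured string must equal an AVP value exactly."""
    return configured_group in fortinet_group_names(packet)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, shared by NAS and server
    request_auth = bytes(range(16))          # constructed; real NAS uses 16 random bytes
    req = build_access_request(7, "alice", request_auth)
    accept = build_access_accept(req[1], request_auth, ["VPN-Users"], secret)
    print("reply verified:", verify_response(accept, request_auth, secret, 7))
    print("AVP values:", fortinet_group_names(accept))
    print("match 'VPN-Users':", group_match(accept, "VPN-Users"))
    print("match 'vpn-users':", group_match(accept, "vpn-users"))
```

The last two prints are the point of xsilver's correction: the string FGT compares is whatever Fortinet-Group-Name value FAC attaches to the user or group, so renaming the FAC group changes nothing unless the attribute value changes with it, and the comparison is case-sensitive.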