kaspervb
New Contributor

FreeRADIUS authentication for admins.

Hi all,

I am trying to configure freeRADIUS authentication for my admin users (for SSL-VPN it already works fine).

TCP dump on freeRADIUS server:

13:37:01.644817 IP (tos 0x0, ttl 64, id 25529, offset 0, flags [DF], proto UDP (17), length 123)
_gateway.18643 > freeradius.radius: [udp sum ok] RADIUS, length: 95
Access-Request (1), id: 0x18, Authenticator: ff42014eccec17e98bcac1d64831295e
NAS-Identifier Attribute (32), length: 14, Value: FG-PlanetTen
0x0000: 4647 2d50 6c61 6e65 7454 656e
User-Name Attribute (1), length: 8, Value: Kasper
0x0000: 4b61 7370 6572
CHAP-Password Attribute (3), length: 19, Value:
0x0000: da2d 1f86 6bb3 8a73 b7d3 0447 5420 f4f7
0x0010: cc
NAS-Port-Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
Acct-Session-Id Attribute (44), length: 10, Value: 337797f9
0x0000: 3333 3737 3937 6639
Connect-Info Attribute (77), length: 6, Value: test
0x0000: 7465 7374
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)
Vendor Attribute: 3, Length: 4, Value: root
0x0000: 0000 3044 0306 726f 6f74
13:37:01.648991 IP (tos 0x0, ttl 64, id 5016, offset 0, flags [none], proto UDP (17), length 101)
freeradius.radius > _gateway.18643: [bad udp cksum 0x1536 -> 0x7ca3!] RADIUS, length: 73
Access-Accept (2), id: 0x18, Authenticator: 5fa8ccf058121adf70590c06276d9d82
Vendor-Specific Attribute (26), length: 23, Value: Vendor: Unknown (12356)
Vendor Attribute: 1, Length: 15, Value: Firewall_Admins
0x0000: 0000 3044 0111 4669 7265 7761 6c6c 5f41
0x0010: 646d 696e 73
Vendor-Specific Attribute (26), length: 18, Value: Vendor: Unknown (12356)
Vendor Attribute: 6, Length: 10, Value: prof_admin
0x0000: 0000 3044 060c 7072 6f66 5f61 646d 696e
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)
Vendor Attribute: 3, Length: 4, Value: root
0x0000: 0000 3044 0306 726f 6f74

freeRADIUS debug log:

rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
(3) [sql] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) pap: WARNING: Auth-Type already set. Not setting to PAP
(3) [pap] = noop
(3) } # authorize = ok
(3) Found Auth-Type = CHAP
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Auth-Type CHAP {
(3) chap: Comparing with "known good" Cleartext-Password
(3) chap: CHAP user "Kasper" authenticated successfully
(3) [chap] = ok
(3) } # Auth-Type CHAP = ok
(3) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(3) post-auth {
(3) update {
(3) No attributes updated
(3) } # update = noop
(3) sql: EXPAND .query
(3) sql: --> .query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (10)
(3) sql: EXPAND %{User-Name}
(3) sql: --> Kasper
(3) sql: SQL-User-Name set to 'Kasper'
(3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'Kasper', '0xda2d1f866bb38a73b7d304475420f4f7cc', 'Access-Accept', '2020-03-31 13:37:01')
(3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'Kasper', '0xda2d1f866bb38a73b7d304475420f4f7cc', 'Access-Accept', '2020-03-31 13:37:01')
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (10)
(3) [sql] = ok
(3) [exec] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # post-auth = ok
(3) Sent Access-Accept Id 24 from 10.4.0.203:1812 to 10.4.0.1:18643 length 0
(3) Fortinet-Group-Name = "Firewall_Admins"
(3) Fortinet-Access-Profile = "prof_admin"
(3) Fortinet-Vdom-Name = "root"
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 24 with timestamp +708

And lastly, the FortiGate log:
FG-PlanetTen $ diagnose test authserver radius freeRADIUS chap Kasper ******
[2254] handle_req-Rcvd auth req 863475705 for Kasper in freeRADIUS opt=0000001d prot=1
[406] __compose_group_list_from_req-Group 'freeRADIUS'
[615] fnbamd_pop3_start-Kasper
[539] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'freeRADIUS'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1305] fnbamd_rad_dns_cb-10.4.0.203->10.4.0.203
[1280] __fnbamd_rad_send-Sent radius req to server 'freeRADIUS': fd=15, IP=10.4.0.203(10.4.0.203:1812) code=1 id=24 len=95 user="Kasper" using CHAP
[282] radius_server_auth-Timer of rad 'freeRADIUS' is added
[565] create_auth_session-Total 1 server(s) to try
[2515] fnbamd_auth_handle_radius_result-Timer of rad 'freeRADIUS' is deleted
[1742] fnbamd_radius_auth_validate_pkt-Invalid digest
[2531] fnbamd_auth_handle_radius_result-Error validating radius rsp
[2921] handle_auth_rsp-Error (5) for req 863475705
[181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 863475705
authenticate 'Kasper' against 'chap' failed, assigned_rad_session_id=863475705 session_timeout=0 secs idle_timeout=0 secs!
[719] destroy_auth_session-delete session 863475705

So, freeRADIUS and the packet capture actually show an Access-Accept response, so that looks fine to me.

However, for some reason the FortiGate says authentication failed.

I did perform a packet capture on the FortiGate as well in order to determine whether the Access-Accept packet actually arrives there (which is the case, see attached picture).

If someone knows what's going wrong and could explain it to me I would appreciate it a lot!

1 REPLY
kaspervb
New Contributor

Never mind. I just fixed it... I changed the shared secret and had forgotten to restart the freeRADIUS server, so the shared secret DB wasn't reloaded yet...
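As an added illustration (not from the original post, nor Fortinet's or FreeRADIUS's code), this Python snippet rebuilds the captured Access-Accept with the three Fortinet VSAs from the tcpdump above and checks its Response Authenticator the way a NAS does (RFC 2865: MD5 over the response packet plus the shared secret). The two secrets are constructed, and the real secret behind the capture is unknown, so the computed authenticator differs from the one in the dump; what the example shows is that a server signing with a stale secret produces an Access-Accept that the NAS rejects, which is the "Invalid digest" line in the FortiGate output.

```python
import hashlib
import hmac

# Values below are taken from the tcpdump output in the post; the two
# shared secrets used in demo() are constructed for this example.
REQUEST_AUTH = bytes.fromhex("ff42014eccec17e98bcac1d64831295e")
FORTINET_VENDOR_ID = 12356
PACKET_ID = 0x18

def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific (26) attribute carrying one vendor sub-attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    body = vendor_id.to_bytes(4, "big") + sub
    return bytes([26, 2 + len(body)]) + body

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, attrs, secret):
    """Build the Access-Accept (code 2) that a server signs with its copy of the secret."""
    auth = response_authenticator(2, ident, request_auth, attrs, secret)
    return bytes([2, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def validate_response(packet, request_auth, secret):
    """NAS-side check: recompute the authenticator with the NAS's own secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def fortinet_reply_attrs():
    """The three Fortinet VSAs seen in the captured Access-Accept (53 bytes in total)."""
    return (vsa(FORTINET_VENDOR_ID, 1, b"Firewall_Admins")
            + vsa(FORTINET_VENDOR_ID, 6, b"prof_admin")
            + vsa(FORTINET_VENDOR_ID, 3, b"root"))

def demo():
    attrs = fortinet_reply_attrs()
    old_secret = b"old-secret-still-loaded"   # constructed: what the un-restarted server still used
    new_secret = b"new-secret-on-fortigate"   # constructed: what the NAS was reconfigured with
    reply = build_access_accept(PACKET_ID, REQUEST_AUTH, attrs, old_secret)
    return {
        "length": len(reply),                                                  # 73, as in the dump
        "same_secret_ok": validate_response(reply, REQUEST_AUTH, old_secret),  # True
        "mismatched_secret_ok": validate_response(reply, REQUEST_AUTH, new_secret),  # False
    }
```

`demo()` returns the packet length and both validation results; the second one is the case the poster hit, and the same check also fails if the response is tampered with in transit.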
