Authentication servers

Role Based Access Control

In Role Based Access Control (RBAC), network administrators and users have varying levels of access to network resources based on their role, and that role’s requirement for access specific resources. For example, a junior accountant does not require access to the sales presentations, or network user account information.

There are three main parts to RBAC: role assignment, role authorization, and transaction authorization. Role assignment is accomplished when someone in an organization is assigned a specific role by a manager or HR. Role authorization is accomplished when a network administrator creates that user’s RADIUS account and assigns them to the required groups for that role. Transaction authorization occurs when that user logs on and authenticates before performing a task.

RBAC is enforced when FortiOS network users are remotely authenticated via a RADIUS server. For users to authenticate, a security policy must be matched. That policy only matches a specific group of users. If VDOMs are enabled, the matched group will be limited to a specific VDOM. Using this method network administrators can separate users into groups that match resources, protocols, or VDOMs. It is even possible to limit users to specific FortiGate units if the RADIUS servers serve multiple FortiOS units.

For more information on security policies, see Authentication in security policies on page 502.

 

Configuring the FortiGate unit to use a RADIUS server

The information you need to configure the FortiGate unit to use a RADIUS server includes

  • the RADIUS server’s domain name or IP address
  • the RADIUS server’s shared secret key.

You can optionally specify the NAS IP or Called Station ID. When configuring the FortiGate to use a RADIUS server, the FortiGate is a Network Access Server (NAS). If the FortiGate interface has multiple IP addresses, or you want the RADIUS requests to come from a different address you can specify it here. Called Station ID applies to carrier networks. However, if the NAS IP is not included in the RADIUS configuration, the IP of the FortiGate unit interface that communicates with the RADIUS server is used instead.

A maximum of 10 remote RADIUS servers can be configured on the FortiGate unit. One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 475.

On the FortiGate unit, the default port for RADIUS traffic is 1812. Some RADIUS servers use port 1645. If this is the case with your server, you can either:

  • Re-configure the RADIUS server to use port 1812. See your RADIUS server documentation for more information on this procedure.

or

  • Change the FortiGate unit default RADIUS port to 1645 using the CLI:

config system global set radius-port 1645

end

 

One wildcard admin account can be added to the FortiGate unit when using RADIUS authentication. This uses the wildcard character to allow multiple admin accounts on RADIUS to use a single account on the FortiGate unit. See Example — wildcard admin accounts – CLI on page 462.

To configure the FortiGate unit for RADIUS authentication – web-based manager:

1. Go to User & Device > Authentication > RADIUS Servers and select Create New.

2. Enter the following information and select OK.

Name                                           A name to identify the RADIUS server on the FortiGate unit.

Primary Server Name/IP           Enter the domain name (such as fgt.exmaple.com) or the IP address of the RADIUS server.

Primary Server Secret               Enter the server secret key, such as radiusSecret. This can be a maximum of 16 characters long.

This must match the secret on the RADIUS primary server.

 

Secondary Server Name/IP      Optionally enter the domain name (such as fgt.exmaple.com) or the IP address of the secondary RADIUS server.

 

Secondary Server Secret         Optionally, enter the secondary server secret key, such as radiusSecret2.

This can be a maximum of 16 characters long.

This must match the secret on the RADIUS secondary server.

 

Authentication Scheme If you know the RADIUS server uses a specific authentication protocol, select it from the list. Otherwise select Use Default Authentication Scheme. The Default option will usually work.

NAS IP/ Called

Station ID

Enter the IP address to be used as an attribute in RADIUS access requests.

NASIPAddress is RADIUS setting or IP address of FortiGate interface used to talk to RADIUS server, if not configured.

Called Station ID is same value as NAS-IP Address but in text format.

Include in every User

Group

When enabled this RADIUS server will automatically be included in all user groups. This is useful if all users will be authenticating with the remote RADIUS server.

3. Select OK.

 

For MAC OS and iOS devices to authenticate, you must use MS-CHAP-v2 authen- tication. In the CLI, the command is set auth-type ms_chap_v2.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.