Fortigate VDOM Assignment through RADIUS


Issue: A Fortinet Fortigate UTM has been set up for RADIUS authentication so that support staff, customers and administrators can administer it remotely at different privilege levels. VDOM assignment can also be done through RADIUS (using the Fortinet-Vdom-Name vendor-specific attribute), but this does not work on FortiOS 5.x: the attribute is returned by the RADIUS server, yet the user is not placed in the assigned VDOM.

Platform: Fortinet Fortigate UTM running FortiOS 5.x.

Solution: First confirm where the attribute is being lost. The RADIUS server debug log shows that the correct attributes are sent in the Access-Accept:

Thu Jun 19 13:40:09 2014: DEBUG: Handling request with Handler 'Realm=', Identifier ''
Thu Jun 19 13:40:09 2014: DEBUG: admin_session Deleting session for chill, 223.25.140.41,
Thu Jun 19 13:40:09 2014: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='223.25.140.41' and USERNAME='chill' and NASPORT='' and ACCTSESSIONID='0000004e'':
Thu Jun 19 13:40:09 2014: DEBUG: Handling with Radius::AuthSQL: admin_auth
Thu Jun 19 13:40:09 2014: DEBUG: Handling with Radius::AuthSQL: admin_auth
Thu Jun 19 13:40:09 2014: DEBUG: Query is: 'select ENCRYPTEDPASSWORD,REPLYATTR from RADACCOUNTS where USERNAME='chill' and (ACTIVE='Y' or ACTIVE = 'y')':
Thu Jun 19 13:40:09 2014: DEBUG: Radius::AuthSQL looks for match with chill [chill]
Thu Jun 19 13:40:09 2014: DEBUG: Radius::AuthSQL ACCEPT: : chill [chill]
Thu Jun 19 13:40:09 2014: DEBUG: AuthBy SQL result: ACCEPT,
Thu Jun 19 13:40:09 2014: DEBUG: Access accepted for chill
Thu Jun 19 13:40:09 2014: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAMP, DATETIME, USERNAME, TYPE, REASON, IPADDRESS) values (1403149209,"2014-06-19 13:40:09",'chill',1,'Login Success',"223.25.140.41")':
Thu Jun 19 13:40:09 2014: DEBUG: Packet dump:
*** Sending to 223.25.140.41 port 1033 ....
Code: Access-Accept
Identifier: 77
Authentic: <175>W`#<245>><210><247><225>(<136>5<179><142><2>q
Attributes:
User-Service-Type = "Login-User"
Fortinet-Vdom-Name = "cctr_rapt"
Fortinet-Access-Profile = "prof_admin"

A packet capture on the Fortigate shows the same attributes arriving intact (three Fortinet vendor-specific attributes, vendor ID 0x3044, in the Access-Accept):

fortigate (cctr_cctr) # diagnose sniffer packet any 'port 1812' 3
interfaces=[any]
filters=[port 1812]

11.545025 123.29.240.4.1812 -> 223.25.140.41.1033: udp 73
0x0000 0000 0000 0000 0000 1e00 e203 0800 4500 ..............E.
0x0010 0065 0000 4000 3e11 9e1e df1d f004 df1d .e..@.>.........
0x0020 f029 0714 0409 0051 bf41 026c 0049 7348 .).....Q.A.l.IsH
0x0030 c7ce 860b b0c2 4aea 75eb 2292 3dbc 1a12 ......J.u.".=...
0x0040 0000 3044 070c 4c6f 6769 6e2d 5573 6572 ..0D..Login-User
0x0050 1a11 0000 3044 030b 6363 7472 5f72 6170 ....0D..cctr_rap
0x0060 741a 1200 0030 4406 0c70 726f 665f 6164 t....0D..prof_ad
0x0070 6d69 6e min
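To check for yourself that the Access-Accept on the wire really carries Fortinet-Vdom-Name, and to cross-check it against what the RADIUS server log above says was sent, here is an added Python decoder (example code written for this page, not from the original post and not a Fortinet tool). It rebuilds the frame from the sniffer hex dump, strips the Ethernet, IPv4 and UDP headers, and walks the RADIUS attributes, naming the Fortinet vendor-specific attributes it knows (vendor ID 12356; vendor type 3 is Fortinet-Vdom-Name and vendor type 6 is Fortinet-Access-Profile). The dump is quoted verbatim from the capture above; the function and constant names are this example's own.

```python
import re
import struct

# Hex dump quoted from the Fortigate 'diagnose sniffer packet any ... 3' output
# above (verbosity 3 prints the raw Ethernet frame, 16 bytes per line).
SNIFFER_DUMP = """
0x0000 0000 0000 0000 0000 1e00 e203 0800 4500 ..............E.
0x0010 0065 0000 4000 3e11 9e1e df1d f004 df1d .e..@.>.........
0x0020 f029 0714 0409 0051 bf41 026c 0049 7348 .).....Q.A.l.IsH
0x0030 c7ce 860b b0c2 4aea 75eb 2292 3dbc 1a12 ......J.u.".=...
0x0040 0000 3044 070c 4c6f 6769 6e2d 5573 6572 ..0D..Login-User
0x0050 1a11 0000 3044 030b 6363 7472 5f72 6170 ....0D..cctr_rap
0x0060 741a 1200 0030 4406 0c70 726f 665f 6164 t....0D..prof_ad
0x0070 6d69 6e min
"""

FORTINET_VENDOR_ID = 12356  # Fortinet's IANA enterprise number, 0x3044 in the dump
FORTINET_VSA_NAMES = {      # vendor types this example knows how to name
    3: "Fortinet-Vdom-Name",
    6: "Fortinet-Access-Profile",
}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}")


def parse_sniffer_hex(dump: str) -> bytes:
    """Rebuild the raw frame: each line is '0xOFFSET', up to eight 16-bit hex
    groups (the last may be a single byte), then an ASCII column we ignore."""
    frame = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        if int(tokens[0], 16) != len(frame):
            raise ValueError(f"dump offset {tokens[0]} does not follow {len(frame):#06x}")
        for tok in tokens[1:9]:
            if not HEX_GROUP.fullmatch(tok):
                break  # reached the ASCII column
            frame += bytes.fromhex(tok)
    return bytes(frame)


def radius_payload(frame: bytes) -> bytes:
    """Strip the Ethernet, IPv4 and UDP headers and return the RADIUS datagram."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]  # the IP total length also drops any trailing bytes
    udp_len = struct.unpack("!H", udp[4:6])[0]
    return udp[8:udp_len]


def decode_radius(pkt: bytes) -> dict:
    """Parse a RADIUS packet into code, identifier and attribute list,
    expanding Vendor-Specific (type 26) attributes from Fortinet by name."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"RADIUS length field {length} != {len(pkt)} bytes")
    attrs = []
    pos = 20  # 4-byte header plus 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = pkt[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError(f"malformed VSA at offset {pos}")
            if vendor == FORTINET_VENDOR_ID:
                name = FORTINET_VSA_NAMES.get(vtype, f"Fortinet-VSA-{vtype}")
            else:
                name = f"VSA-{vendor}-{vtype}"
            attrs.append((name, value[6:].decode("ascii", "replace")))
        else:
            attrs.append((f"Attr-{atype}", value.hex()))
        pos += alen
    return {"code": RADIUS_CODES.get(code, str(code)), "id": ident, "attributes": attrs}


def fortinet_vsas(dump: str) -> dict:
    """Fortinet VSA name -> string value for one sniffer dump."""
    decoded = decode_radius(radius_payload(parse_sniffer_hex(dump)))
    return {n: v for n, v in decoded["attributes"] if n.startswith("Fortinet-")}


if __name__ == "__main__":
    decoded = decode_radius(radius_payload(parse_sniffer_hex(SNIFFER_DUMP)))
    print(f"{decoded['code']} id={decoded['id']}")
    for name, value in decoded["attributes"]:
        print(f"  {name} = {value}")
    vdom = fortinet_vsas(SNIFFER_DUMP).get("Fortinet-Vdom-Name")
    print("VDOM attribute received:", vdom if vdom else "MISSING")
```

Run against the dump, it reports an Access-Accept carrying Fortinet-Vdom-Name = cctr_rapt and Fortinet-Access-Profile = prof_admin, which confirms the attribute reached the firewall intact and the fault is in how FortiOS 5.x applied it, not in transport. Two details worth noticing from the bytes: the capture encodes Login-User as Fortinet vendor type 7 rather than as the standard Service-Type attribute, and its RADIUS identifier (108) differs from the one in the server log (77), so the log excerpt and the capture come from separate authentications.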

The Fortigate CLI RADIUS test also shows the correct assigned admin profile and VDOM:

fortigate (cctr_cctr) # diagnose test authserver radius "RADIUS" pap chill password
authenticate 'chill' against 'pap' succeeded, server=primary assigned_rad_session_id=170 assigned_admin_profile=prof_admin session_timeout=0 secs!
assigned_vdom(s) - cctr_rapt

I reported this issue to Fortinet TAC; they came back saying it was a bug in the Fortigate system code and that a fix was pending.

Update: This issue has been fixed in FortiOS 5.2.1.
