Configuring a RADSEC client
FortiOS supports RADSEC clients in order to secure the communication channel over TLS for all RADIUS traffic, including RADIUS authentication and RADIUS accounting over port 2083. A FortiGate acting as a TLS client can initiate the TLS handshake with a remote RADIUS server. Administrators can specify a client certificate, perform a server identity check (enabled by default), and verify against a particular trust anchor (CA certificate). During a TLS handshake, the SNI check will use the RADIUS server FQDN if configured.
TCP connections are also supported, which use port 1812 for authentication and port 1813 for accounting.
config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
        set server-identity-check {enable | disable}
    next
end
transport-protocol {udp | tcp | tls} | Set the type of transport protocol to use.
ca-cert <string> | Set the CA certificate of the server to trust under TLS.
client-cert <string> | Set the client certificate to use under TLS.
tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2} | Set the minimum supported protocol version for TLS connections.
server-identity-check {enable | disable} | Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP or UDP transport mode, ensure that the FortiGate and RADIUS connection passes through a trusted network, or that it passes through an encrypted tunnel over untrusted networks.
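The following script is an added example, not Fortinet code or output from a FortiGate. It parses a `config user radius` block in the CLI format shown above, works out which ports each entry will use, and flags entries that fall short of the best-practice note (plaintext UDP/TCP, identity check disabled, no CA certificate pinned, a weak TLS floor). The sample configuration is constructed for the example; the default transport of udp and the meaning of the "default" TLS version are assumptions, and the audit rules are this example's own policy, not a FortiOS feature.

```python
import re

# Constructed sample in the FortiOS CLI format shown on this page (not a device export).
# Three entries: plaintext UDP, TLS with weakened options, and TLS as in Example 1.
SAMPLE_CONFIG = """
config user radius
    edit "radius-udp"
        set server "10.1.100.41"
        set transport-protocol udp
    next
    edit "radius-tls-weak"
        set server "10.1.100.41"
        set transport-protocol tls
        set tls-min-proto-version TLSv1
        set server-identity-check disable
    next
    edit "radius-tls"
        set server "10.1.100.41"
        set secret ********
        set radius-port 2083
        set transport-protocol tls
        set ca-cert "CA_Cert_2"
        set tls-min-proto-version TLSv1-2
        config accounting-server
            edit 1
                set status enable
                set server "10.1.100.41"
                set secret ********
            next
        end
    next
end
"""

# Defaults: server-identity-check is enabled unless set (documented on this page);
# udp as default transport and "default" TLS floor following the global setting are assumptions.
DEFAULTS = {"transport-protocol": "udp", "server-identity-check": "enable",
            "tls-min-proto-version": "default"}
WEAK_TLS_FLOORS = {"SSLv3", "TLSv1", "TLSv1-1"}

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_radius_servers(text):
    """Return {name: {setting: value}} for every `edit` directly under `config user radius`.
    A depth counter skips the nested accounting-server block so its own `set server`
    does not overwrite the top-level entry."""
    servers, current, depth = {}, None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            depth += 1
            continue
        if stripped == "end":
            depth -= 1
            continue
        if depth != 1:
            continue  # inside accounting-server (depth 2) or outside the block
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = dict(DEFAULTS)
            continue
        if stripped == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            servers[current][m.group(1)] = m.group(2).strip('"')
    return servers


def effective_ports(cfg):
    """(auth_port, acct_port): TLS carries both on 2083; TCP/UDP use 1812/1813.
    radius-port, when set, overrides the authentication port."""
    if cfg["transport-protocol"] == "tls":
        port = int(cfg.get("radius-port", 2083))
        return port, port
    return int(cfg.get("radius-port", 1812)), 1813


def audit(cfg):
    """Findings for one entry, following the page's option table and best-practice note."""
    findings = []
    proto = cfg["transport-protocol"]
    if proto != "tls":
        findings.append(f"{proto}: RADIUS traffic is unencrypted; keep it on a trusted "
                        "network or inside an encrypted tunnel")
    else:
        if "ca-cert" not in cfg:
            findings.append("tls: no ca-cert set, server chain not tied to a chosen trust anchor")
        if cfg["server-identity-check"] != "enable":
            findings.append("tls: server-identity-check disabled, certificate not matched "
                            "against the server FQDN/IP")
        if cfg["tls-min-proto-version"] in WEAK_TLS_FLOORS:
            findings.append(f"tls: tls-min-proto-version {cfg['tls-min-proto-version']} "
                            "allows deprecated protocol versions")
    return findings


if __name__ == "__main__":
    for name, cfg in parse_radius_servers(SAMPLE_CONFIG).items():
        print(name, effective_ports(cfg), audit(cfg) or ["ok"])
```

Run against a `show user radius` export, the script lists each server with its effective ports and the findings; the hardened entry mirrors Example 1 and produces none.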
Examples
The following topology is used to demonstrate configurations using RADSEC over TLS and RADIUS over TCP.
Example 1: RADSEC over TLS
When using TLS, FortiOS uses port 2083 for RADIUS authentication and RADIUS accounting. There is no need to configure the RADIUS accounting separately.
Before configuring RADSEC over TLS, make sure that the CA certificate (which issues the remote RADIUS server certificate) is imported into the FortiGate trusted root store. If a customized local FortiGate client certificate is used, both the certificate and private key are imported into local FortiGate certificate store.
To configure RADSEC over TLS:
- Configure the RADIUS server:

config user radius
    edit "radius-tls"
        set server "10.1.100.41"
        set secret ********
        set acct-interim-interval 600
        set radius-port 2083
        set auth-type pap
        set transport-protocol tls
        set ca-cert "CA_Cert_2"
        set client-cert "portal.fortinet-fsso"
        config accounting-server
            edit 1
                set status enable
                set server "10.1.100.41"
                set secret ********
            next
        end
    next
end
- Enable fnbamd debug messages on the FortiGate to verify the RADIUS authentication triggered by client traffic requesting access to external networks, which requires user authentication by the firewall policy. Note the lines showing the initial RADSEC TLS authentication, the successfully completed TLS handshake, and RADIUS accounting using TLS over port 2083:
# diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
...
[629] __fnbamd_cfg_add_radius_by_user-
[1726] fnbamd_match_and_update_auth_user-Found a matching user in CMDB 'test1'
[462] fnbamd_rad_get-vfid=0, name='radius-tls'
[635] __fnbamd_cfg_add_radius_by_user-Loaded RADIUS server 'radius-tls' for user 'test1' (16777236)
[905] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
...
[806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tls': 10.1.100.41:2083.
[981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 1284
...
[618] create_auth_session-Total 1 server(s) to try
[1772] handle_req-r=4
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[716] __rad_rxtx-fd 10, state 1(Auth)
...
[565] fnbamd_rad_make_access_request-
[329] __create_access_request-Compose RADIUS request
[549] __create_access_request-Created RADIUS Access-Request. Len: 139.
...
[963] __auth_ctx_svr_push-Added addr 10.1.100.41:2083 from rad 'radius-tls'
[806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tls': 10.1.100.41:2083.
[981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 1284
[481] __rad_tcps_open-Server identity check is enabled.
[495] __rad_tcps_open-Still connecting 10.1.100.41.
...
[1393] create_acct_session-Acct type 6 session created, 0x9827960
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[716] __rad_rxtx-fd 10, state 4(Acct)
...
[956] fnbamd_rad_make_acct_request-
[905] __create_acct_request-Compose RADIUS request
[944] __create_acct_request-Created RADIUS Acct-Request. Len: 129.
[572] __rad_tcps_send-Sent 129/129.
[574] __rad_tcps_send-Sent all. Total 129.
[749] __rad_rxtx-Sent radius req to server 'radius-tls': fd=10, IP=10.1.100.41(10.1.100.41:2083) code=4 id=33 len=123
[758] __rad_rxtx-Start rad conn timer.
...
Example 2: RADIUS over TCP
When using TCP, the default RADIUS ports remain the same as with UDP: 1812 for authentication and 1813 for accounting.
To configure RADIUS over TCP:
- Configure the RADIUS server:

config user radius
    edit "radius-tcp"
        set server "10.1.100.41"
        set secret ********
        set acct-interim-interval 600
        set transport-protocol tcp
        config accounting-server
            edit 1
                set status enable
                set server "10.1.100.41"
                set secret ********
            next
        end
    next
end
- Enable fnbamd debug messages on the FortiGate to verify the RADIUS authentication triggered by client traffic requesting access to external networks, which requires user authentication by the firewall policy. Note the lines showing the initial RADIUS authentication over TCP port 1812 and the initial RADIUS accounting over TCP port 1813:
# diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
...
[806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tcp': 10.1.100.41:1812.
[981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1812 proto: TCP
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 0
...
[1772] handle_req-r=4
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[716] __rad_rxtx-fd 10, state 1(Auth)
...
[565] fnbamd_rad_make_access_request-
[329] __create_access_request-Compose RADIUS request
[549] __create_access_request-Created RADIUS Access-Request. Len: 139.
[572] __rad_tcps_send-Sent 139/139.
[574] __rad_tcps_send-Sent all. Total 139.
[749] __rad_rxtx-Sent radius req to server 'radius-tcp': fd=10, IP=10.1.100.41(10.1.100.41:1812) code=1 id=40 len=139
[758] __rad_rxtx-Start rad conn timer.
...
[806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tcp': 10.1.100.41:1813.
[981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1813 proto: TCP
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 0
...
[1393] create_acct_session-Acct type 6 session created, 0x982b280
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[716] __rad_rxtx-fd 10, state 4(Acct)
...
[574] __rad_tcps_send-Sent all. Total 129.
[749] __rad_rxtx-Sent radius req to server 'radius-tcp': fd=10, IP=10.1.100.41(10.1.100.41:1813) code=4 id=41 len=123
[758] __rad_rxtx-Start rad conn timer.
...
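To check the fnbamd output from Example 1 and Example 2 without reading it by hand, here is an added example (not Fortinet code) that reduces the debug log to one record per RADIUS connection and verifies what both examples expect: TLS connections land on port 2083 and log the server identity check, plain TCP connections use 1812 for Access-Request and 1813 for Accounting-Request. The sample lines are constructed from the message formats shown above (the `code=1` line for the TLS session and its `id` value are invented; the page elides that line), and the RADIUS code names follow the RADIUS packet code numbering.

```python
import re

# Constructed excerpt modelled on the fnbamd debug output in Examples 1 and 2.
# Not a real capture: the TLS Access-Request send line (id=32) is filled in by hand.
SAMPLE_DEBUG = """\
[981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
[481] __rad_tcps_open-Server identity check is enabled.
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[749] __rad_rxtx-Sent radius req to server 'radius-tls': fd=10, IP=10.1.100.41(10.1.100.41:2083) code=1 id=32 len=139
[981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
[481] __rad_tcps_open-Server identity check is enabled.
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[749] __rad_rxtx-Sent radius req to server 'radius-tls': fd=10, IP=10.1.100.41(10.1.100.41:2083) code=4 id=33 len=123
[981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1812 proto: TCP
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[749] __rad_rxtx-Sent radius req to server 'radius-tcp': fd=10, IP=10.1.100.41(10.1.100.41:1812) code=1 id=40 len=139
[981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1813 proto: TCP
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[749] __rad_rxtx-Sent radius req to server 'radius-tcp': fd=10, IP=10.1.100.41(10.1.100.41:1813) code=4 id=41 len=123
"""

START_RE = re.compile(r"Connection starts (?P<name>[^:]+):\S+, addr (?P<ip>[\d.]+):(?P<port>\d+) proto: (?P<proto>.+)$")
SENT_RE = re.compile(r"Sent radius req to server '(?P<name>[^']+)':.*code=(?P<code>\d+) id=(?P<id>\d+)")
IDCHECK = "Server identity check is enabled."
ESTABLISHED = "is established."
RADIUS_CODES = {1: "Access-Request", 4: "Accounting-Request"}  # RADIUS packet codes


def summarize(debug_text):
    """One record per connection: server, port, transport, whether the identity check
    and a completed connect were logged, and which request type went over it."""
    records, cur = [], None
    for line in debug_text.splitlines():
        m = START_RE.search(line)
        if m:
            cur = {"server": m["name"], "port": int(m["port"]), "proto": m["proto"],
                   "tls": "TLS" in m["proto"], "identity_check": False,
                   "established": False, "request": None}
            records.append(cur)
            continue
        if cur is None:
            continue  # lines before the first connection start
        if IDCHECK in line:
            cur["identity_check"] = True
        elif ESTABLISHED in line:
            cur["established"] = True
        else:
            m = SENT_RE.search(line)
            if m:
                cur["request"] = RADIUS_CODES.get(int(m["code"]), f"code {m['code']}")
    return records


def check(records):
    """Report connections that do not match the behaviour described in the two examples."""
    problems = []
    for r in records:
        tag = f"{r['server']} :{r['port']} {r['request']}"
        if r["tls"]:
            if r["port"] != 2083:
                problems.append(f"{tag}: TLS on unexpected port")
            if not r["identity_check"]:
                problems.append(f"{tag}: server identity check not logged")
        else:
            expected = 1812 if r["request"] == "Access-Request" else 1813
            if r["port"] != expected:
                problems.append(f"{tag}: port mismatch for plain TCP")
            problems.append(f"{tag}: shared-secret protection only, no TLS")
        if not r["established"]:
            problems.append(f"{tag}: connection never established")
    return problems


if __name__ == "__main__":
    recs = summarize(SAMPLE_DEBUG)
    for r in recs:
        print(r)
    print(check(recs) or ["all connections as expected"])
```

Paste the output of `diagnose debug application fnbamd -1` into `SAMPLE_DEBUG` (or read it from a file) and the checker shows at a glance which server entries still carry RADIUS in the clear; in the sample, only the two `radius-tcp` connections are reported.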