
Administration Guide

Configuring a RADSEC client

FortiOS supports RADSEC clients in order to secure the communication channel over TLS for all RADIUS traffic, including RADIUS authentication and RADIUS accounting over port 2083. A FortiGate acting as a TLS client can initiate the TLS handshake with a remote RADIUS server. Administrators can specify a client certificate, perform a server identity check (enabled by default), and verify against a particular trust anchor (CA certificate). During a TLS handshake, the SNI check will use the RADIUS server FQDN if configured.

TCP connections are also supported, which use port 1812 for authentication and port 1813 for accounting.

config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
        set server-identity-check {enable | disable}
    next
end

transport-protocol {udp | tcp | tls}

Set the type of transport protocol to use:

  • udp: use UDP (default)
  • tcp: use TCP, but no TLS security
  • tls: use TLS over TCP

ca-cert <string>

Set the CA certificate of the server to trust under TLS.

client-cert <string>

Set the client certificate to use under TLS.

tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum supported protocol version for TLS connections:

  • default: follow the system global setting
  • SSLv3: use SSLv3
  • TLSv1: use TLSv1
  • TLSv1-1: use TLSv1.1
  • TLSv1-2: use TLSv1.2

server-identity-check {enable | disable}

Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).
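An added example (not FortiOS code or the guide's own) that maps these options onto a Python TLS client, so the effect of each setting is explicit: ca-cert becomes the sole trust anchor, server-identity-check becomes hostname/IP verification of the server certificate, and a configured FQDN is what SNI carries. The RadiusServer dataclass and the function names are assumptions made for this example.

```python
# Hypothetical helper for this page (not FortiOS code): map 'config user radius'
# RADSEC options onto a Python TLS client so the verification steps are explicit.
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

RADSEC_PORT = 2083                                # tls: auth and accounting share it
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813   # udp/tcp defaults

# tls-min-proto-version values -> ssl.TLSVersion (None: follow the global setting)
MIN_PROTO = {"default": None, "SSLv3": ssl.TLSVersion.SSLv3,
             "TLSv1": ssl.TLSVersion.TLSv1, "TLSv1-1": ssl.TLSVersion.TLSv1_1,
             "TLSv1-2": ssl.TLSVersion.TLSv1_2}

@dataclass
class RadiusServer:
    server: str                          # FQDN or IP of the RADIUS server
    transport_protocol: str = "udp"      # udp | tcp | tls
    ca_cert: Optional[str] = None        # PEM trust anchor for the server certificate
    client_cert: Optional[str] = None    # PEM file holding the client cert and key
    tls_min_proto_version: str = "default"
    server_identity_check: bool = True

def default_ports(cfg):
    """(auth_port, acct_port) as FortiOS selects them for each transport."""
    if cfg.transport_protocol == "tls":
        return RADSEC_PORT, RADSEC_PORT
    return RADIUS_AUTH_PORT, RADIUS_ACCT_PORT

def build_tls_context(cfg):
    """TLS client context equivalent to the ca-cert / client-cert / identity-check settings."""
    if cfg.transport_protocol != "tls":
        raise ValueError("transport-protocol must be tls to build a TLS context")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # CERT_REQUIRED by default
    if cfg.ca_cert:
        ctx.load_verify_locations(cafile=cfg.ca_cert)   # ca-cert is the only trust anchor
    else:
        ctx.load_default_certs()
    ctx.check_hostname = cfg.server_identity_check      # server-identity-check
    if MIN_PROTO[cfg.tls_min_proto_version] is not None:
        ctx.minimum_version = MIN_PROTO[cfg.tls_min_proto_version]
    if cfg.client_cert:
        ctx.load_cert_chain(cfg.client_cert)            # client-cert (mutual TLS)
    return ctx

def open_radsec(cfg, timeout=5.0):
    """TCP connect to 2083 and complete the handshake; RADIUS packets then flow inside."""
    raw = socket.create_connection((cfg.server, RADSEC_PORT), timeout=timeout)
    # server_hostname is sent as SNI only for an FQDN; with an IP literal Python
    # skips SNI and checks the certificate's IP SAN instead, as the identity check does.
    return build_tls_context(cfg).wrap_socket(raw, server_hostname=cfg.server)
```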

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate-to-RADIUS connection must pass through unencrypted transport. When using the TCP or UDP transport modes, it is recommended to ensure that the FortiGate-to-RADIUS connection passes through a trusted network, or that it passes through an encrypted tunnel over untrusted networks.

Examples

The following topology is used to demonstrate configurations using RADSEC over TLS and RADIUS over TCP.

Example 1: RADSEC over TLS

When using TLS, FortiOS uses port 2083 for RADIUS authentication and RADIUS accounting. There is no need to configure the RADIUS accounting separately.

Before configuring RADSEC over TLS, make sure that the CA certificate (which issued the remote RADIUS server certificate) is imported into the FortiGate trusted root store. If a customized local FortiGate client certificate is used, both the certificate and its private key must be imported into the local FortiGate certificate store.

To configure RADSEC over TLS:
  1. Configure the RADIUS server:

    config user radius
        edit "radius-tls"
            set server "10.1.100.41"
            set secret ********
            set acct-interim-interval 600
            set radius-port 2083
            set auth-type pap
            set transport-protocol tls
            set ca-cert "CA_Cert_2"
            set client-cert "portal.fortinet-fsso"
            config accounting-server
                edit 1
                    set status enable
                    set server "10.1.100.41"
                    set secret ********
                next
            end
        next
    end
  2. Enable fnbamd debug messages on the FortiGate to verify the RADIUS authentication triggered by client traffic requesting access to external networks, which requires user authentication by the firewall policy. Note the initial RADSEC TLS authentication, the successfully completed TLS handshake, and the RADIUS accounting using TLS over port 2083:

    # diagnose debug application fnbamd -1
    Debug messages will be on for 30 minutes.
    
    # diagnose debug enable
    ...
    [629] __fnbamd_cfg_add_radius_by_user-
    [1726] fnbamd_match_and_update_auth_user-Found a matching user in CMDB 'test1'
    [462] fnbamd_rad_get-vfid=0, name='radius-tls'
    [635] __fnbamd_cfg_add_radius_by_user-Loaded RADIUS server 'radius-tls' for user 'test1' (16777236)
    [905] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
    ...
    [806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tls': 10.1.100.41:2083.
    [981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
    [449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 1284
    ...
    [618] create_auth_session-Total 1 server(s) to try
    [1772] handle_req-r=4
    [418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
    [716] __rad_rxtx-fd 10, state 1(Auth)
    ...
    [565] fnbamd_rad_make_access_request-
    [329] __create_access_request-Compose RADIUS request
    [549] __create_access_request-Created RADIUS Access-Request. Len: 139.
    ...
    [963] __auth_ctx_svr_push-Added addr 10.1.100.41:2083 from rad 'radius-tls'
    [806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tls': 10.1.100.41:2083.
    [981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
    [449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 1284
    [481] __rad_tcps_open-Server identity check is enabled.
    [495] __rad_tcps_open-Still connecting 10.1.100.41.
    ...
    [1393] create_acct_session-Acct type 6 session created, 0x9827960
    [418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
    [716] __rad_rxtx-fd 10, state 4(Acct)
    ...
    [956] fnbamd_rad_make_acct_request-
    [905] __create_acct_request-Compose RADIUS request
    [944] __create_acct_request-Created RADIUS Acct-Request. Len: 129.
    [572] __rad_tcps_send-Sent 129/129.
    [574] __rad_tcps_send-Sent all. Total 129.
    [749] __rad_rxtx-Sent radius req to server 'radius-tls': fd=10, IP=10.1.100.41(10.1.100.41:2083) code=4 id=33 len=123
    [758] __rad_rxtx-Start rad conn timer.
    ...

Example 2: RADIUS over TCP

When using TCP, the default RADIUS ports remain the same as with UDP: 1812 for authentication and 1813 for accounting.

To configure RADIUS over TCP:
  1. Configure the RADIUS server:

    config user radius
        edit "radius-tcp"
            set server "10.1.100.41"
            set secret ********
            set acct-interim-interval 600
            set transport-protocol tcp
            config accounting-server
                edit 1
                    set status enable
                    set server "10.1.100.41"
                    set secret ********
                next
            end
        next
    end
  2. Enable fnbamd debug messages on the FortiGate to verify the RADIUS authentication triggered by client traffic requesting access to external networks, which requires user authentication by the firewall policy. Note the initial RADIUS authentication over TCP port 1812 and the initial RADIUS accounting over TCP port 1813:

    # diagnose debug application fnbamd -1
    Debug messages will be on for 30 minutes.
    
    # diagnose debug enable
    ...
    
    [806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tcp': 10.1.100.41:1812.
    [981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1812 proto: TCP
    [449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 0
    ...
    [1772] handle_req-r=4
    [418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
    [716] __rad_rxtx-fd 10, state 1(Auth)
    ...
    [565] fnbamd_rad_make_access_request-
    [329] __create_access_request-Compose RADIUS request
    [549] __create_access_request-Created RADIUS Access-Request. Len: 139.
    [572] __rad_tcps_send-Sent 139/139.
    [574] __rad_tcps_send-Sent all. Total 139.
    [749] __rad_rxtx-Sent radius req to server 'radius-tcp': fd=10, IP=10.1.100.41(10.1.100.41:1812) code=1 id=40 len=139
    [758] __rad_rxtx-Start rad conn timer.
    ...
    [806] __fnbamd_rad_get_next_addr-Next available address of rad 'radius-tcp': 10.1.100.41:1813.
    [981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1813 proto: TCP
    [449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 0
    ...
    [1393] create_acct_session-Acct type 6 session created, 0x982b280
    [418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
    [716] __rad_rxtx-fd 10, state 4(Acct)
    ...
    [574] __rad_tcps_send-Sent all. Total 129.
    [749] __rad_rxtx-Sent radius req to server 'radius-tcp': fd=10, IP=10.1.100.41(10.1.100.41:1813) code=4 id=41 len=123
    [758] __rad_rxtx-Start rad conn timer.
    ...
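As an added example that is not part of the guide, the following script parses fnbamd lines of the kind shown in both examples and reports RADIUS connections that fall outside the Caution above: a plaintext transport to a server that is not inside a trusted network, or a TLS connection for which the server identity check did not show as enabled. The sample lines are constructed from the output shown on this page; the function names and the trusted-network list are assumptions.

```python
# Audit fnbamd debug output for RADIUS transports (constructed helper, not FortiOS code).
import ipaddress
import re

# Constructed sample, modelled on the fnbamd lines shown in the two examples above.
SAMPLE_DEBUG = """\
[981] __auth_ctx_start-Connection starts radius-tls:10.1.100.41, addr 10.1.100.41:2083 proto: TCP over TLS
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 1284
[481] __rad_tcps_open-Server identity check is enabled.
[418] __rad_tcps_connect-tcps_connect(10.1.100.41) is established.
[981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1812 proto: TCP
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 0
[981] __auth_ctx_start-Connection starts radius-tcp:10.1.100.41, addr 10.1.100.41:1813 proto: TCP
[449] __rad_tcps_open-vfid 0, addr 10.1.100.41, src_ip (null), ssl_opt 0
"""

CONN_RE = re.compile(r"__auth_ctx_start-Connection starts (?P<name>[^:]+):\S+, "
                     r"addr (?P<ip>[\d.]+):(?P<port>\d+) proto: (?P<proto>.+?)\s*$")
SSLOPT_RE = re.compile(r"__rad_tcps_open-.*\bssl_opt (?P<opt>\d+)")
IDCHECK_RE = re.compile(r"__rad_tcps_open-Server identity check is enabled")

def parse_connections(debug_text):
    """One record per '__auth_ctx_start' line; the open/identity-check lines refine the last record."""
    conns = []
    for line in debug_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append({"name": m["name"], "ip": m["ip"], "port": int(m["port"]),
                          "proto": m["proto"], "ssl_opt": None, "identity_check": False})
        elif conns and (m := SSLOPT_RE.search(line)):
            conns[-1]["ssl_opt"] = int(m["opt"])
        elif conns and IDCHECK_RE.search(line):
            conns[-1]["identity_check"] = True
    return conns

def audit(conns, trusted_networks=()):
    """Findings per the Caution: plaintext RADIUS is acceptable only inside a trusted network."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for c in conns:
        target = f"{c['name']} -> {c['ip']}:{c['port']}"
        if c["proto"] == "TCP over TLS":
            if not c["identity_check"]:
                findings.append(f"{target}: TLS without server identity check")
        elif not any(ipaddress.ip_address(c["ip"]) in net for net in trusted):
            findings.append(f"{target}: plaintext RADIUS ({c['proto']}) outside trusted network")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_connections(SAMPLE_DEBUG))) or "no findings")
```

To run it against a real capture, pipe the output of `diagnose debug application fnbamd -1` into `parse_connections` and pass the subnets you consider trusted to `audit`.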