In this blog, I will point out some radius ( freeradius )
and fortigate observations for firewall administration. RADIUS offers
authentication & accounting for users and administration. FreeRadius has
been around for many years now. It’s an opensource package that compile very
well and can as backend for TACACS proxy. It also support
user account information in mysql database format if you so desire. In fact most of
the bigger ISPs uses mysql for holding user account details.
With in freeradius
you need to define the NAS client which is our firewall;
e.g ( freeradius clients.conf file )
client 10.10.80.1
{
secret
= key1234567890
shortname =
FGT
}
The format is very simple, you define a network or host and
the radius key. If you wanted to define a network use a format similar to below ;
client 10.10.80.0/24 {
secret =
key1234567890
shortname = LANipv4
}
client 2001:db8:199::0/64 {
secret =
key1234567890
shortname = LANipv6
}
as of 5.2.x ipv6 radius clients are not support for fortiOS
Now moving on, the radius user file contains our users details ( name, password attributes,etc....). I will demo a few types but the user password type can be any of the various methods;
Type one “crypt password”
"ken.felix"
Crypt-Password :=
"6h8yRBvqLKIo6"
Service-Type = NAS-Prompt-User,
Fortinet-Access-Profile = "noneprofile",
Cisco-AVPair = "shell:priv-lvl=15",
Reply-Message = "Hello, SOCRADIUS1
welcomes %{User-Name}"
Type two “md5
password”
ken" MD5-Password :=
"pZnTbEx6cd3MG8clmhWsOg=="
Service-Type = NAS-Prompt-User,
Fortinet-Access-Profile = "noneprofile",
Cisco-AVPair = "shell:priv-lvl=15",
Reply-Message = "Hello, SOCRADIUS1
welcomes %{User-Name}"
Type three a “cleartext
password”
radchk Cleartext-Password
:= "test0123456789"
Reply-Message = "Hello, SOCRAD01
welcomes %{User-Name}",
Fortinet-Access-Profile = "super_admin",
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=0"
These types should be self-describing but if in doubt please
refer to my earlier post here.
Okay now, on the NAS side ( fortigate ) our radius
configuration is very simple. You can define within the latest FortiOS version
upto 3x radius-severs. Each can have a different radius-key BUT you can’t use
different radius-auth-ports or authentication types { PAP|CHAP|msCHAP| )
So all defined radius-servers entries MUST HAVE THE SAME DETAILS for auth-ports.
e.g ( configurations from a production fortigate radius-server config user radius )
config user radius
edit "LASANCA11RAMPARTSAA"
set server
"172.16.179.100"
set secret
J3k484kdRad02sefgsec
set timeout
12
set
all-usergroup disable
set
use-management-vdom disable
set nas-ip
0.0.0.0
set
acct-interim-interval 600
set
radius-port 1812
set
h3c-compatibility disable
set
auth-type auto
set
source-ip 0.0.0.0
set rsso disable
set
secondary-server "172.16.178.101"
set
secondary-secret myRad1@393J3kdlSec
next
end
Now on the fortigate
admin side you have to be aware of two
issues. Fortinet allows for a specific user(s) or wildcards users * admin accounts. What
this means;
A specific user is a account that placed on the fortigate and with remote-auth where as a
wildcard is a generic “anybody”. The latter is use where you need to
ensure multiple admins and have no time
or desire for crafting dozens or hundreds of users accounts. This is typically
what you see in a big outfit like a large business, ISP, NOC, SOC, or a MSSP.
NOTE: A local define account will ALWAYS be authenticated
locally. So if you have wildcards and a
local user ( with no remote-auth enable ) &
with the same network in your radius-server, the radius-server will
never be offered the authentication request.
Speaking of requests, RADIUS Authentication is a 2 format
protocol. Typically you have a request and then a response if the client is an allowed NAS client and it has a matching radius-key.
( interesting tidbit of facts )
Radius has been around
for many years. Most RADIUS solutions today are built around the earlier LIVINGSTON radius. Livingston offer a dialup
modem bank back in the day when we had dialup-ppp accounts and had a great and well
defined AAA solution. I believe IIRC
that engineers/designers of Livingston was the main drafter of the current RADIUS protocol.
Now the user account it trivial to setup.
Here’s a local user;
config sys admin
edit "radchck"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set remote-group "radius"
set accprofile-override enable
end
Here’s a wildcard;
config sys admin
edit "WILDCARD"
set remote-auth enable
set accprofile "prof_admin"
set vdom "root"
set wildcard enable
set remote-group "radius"
next
Okay before we
get to the above, we need to specify a
group and named the “RADIUS SERVER” in that group as a member. I kept my group name
simple by naming it radius.
SOC60D
(root) # show user group radius
config
user group
edit "radius"
set member "TEST"
next
end
look at is as the group is a
local account that’s matched to a authentication method, This allows you to mix
and match let’s LDAP TACACS and RADIUS
Okay now
let’s dive in and look at some radius details from these screenshots;
PAP vrs CHAP, notice how the password is encrypted in the CHAP challenge. by temporary enabling PAP allows for you to debug wrong passwords on the freeradius server.
Here's a single radius-server configuration on a FGT60D ;
Here's a show output for a wildcard user and the details for the last logins;
Using radtest for testing radius user access and validation for chap with the user password.
Using radtest for testing radius user access and validation for pap with the user password.
Dashboard authentication status for our wildcard user.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment