Wednesday, October 7, 2015

fortigate radius observations

In this blog, I will point out some radius ( freeradius ) and fortigate observations for firewall administration. RADIUS offers authentication & accounting for users and administration. FreeRadius has been around for many years now. It’s an opensource package that compile very well and can  as  backend for TACACS proxy. It also support user account information in mysql database format if you so desire. In fact most of the bigger ISPs uses mysql for holding user account details.

With in freeradius  you need to define the NAS client which is our firewall;

e.g ( freeradius clients.conf file )

client  {
       secret =  key1234567890
       shortname = FGT

The format is very simple, you define a network or host and the radius key. If you wanted to define a network use a format similar to below ;

client  {
       secret =  key1234567890
       shortname = LANipv4
client 2001:db8:199::0/64  {
       secret =  key1234567890
       shortname = LANipv6

as of 5.2.x  ipv6  radius clients are not support for fortiOS

Now moving on,  the radius user file contains our users details ( name, password attributes,etc....). I will demo  a few types but  the user password type can be any of the various methods;

Type one “crypt password”

"ken.felix"   Crypt-Password := "6h8yRBvqLKIo6"
        Service-Type = NAS-Prompt-User,
        Fortinet-Access-Profile = "noneprofile",
        Cisco-AVPair = "shell:priv-lvl=15",
        Reply-Message = "Hello, SOCRADIUS1  welcomes %{User-Name}"

Type two  “md5 password”

ken"  MD5-Password := "pZnTbEx6cd3MG8clmhWsOg=="
        Service-Type = NAS-Prompt-User,
        Fortinet-Access-Profile = "noneprofile",
        Cisco-AVPair = "shell:priv-lvl=15",
        Reply-Message = "Hello, SOCRADIUS1  welcomes %{User-Name}"

Type three a “cleartext password”

radchk Cleartext-Password := "test0123456789"
        Reply-Message = "Hello, SOCRAD01  welcomes %{User-Name}",
        Fortinet-Access-Profile = "super_admin",
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=0"

These types should be self-describing but if in doubt please refer to my earlier post here.

Okay now, on the NAS side ( fortigate ) our radius configuration is very simple. You can define within the latest FortiOS version upto 3x radius-severs. Each can have a different radius-key BUT you can’t use different radius-auth-ports or authentication types { PAP|CHAP|msCHAP| )

So all defined radius-servers entries  MUST HAVE THE SAME DETAILS for auth-ports.

e.g ( configurations from a production fortigate radius-server config user radius )

config user radius
        set server ""
        set secret J3k484kdRad02sefgsec
        set timeout 12
        set all-usergroup disable
        set use-management-vdom disable
        set nas-ip
        set acct-interim-interval 600
        set radius-port 1812
        set h3c-compatibility disable
        set auth-type auto
        set source-ip
        set rsso disable
        set secondary-server ""
        set secondary-secret  myRad1@393J3kdlSec

Now on the  fortigate admin side you have to  be aware of two issues. Fortinet allows for a specific user(s) or wildcards users * admin accounts. What this means;

A specific user is a account that placed on the  fortigate and with remote-auth where as a wildcard is a generic “anybody”. The latter is use where you need to ensure  multiple admins and have no time or desire for crafting dozens or hundreds of users accounts. This is typically what you see in a big outfit like a large business, ISP, NOC, SOC, or a MSSP.

NOTE: A local define account will ALWAYS be authenticated locally. So if you have wildcards  and a local user ( with no remote-auth enable ) &  with the same network in your radius-server, the radius-server will never be offered the authentication request.

Speaking of requests, RADIUS Authentication is a 2 format protocol. Typically you  have a request and then a response if the client is an allowed NAS client and it has a matching  radius-key.

( interesting tidbit of facts )

Radius has been around for many years. Most RADIUS solutions today are built around the earlier  LIVINGSTON radius. Livingston offer a dialup modem bank back in the day when we had dialup-ppp accounts and had a great and well defined AAA solution.   I believe IIRC that engineers/designers of Livingston was the main drafter  of the current RADIUS protocol.

Now the user account it trivial to setup.

Here’s a local user;

config sys admin
   edit "radchck"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "radius"
        set accprofile-override enable

Here’s a wildcard;

config sys admin
     edit "WILDCARD"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root" 
        set wildcard enable
        set remote-group "radius"

Okay before we get to the above,  we need to specify a group and named the “RADIUS SERVER” in that group as a member. I kept my group name simple by naming it radius.

SOC60D (root) # show user group radius
config user group
    edit "radius"
        set member "TEST"

 look at is as the group is a local account that’s matched to a authentication method, This allows you to mix and match let’s LDAP  TACACS and RADIUS

Okay now let’s dive in and look at some radius details from these screenshots;

PAP vrs CHAP, notice how the password is encrypted in the CHAP challenge.  by temporary  enabling PAP allows for you to debug wrong passwords on the  freeradius server.

Here's a single radius-server configuration on a FGT60D ;

 Here's a show output for a wildcard user and the details for the last logins;

note: a system can only have one wildcard user.

Using radtest for testing  radius user access and validation for chap with the user password.

Using radtest for testing  radius user access and validation for pap with the user password.

Dashboard  authentication status for our wildcard user.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \

No comments:

Post a Comment