SecurID® Discussions
AndreaSaldamarc
Beginner

Integration between Authentication Manager 8.1 and Fortinet FW

Hi,

I have an issue integrating Fortinet with Authentication Manager, which works fine in our environment.

The problem arises when we want to differentiate users' rights based on the Active Directory group they belong to.

The flow is described in the following:

  1. Fortinet sends an Access-Request to the Authentication Manager containing the user's login data.
  2. Authentication Manager verifies the correctness of the user ID, password and token.
  3. If it is all OK, Authentication Manager retrieves from Active Directory the group the user belongs to and sends the Fortinet firewall an Access-Accept containing the standard "memberOf" attribute, but the Fortinet firewall expects the group in an attribute called "Fortinet-Group-Name".

We need Authentication Manager to send the group information inside an attribute called "Fortinet-Group-Name" without losing the automatic synchronization with AD (we tested creating a custom attribute called "Fortinet-Group-Name" inside Authentication Manager, and we lost the automatic synchronization with Active Directory, which is not acceptable in our environment).

 

The problem is that they have to use the default Fortinet attribute, which has attribute_number = 1, and we can only create custom attributes with an attribute_number greater than 64 through the Authentication Manager GUI.

This means editing the "Fortinet-Group-Name" attribute in the internal AM database in order to set the attribute number to 1.

 

Thanks for your collaboration

Andrea Saldamarco

EdwardDavis
Employee

Hello,

You do not need to mess with the 'canned attribute'. You make a custom dictionary for Fortinet and can use static group names in a RADIUS profile. Yes, it is not synced with AD, but this will work and it is the most common way people integrate with Fortinet.

 

There is a reason we suggest manually creating the profile and adding the groups by hand on the RSA server rather than relying on mapping the memberOf attribute. One primary reason is that you may get a lot of groups using memberOf, there is no way to edit or order the list returned by memberOf, and it may be problematic to get the Fortinet device working correctly. But if you create RADIUS profiles and create the group names, it will work, and consistently work. It only means you need a bit more administration on the RSA server instead of controlling the group solely with AD and the memberOf attribute.

Basic example:

(some RSA KBs on Fortinet and RSA RADIUS: 000011715, 000030700)

Create a RADIUS dictionary file named after the vendor in the RSA RADIUS folder

  1. e.g. fortinet.dct

For this example we are going to add attributes to the new RADIUS dictionary

  1. e.g.

    # fortinet.dct: pull in the base RADIUS dictionary first
    @radius.dct

    # Fortinet VSAs are carried in attribute 26 with vendor id 12356;
    # the vendor length is the data length plus 2 (vendor type + vendor length octets)
    MACRO              FORTINET-VSA(type,syntax)   26   [vid=12356 type1=%type% len1=+2 data=%syntax%]

    ATTRIBUTE          Fortinet-Group-Name           FORTINET-VSA(1, string) r
    ATTRIBUTE          Fortinet-Client-IP-Address    FORTINET-VSA(2, ipaddr) r
    ATTRIBUTE          Fortinet-Vdom-Name            FORTINET-VSA(3, string) r

NOTE: please refer to the readme.dct in the RADIUS folder for detailed information on the dictionary format.

Update a file called vendor.ini and add a new section for the new vendor

  1. e.g.

    vendor-product       = Fortinet
    dictionary           = fortinet
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id              = 2000

NOTE: it is recommended to add the new vendor in alphabetical order, as this maintains the order of the pull-down list in the RADIUS graphical user interface.

Update a file called dictiona.dcm and add the dictionary filename to the vendor-specific list (in alphabetical order)

  1. e.g.

    @fortinet.dct

Stop and start the RSA RADIUS service (/opt/rsa/am/server/rsaserv restart radius). Also log off and log back into the Security Console.

When configuring the RADIUS clients there will be a new Make/model type called 'Fortinet', which will allow Fortinet vendor-specific attributes to be selected for the Return List of Attributes.

Go to Security Console > RADIUS > RADIUS Profiles > Add New to add a new profile. From the "Return List Attribute" tab, select the attribute you have set in fortinet.dct and set up the appropriate value. Then press the Add button to add them. Here you can add the group name statically.

After that, save the profile.
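As an added example (not code from either post, RSA or Fortinet), the following Python encodes and decodes the Fortinet VSAs exactly as the fortinet.dct MACRO above describes them (attribute 26, vendor id 12356, vendor length = data length + 2), so an administrator can verify on a packet capture what the RADIUS profile actually returns; the group names, the client IP and the Reply-Message are constructed sample values.

```python
import socket
import struct

# Values from the fortinet.dct posted above:
# MACRO FORTINET-VSA(type,syntax) 26 [vid=12356 type1=%type% len1=+2 data=%syntax%]
RADIUS_ATTR_VSA = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1    # Fortinet-Group-Name        (string)
FORTINET_CLIENT_IP = 2     # Fortinet-Client-IP-Address (ipaddr)
FORTINET_VDOM_NAME = 3     # Fortinet-Vdom-Name         (string)


def encode_fortinet_vsa(vendor_type: int, data: bytes) -> bytes:
    """One Fortinet VSA as an RFC 2865 Vendor-Specific attribute (type 26):
    Type | Length | Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | data
    Vendor-Length = len(data) + 2, which is what 'len1=+2' in the MACRO expresses."""
    if not 1 <= len(data) <= 247:   # the whole attribute must fit in the one-octet Length
        raise ValueError("VSA data must be 1..247 bytes")
    vendor_part = struct.pack("!IBB", FORTINET_VENDOR_ID, vendor_type, len(data) + 2) + data
    return struct.pack("!BB", RADIUS_ATTR_VSA, len(vendor_part) + 2) + vendor_part


def fortinet_group_name(group: str) -> bytes:
    """Fortinet-Group-Name as the firewall expects it (one VSA per group)."""
    return encode_fortinet_vsa(FORTINET_GROUP_NAME, group.encode("utf-8"))


def fortinet_client_ip(ip: str) -> bytes:
    """Fortinet-Client-IP-Address (ipaddr syntax = 4 raw octets)."""
    return encode_fortinet_vsa(FORTINET_CLIENT_IP, socket.inet_aton(ip))


def decode_fortinet_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return [(vendor_type, data)] for each Fortinet VSA.
    Non-VSA attributes and other vendors' VSAs are skipped; truncated input raises."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == RADIUS_ATTR_VSA and len(body) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vid == FORTINET_VENDOR_ID and vlen == len(body) - 4:
                found.append((vtype, body[6:6 + vlen - 2]))
        pos += alen
    return found


def group_names_from_access_accept(attrs: bytes) -> list:
    """Just the group strings, in the order the server listed them."""
    return [d.decode("utf-8") for t, d in decode_fortinet_vsas(attrs) if t == FORTINET_GROUP_NAME]
```

Feed `group_names_from_access_accept` the attribute section of a captured Access-Accept (everything after the 20-byte RADIUS header) to see which groups reached the firewall and in what order.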