Hi ,
I have an issue integrating Fortinet with Authentication Manager, which otherwise works fine in our environment.
The problem arises when we want to differentiate users' rights based on the Active Directory group they belong to.
The flow is described in the following:
- Fortinet sends an Access Request to the Authentication Manager, containing user's login data
- Authentication Manager verifies the correctness of userid, password and token.
- If everything is OK, Authentication Manager retrieves from Active Directory the group the user belongs to and sends the Fortinet firewall an Access Accept containing the standard "memberOf" attribute, but the Fortinet firewall expects the group in an attribute called "Fortinet-Group-Name".
We need Authentication Manager to send the group information inside an attribute called "Fortinet-Group-Name" without losing the automatic synchronization with AD (we tested that if we create a custom attribute called "Fortinet-Group-Name" inside Authentication Manager, we lose the automatic synchronization with Active Directory, and that is not acceptable in our environment).
The problem is that they have to use the default Fortinet attribute, which has attribute_number = 1, and we can only create custom attributes with attribute_number greater than 64 through the Authentication Manager GUI.
This means we would have to edit the "Fortinet-Group-Name" attribute in the internal AM database in order to change the attribute number to 1.
Thanks for your collaboration.
Andrea Saldamarco
Hello,
You do not need to mess with the 'canned attribute'. You make a custom dictionary for Fortinet and can use static group names in a RADIUS profile. Yes, it is not synced with AD, but this will work, and it is the most common way people integrate with Fortinet.
There is a reason we are suggesting manually creating the profile and adding the groups by hand on the RSA server and not relying on mapping the memberOf attribute. One primary reason is that you may get a lot of groups using memberOf, and there is no way to edit or order the list returned by memberOf, so it may be problematic to get the Fortinet device working correctly. But if you create RADIUS profiles and create the group names, it will work, and consistently work. It only means you need a bit more administration on the RSA server instead of controlling the group solely with AD and the memberOf attribute.
Basic example:
(Some RSA KBs on Fortinet and RSA RADIUS: 000011715, 000030700)
Create a RADIUS dictionary file based on the vendor's name in the RSA RADIUS folder.
For this example we are going to add attributes to the new RADIUS dictionary:
@radius.dct
MACRO FORTINET-VSA(type,syntax) 26 [vid=12356 type1=%type% len1=+2 data=%syntax%]
ATTRIBUTE Fortinet-Group-Name FORTINET-VSA(1, string) r
ATTRIBUTE Fortinet-Client-IP-Address FORTINET-VSA(2, ipaddr) r
ATTRIBUTE Fortinet-Vdom-Name FORTINET-VSA(3, string) r
NOTE: please refer to the readme.dct in the RADIUS folder for detailed information on the dictionary format.
Update the file called vendor.ini and add a new section for the new vendor:
vendor-product = Fortinet
dictionary = fortinet
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
NOTE: it is recommended to add the new vendor in alphabetical order, as this maintains order in the RADIUS graphical user interface pull-down list.
Update the file called dictiona.dcm and add the dictionary filename to the vendor-specific list (in alphabetical order):
@fortinet.dct
Stop and start the RSA RADIUS service (/opt/rsa/am/server/rsaserv restart radius).
Also log off and log back into the Security Console.
When configuring the RADIUS clients, there will be a new make/model type called 'Fortinet' which will allow Fortinet vendor-specific attributes to be selected for the Return List of Attributes.
Go to Security Console > RADIUS > RADIUS Profiles > Add New to add a new profile. From the "Return List Attribute" tab, select the attribute you have set in fortinet.dct and set the appropriate value. Then press the Add button to add it. Here you can add the group name statically.
After that, save the profile.
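As an added example (not part of the post above and not RSA or Fortinet code), the following Python shows what the dictionary lines actually put on the wire: each Fortinet attribute is a RADIUS Vendor-Specific attribute (type 26) carrying vendor id 12356, a vendor sub-type (1 for Fortinet-Group-Name, 2 for Fortinet-Client-IP-Address, 3 for Fortinet-Vdom-Name) and a vendor length of data + 2, which is the "len1=+2" in the MACRO. It builds an Access-Accept with the RFC 2865 Response Authenticator, verifies it with the shared secret as the FortiGate would, and extracts the group names. The shared secret, request authenticator and group names are constructed sample values; the decoder also shows that a group sent under a custom sub-type above 64, as the question describes, is simply not seen as Fortinet-Group-Name.

```python
"""Encode/decode Fortinet RADIUS VSAs and build a verifiable Access-Accept.

Added example for the thread above; not code from RSA Authentication Manager
or from Fortinet. Sample secret, authenticator and group names are made up.
"""
import hashlib
import hmac
import struct

FORTINET_VENDOR_ID = 12356      # vid=12356 in the MACRO line of fortinet.dct
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute
ACCESS_ACCEPT = 2               # RADIUS packet code

# Vendor sub-types, as declared in the fortinet.dct excerpt above
FORTINET_GROUP_NAME = 1
FORTINET_CLIENT_IP_ADDRESS = 2
FORTINET_VDOM_NAME = 3


def fortinet_vsa(subtype: int, data: bytes) -> bytes:
    """One VSA: 26 | len | vendor-id(4) | type1 | len1 | data, len1 = len(data)+2."""
    if not 1 <= len(data) <= 247:          # whole attribute must fit in 255 bytes
        raise ValueError("VSA data length out of range")
    inner = struct.pack("!BB", subtype, len(data) + 2) + data
    payload = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(payload) + 2) + payload


def parse_attributes(buf: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        yield t, buf[i + 2:i + length]
        i += length


def fortinet_groups(attrs: bytes) -> list[str]:
    """Return every Fortinet-Group-Name (vendor 12356, sub-type 1) in the list.

    Other vendors, other sub-types (including custom ones numbered > 64) and
    standard attributes such as a mapped memberOf are ignored, which is what
    a FortiGate does when it looks for its group attribute.
    """
    groups = []
    for t, v in parse_attributes(attrs):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4                                  # several sub-attributes may share one VSA
        while j < len(v):
            st, sl = v[j], v[j + 1]
            if sl < 2 or j + sl > len(v):
                raise ValueError("malformed vendor sub-attribute")
            if st == FORTINET_GROUP_NAME:
                groups.append(v[j + 2:j + sl].decode("utf-8"))
            j += sl
    return groups


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept; Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check a server reply the way the RADIUS client (the FortiGate) must."""
    if len(pkt) < 20:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_example() -> tuple[bytes, bytes, bytes]:
    """Constructed sample: Access-Accept for a user in two groups, plus the inputs."""
    secret = b"example-shared-secret"          # assumed sample value, not a real secret
    request_auth = bytes(range(16))            # constructed Request Authenticator
    attrs = (fortinet_vsa(FORTINET_GROUP_NAME, b"VPN-Admins")
             + fortinet_vsa(FORTINET_GROUP_NAME, b"VPN-Users")
             + fortinet_vsa(FORTINET_VDOM_NAME, b"root"))
    return access_accept(7, request_auth, secret, attrs), request_auth, secret


if __name__ == "__main__":
    pkt, ra, s = build_example()
    print("authenticator ok:", verify_response(pkt, ra, s))
    print("groups:", fortinet_groups(pkt[20:]))
```

A packet capture between the FortiGate and the RSA server should show the same bytes `1a <len> 00 00 30 44 01 <len+2> ...` in front of each group name; if the group arrives as a standard attribute or under a different vendor sub-type, the firewall will ignore it no matter what the profile is called.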