Thanks for sharing this.
Note that SHOULD in an RFC is a strong recommendation, but it also states that there may be valid reasons to ignore/deviate:
Original Message:
Sent: Dec 06, 2023 07:39 AM
From: BrettV
Subject: NAS-Port-Type value for FortiGate RADIUS Administration
If anyone cares - the RADIUS RFC states that either the NAS-Port or NAS-Port-Type attributes, or both, should be present. I was surprised that the NAS-Port attribute was missing from the Fortinet packet captures.
5.41. NAS-Port-Type
Description
This Attribute indicates the type of the physical port of the NAS
which is authenticating the user. It can be used instead of or in
addition to the NAS-Port (5) attribute. It is only used in
Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or
both SHOULD be present in an Access-Request packet, if the NAS
differentiates among its ports.
Type
61 for NAS-Port-Type.
Length
6
Value
The Value field is four octets. "Virtual" refers to a connection
to the NAS via some transport protocol, instead of through a
physical port. For example, if a user telnetted into a NAS to
authenticate himself as an Outbound-User, the Access-Request might
include NAS-Port-Type = Virtual as a hint to the RADIUS server
that the user was not on a physical port.
------------------------------
Regards,
Brett V
Original Message:
Sent: Dec 06, 2023 07:30 AM
From: BrettV
Subject: NAS-Port-Type value for FortiGate RADIUS Administration
Thanks Mathieu,
The firewall was finally configured for RADIUS, and it indeed sends NAS-PORT-TYPE = 5 in the access-request message.
------------------------------
Regards,
Brett V
Original Message:
Sent: Oct 12, 2023 04:07 AM
From: mdavid
Subject: NAS-Port-Type value for FortiGate RADIUS Administration
Hi,
Fortigate is sending Radius:IETF:NAS-Port-Type = 5 for administrative access.
Regards,
Mathieu
Original Message:
Sent: Sep 21, 2023 09:21 PM
From: BrettV
Subject: NAS-Port-Type value for FortiGate RADIUS Administration
Hi Airheads,
I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.
I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).
Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.
Has anyone done FortiGate RADIUS Admin and knows what values it sends?
I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.
------------------------------
Regards,
Brett V
------------------------------
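The thread turns on two things: the RFC 2865 rule that an Access-Request SHOULD carry NAS-Port (5) and/or NAS-Port-Type (61), and the ClearPass match conditions Brett wants (Service-Type = Administrative-User(6), NAS-Port-Type = Virtual(5) for admin logins versus Wireless-802.11(19) for Wi-Fi). The script below is an added example, not code from the thread, Fortinet or Aruba: it decodes the attribute list of a RADIUS Access-Request and evaluates those conditions, including the case where neither port attribute is present. The packets are constructed by the script itself, not captures; the FortiGate sample follows only what the thread reports (NAS-Port-Type = 5, no NAS-Port), and Service-Type = 6 in it is an assumption the thread never confirms.

```python
import struct

# RFC 2865 attribute type codes named in the thread
USER_NAME = 1
NAS_PORT = 5
SERVICE_TYPE = 6
NAS_PORT_TYPE = 61
ACCESS_REQUEST = 1

# Enumerations from RFC 2865 sections 5.6 (Service-Type) and 5.41 (NAS-Port-Type)
SERVICE_TYPE_NAMES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
NAS_PORT_TYPE_NAMES = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}


def build_access_request(attrs, identifier=1):
    """Serialise an Access-Request: 20-byte header (Code, Identifier, Length,
    16-byte Request Authenticator) followed by Type/Length/Value attributes.
    The authenticator is a zero placeholder: only attribute decoding is exercised here."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + (b"\x00" * 16) + body


def parse_attributes(packet):
    """Walk the attribute list, enforcing the RFC 2865 length rules.
    Returns (code, [(type, value_bytes), ...]); raises ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 3 or off + alen > length:  # Length counts Type+Length+Value, Value >= 1 octet
            raise ValueError("invalid attribute Length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, attrs


def int_attr(attrs, atype):
    """First occurrence of a 4-octet integer attribute, or None if absent."""
    for t, v in attrs:
        if t == atype:
            if len(v) != 4:
                raise ValueError("integer attribute must be 4 octets")
            return struct.unpack("!I", v)[0]
    return None


def classify(packet):
    """Decode the attributes a service-match rule would look at and evaluate
    the two conditions discussed in the thread."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    nas_port = int_attr(attrs, NAS_PORT)
    port_type = int_attr(attrs, NAS_PORT_TYPE)
    svc = int_attr(attrs, SERVICE_TYPE)
    return {
        "nas_port": nas_port,
        "nas_port_type": NAS_PORT_TYPE_NAMES.get(port_type, port_type),
        "service_type": SERVICE_TYPE_NAMES.get(svc, svc),
        # RFC 2865 5.41: NAS-Port and/or NAS-Port-Type SHOULD be present
        "port_hint_present": nas_port is not None or port_type is not None,
        # admin rule: Service-Type = Administrative-User(6) AND NAS-Port-Type = Virtual(5)
        "matches_admin_rule": svc == 6 and port_type == 5,
        # wireless rule: NAS-Port-Type = Wireless-802.11(19)
        "matches_wireless_rule": port_type == 19,
    }


def u32(n):
    return struct.pack("!I", n)


# Constructed samples, not captures. FORTIGATE_ADMIN mirrors what the thread
# reports for FortiGate admin logins (NAS-Port-Type = 5, no NAS-Port);
# Service-Type = 6 in it is an assumption the thread does not confirm.
FORTIGATE_ADMIN = build_access_request([
    (USER_NAME, b"fwadmin"),
    (SERVICE_TYPE, u32(6)),
    (NAS_PORT_TYPE, u32(5)),
])
WIRELESS_USER = build_access_request([
    (USER_NAME, b"alice"),
    (NAS_PORT, u32(7)),
    (NAS_PORT_TYPE, u32(19)),
])
# An Access-Request carrying neither attribute: deviates from the SHOULD
NO_PORT_HINT = build_access_request([(USER_NAME, b"bob")])

if __name__ == "__main__":
    for name, pkt in [("fortigate_admin", FORTIGATE_ADMIN), ("wireless", WIRELESS_USER), ("no_hint", NO_PORT_HINT)]:
        print(name, classify(pkt))
```

Because the RFC only says SHOULD, a match rule that keys on NAS-Port-Type alone will silently fall through for a NAS that omits both attributes; `port_hint_present` makes that case visible so the service definition can use a different attribute (Service-Type, NAS-IP-Address, or a vendor attribute) as its discriminator instead.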