I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.
I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).
Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.
Has anyone done FortiGate RADIUS Admin and knows what values it sends?
I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.
Why not use TACACS Device Admin? FortiGate supports TACACS.
The choice to use RADIUS instead of TACACS was a design decision beyond my control.
Otherwise I only use RADIUS to manage devices where TACACS isn't available.
I think a pcap is the only way. I am downloading a trial VM to test as I write this. I will report back. Thanks!
Hi, Fortigate is sending Radius:IETF:NAS-Port-Type = 5 for administrative access. Regards,
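Added example, not part of any post in this thread: a small Python parser that reads the attribute list of a RADIUS Access-Request and reports NAS-Port-Type (attribute 61) and Service-Type (attribute 6) separately, which is the check a packet capture would be used for here. The sample packet is constructed for illustration and carries only User-Name and the NAS-Port-Type value 5 reported above; the function names are hypothetical.

```python
import struct

# Attribute numbers and value names from RFC 2865.
SERVICE_TYPE, NAS_PORT_TYPE = 6, 61
NAS_PORT_TYPES = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:  # a_len includes the 2-byte header
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def admin_match_fields(packet: bytes) -> dict:
    """Extract the two attributes a service rule could match on."""
    out = {"NAS-Port-Type": None, "Service-Type": None}
    for a_type, value in parse_attributes(packet):
        if a_type in (NAS_PORT_TYPE, SERVICE_TYPE) and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            if a_type == NAS_PORT_TYPE:
                out["NAS-Port-Type"] = (number, NAS_PORT_TYPES.get(number, "other"))
            else:
                out["Service-Type"] = (number, SERVICE_TYPES.get(number, "other"))
    return out


def build_sample() -> bytes:
    """Constructed Access-Request (not a real capture): User-Name + NAS-Port-Type 5."""
    attrs = bytes([1, 7]) + b"admin" + bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", 5)
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print(admin_match_fields(build_sample()))
```

To use it on real traffic, pass the UDP payload of an Access-Request taken from a capture of the RADIUS authentication port instead of `build_sample()`.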