Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NAS-Port-Type value for FortiGate RADIUS Administration

  • 1.  NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Sep 21, 2023 09:21 PM

    Hi Airheads,

    I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.

    I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).

    Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.

    Has anyone done FortiGate RADIUS Admin and knows what values it sends?

    I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.



    ------------------------------
    Regards,

    Brett V
    ------------------------------


  • 2.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Sep 22, 2023 08:28 AM

    Why not use TACACS Device Admin? FortiGate supports TACACS.




  • 3.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Sep 22, 2023 05:43 PM

    The choice to use RADIUS instead of TACACS was a design decision beyond my control.

    Otherwise I only use RADIUS to manage devices where TACACS isn't available.



    ------------------------------
    Regards,

    Brett V
    ------------------------------



  • 4.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Sep 22, 2023 06:37 PM

    Got it. I’ve set it up before, but I can’t remember the NAS type FortiGate sends. I know it was different from actual wired and wireless clients, though. Can you pcap the RADIUS flow?




  • 5.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Sep 24, 2023 07:45 PM

    I think a pcap is the only way. I am downloading a trial VM to test as I write this. I will report back. Thanks!



    ------------------------------
    Regards,

    Brett V
    ------------------------------



  • 6.  RE: NAS-Port-Type value for FortiGate RADIUS Administration
    Best Answer

    Posted Oct 12, 2023 04:07 AM

    Hi,
    FortiGate is sending Radius:IETF:NAS-Port-Type = 5 for administrative access.

    Regards,

    Mathieu




  • 7.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Dec 06, 2023 07:31 AM

    Thanks Mathieu,

    The firewall was finally configured for RADIUS, and it indeed sends NAS-Port-Type = 5 in the Access-Request message.



    ------------------------------
    Regards,

    Brett V
    ------------------------------



  • 8.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    Posted Dec 06, 2023 07:40 AM

    If anyone cares - the RADIUS RFC states that either the NAS-Port or NAS-Port-Type attributes, or both, should be present. I was surprised that the NAS-Port attribute was missing from the Fortinet packet captures.

    5.41.  NAS-Port-Type

       Description

          This Attribute indicates the type of the physical port of the NAS
          which is authenticating the user.  It can be used instead of or in
          addition to the NAS-Port (5) attribute.  It is only used in
          Access-Request packets.  Either NAS-Port (5) or NAS-Port-Type or
          both SHOULD be present in an Access-Request packet, if the NAS
          differentiates among its ports.

       Type

          61 for NAS-Port-Type.

       Length

          6

       Value

          The Value field is four octets.  "Virtual" refers to a connection
          to the NAS via some transport protocol, instead of through a
          physical port.  For example, if a user telnetted into a NAS to
          authenticate himself as an Outbound-User, the Access-Request might
          include NAS-Port-Type = Virtual as a hint to the RADIUS server
          that the user was not on a physical port.


    ------------------------------
    Regards,

    Brett V
    ------------------------------
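The pcap approach suggested in replies 4 and 5 and the attribute layout quoted in reply 8 come together in the following added example, which is not code from the thread, from FortiGate or from ClearPass. It frames an Access-Request exactly as RFC 2865 describes (code, identifier, length, 16-octet authenticator, then Type/Length/Value attributes), parses it back the way you would read the UDP payload out of a capture, checks the "NAS-Port or NAS-Port-Type SHOULD be present" rule, and applies a match on NAS-Port-Type alone, which is the kind of tightened service condition the original question asked about. It goes beyond the thread in one respect: it also implements the RFC 2865 section 5.2 User-Password hiding so the reader can see what a captured Access-Request actually carries. The sample packet, the shared secret, the user name and password, the NAS identifier and the address 192.0.2.1 are all constructed for the example; the only value the thread confirms is NAS-Port-Type = 5 (Virtual) with NAS-Port absent.

```python
"""Frame and decode a RADIUS Access-Request (RFC 2865) and apply a NAS-Port-Type match.

Added illustration, not code from the thread, FortiGate or ClearPass.  Every value in
demo() is constructed; only NAS-Port-Type = 5 with NAS-Port absent is what the thread reports.
"""
import hashlib
import struct

ACCESS_REQUEST = 1

# IETF attribute numbers from RFC 2865 section 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
PORT_TYPE_NAMES = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}


def _password_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 chaining: block i is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ m for a, m in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]   # ciphertext feeds the next mask
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 octets with NULs, then hide."""
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password; anyone holding the shared secret can do this from a capture."""
    return _password_xor(hidden, secret, authenticator, False).rstrip(b"\x00")


def attr(atype: int, value) -> bytes:
    """Type(1) Length(1) Value; integer attributes are 4 octets, Length counts the header."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad framing."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def get_int(attrs, atype: int):
    """First 4-octet integer value of the given attribute type, or None if absent."""
    for t, v in attrs:
        if t == atype:
            if len(v) != 4:
                raise ValueError("integer attribute with wrong length")
            return struct.unpack("!I", v)[0]
    return None


def port_hint_present(attrs) -> bool:
    """RFC 2865 5.41: NAS-Port or NAS-Port-Type or both SHOULD be in an Access-Request."""
    return any(t in (NAS_PORT, NAS_PORT_TYPE) for t, _ in attrs)


def classify(attrs) -> str:
    """Service match on NAS-Port-Type alone: Virtual(5) for device admin, 19 wireless, 15 wired."""
    return {5: "device-admin", 19: "wireless", 15: "wired"}.get(get_int(attrs, NAS_PORT_TYPE), "other")


def demo() -> dict:
    # Constructed sample (hypothetical secret, credentials, NAS name and address).
    secret, auth = b"example-shared-secret", bytes(range(16))
    pkt = build_access_request(7, auth, [
        (USER_NAME, b"fwadmin"),
        (USER_PASSWORD, hide_password(b"correct-horse-battery", secret, auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
        (NAS_IDENTIFIER, b"fortigate-edge"),
        (NAS_PORT_TYPE, 5),          # what the thread reports: Virtual, no NAS-Port
    ])
    code, _ident, auth_out, attrs = parse_radius(pkt)
    return {
        "code": code,
        "nas_port_type": PORT_TYPE_NAMES.get(get_int(attrs, NAS_PORT_TYPE)),
        "nas_port": get_int(attrs, NAS_PORT),
        "rfc_port_hint": port_hint_present(attrs),
        "service": classify(attrs),
        "password": unhide_password(dict(attrs)[USER_PASSWORD], secret, auth_out),
    }


if __name__ == "__main__":
    print(demo())
```

To use it on a real flow, hand `parse_radius` the UDP payload of a captured Access-Request (UDP port 1812 by default) and read NAS-Port-Type and Service-Type from the returned attribute list before writing the ClearPass rule. Two practical caveats follow from the code: the length checks matter because a NAS that sends an inconsistent Length field should be rejected rather than half-decoded, and `unhide_password` shows why a capture of RADIUS traffic is as sensitive as the shared secret itself, since the MD5-based hiding is reversible by anyone who holds that secret.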



  • 9.  RE: NAS-Port-Type value for FortiGate RADIUS Administration

    EMPLOYEE
    Posted Dec 07, 2023 07:33 AM

    Thanks for sharing this.

    Note that SHOULD in an RFC is a strong recommendation, but it also states that there may be valid reasons to ignore/deviate:

    SHOULD   This word, or the adjective "RECOMMENDED", mean that there
       may exist valid reasons in particular circumstances to ignore a
       particular item, but the full implications must be understood and
       carefully weighed before choosing a different course.
    



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------