This article describes how to configure RADSEC between FortiAuthenticator and FortiGate. The same steps apply when another, non-Fortinet RADIUS client is used.
- A RADSEC web server certificate is created on FortiAuthenticator, or imported if it is a public certificate signed by another authority.
- The root CA certificate that issued the RADSEC certificate is created on FortiAuthenticator (if FortiAuthenticator is used as the CA) or imported into the trusted root store of FortiAuthenticator if a public certificate is used.
- The RADSEC web server certificate is selected in the RADSEC service settings of FortiAuthenticator, and the RADSEC service is enabled on the interface.
- The root CA certificate (the issuer of the RADSEC web server certificate) is imported on the FortiGate (the RADSEC client) as a remote CA certificate.
- The RADSEC client is configured.
Scope
FortiAuthenticator, FortiGate, RADSEC.
Solution
Configuration on FortiAuthenticator.
Create a root CA certificate, which will be the issuer of the RADSEC web server certificate:
Create a RADSEC web server certificate and make sure it is issued by the CA certificate created above.
Note: The common name used on the web server certificate (‘radsecweb.com’ in this example) must resolve to the FortiAuthenticator IP, that is, the RADIUS server IP.
Configure the RADIUS client on FortiAuthenticator. Enter a name for the client, its IP address and the shared secret:
Assign the RADSEC web server certificate to the RADIUS service.
Enable the RADSEC service on the interface of FortiAuthenticator.
Configuration on FortiGate.
Import the RADSEC root CA certificate into the trusted root store of FortiGate. This is required for the FortiGate, acting as RADSEC client, to trust the RADSEC web server certificate.
Configure the RADIUS client:
config user radius
    edit <name>
        set server {CN of the RADSEC web server certificate}
        set secret {secret shared between server and client}
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
        set server-identity-check {enable | disable}
    next
end
Note:
- The server entry must be the CN that was used on the RADSEC web server certificate.
- FortiGate must be able to resolve that server name to the IP of the RADIUS server.
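The notes above amount to a short checklist for the RADSEC client entry. The following Python script, added here as an example and not Fortinet code, parses a pasted FortiOS `config user radius` entry and reports every setting that contradicts the article: a transport other than `tls`, no `ca-cert`, an identity check that is not enabled, a server given as an IP instead of the certificate CN, and a minimum TLS version below TLSv1-2. The two sample entries are constructed; `RADSEC_ROOT_CA` and `SECRET_PLACEHOLDER` are placeholder values.

```python
import ipaddress
import re

# Added example, not Fortinet code: lint one FortiOS "config user radius" entry
# against the RADSEC requirements this article describes. The two sample entries
# are constructed; "RADSEC_ROOT_CA" and "SECRET_PLACEHOLDER" are placeholder values.

# FortiOS tls-min-proto-version keywords, weakest first.
TLS_VERSIONS = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2"]

# One "set <key> <value>" line; surrounding double quotes are stripped from the value.
SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*?)"?\s*$')

WEAK_ENTRY = """\
config user radius
    edit "FAC-RADSEC"
        set server "10.20.20.1"
        set secret SECRET_PLACEHOLDER
        set transport-protocol udp
        set tls-min-proto-version TLSv1
        set server-identity-check disable
    next
end
"""

HARDENED_ENTRY = """\
config user radius
    edit "FAC-RADSEC"
        set server "fac.fortil.lab"
        set secret SECRET_PLACEHOLDER
        set transport-protocol tls
        set ca-cert "RADSEC_ROOT_CA"
        set tls-min-proto-version TLSv1-2
        set server-identity-check enable
    next
end
"""


def parse_radius_entry(text):
    """Return {setting: value} for the 'set' lines of one edit block."""
    settings = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint_radsec(settings):
    """Return a list of findings; an empty list means the entry follows the article."""
    findings = []
    if settings.get("transport-protocol") != "tls":
        findings.append("transport-protocol is not tls: RADIUS would leave the FortiGate without TLS")
    if not settings.get("ca-cert"):
        findings.append("ca-cert is unset: the imported root CA is not used to validate the server chain")
    if settings.get("server-identity-check") != "enable":
        findings.append("server-identity-check is not explicitly enabled: the certificate CN is not matched against 'server'")
    server = settings.get("server", "")
    try:
        ipaddress.ip_address(server)
        findings.append("server is an IP address: use the certificate CN so the identity check can match")
    except ValueError:
        pass  # a hostname, as the article requires
    ver = settings.get("tls-min-proto-version", "default")
    if ver in TLS_VERSIONS and TLS_VERSIONS.index(ver) < TLS_VERSIONS.index("TLSv1-2"):
        findings.append(f"tls-min-proto-version {ver} permits deprecated TLS versions")
    return findings


if __name__ == "__main__":
    for label, entry in (("weak", WEAK_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(label, lint_radsec(parse_radius_entry(entry)) or ["no findings"])
```

Run against the output of `show user radius` on the FortiGate; the hardened sample produces no findings, the weak one lists five.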
Check the RADSEC status from the GUI:
For more detail, enable fnbamd debug to follow the RADIUS authentication that is triggered when client traffic requests access to external networks through a firewall policy requiring user authentication:
FGT_CLI# diagnose debug application fnbamd -1
FGT_CLI# diagnose debug enable
Debug output:
[1738] handle_req-Rcvd auth req 57359430307841 for test01 in opt=0500000d prot=0 svc=7
[332] __compose_group_list_from_req-Group '', type 1
[507] create_auth_session-Session created for req id 57359430307841
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[347] fnbamd_rad_new-fac.fortil.lab
[140] __init_rad_setting-Preping auth servers.
[123] __rad_server_push-Inserted rad server 'fac.fortil.lab'.
[357] fnbamd_rad_new-fac.fortil.lab created
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1738] fnbamd_create_ssl_ctx-SSL CTX is created.
[282] __rad_create_ssl_ctx-SSL CTX is created for rad server fac.fortil.lab.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x39 'fac.fortil.lab'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2039 'fac.fortil.lab'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1113] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[744] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x39
[309] fnbamd_dns_parse_resp-req 0x39: 10.20.20.1
[1066] __fnbamd_rad_dns_cb-Resolved fac.fortil.lab:fac.fortil.lab to 10.20.20.1, cur stack size:-1
[1025] __auth_ctx_svr_push-Added addr 10.20.20.1:2083 from rad 'fac.fortil.lab'
[853] __fnbamd_rad_get_next_addr-Next available address of rad 'fac.fortil.lab': 10.20.20.1:2083.
[1043] __auth_ctx_start-Connection starts fac.fortil.lab:fac.fortil.lab, addr 10.20.20.1:2083 proto: TCP over TLS
[471] __rad_tcps_open-vfid 0, addr 10.20.20.1, src_ip , ssl_opt 1284
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.20.20.1:2083, source address is null, protocol number is 6, oif id is 0
[491] __rad_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[504] __rad_tcps_open-Server identity check is enabled.
[520] __rad_tcps_open-Still connecting 10.20.20.1.
[536] __rad_tcps_open-Start rad conn timer.
[868] __rad_conn_start-Socket 9 is created for rad 'fac.fortil.lab'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2039
[35] __fnbamd_dns_req_del-DNS req 0x39 (0xec567b8) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[269] fnbamd_dns_parse_resp-req 0x0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[1066] __fnbamd_rad_dns_cb-Resolved fac.fortil.lab:fac.fortil.lab to ::, cur stack size:0
[1031] __auth_ctx_svr_push-Failed to add addr fac.fortil.lab from rad 'fac.fortil.lab'
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/O=RADSECCA/OU=RADSECCA/CN=RADSECCA'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/O=Fortinet/OU=Fortinet/CN=fac.fortil.lab'
[439] __rad_tcps_connect-tcps_connect(10.20.20.1) is established.
[765] __rad_rxtx-fd 9, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[774] __rad_rxtx-
[606] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
[589] __create_access_request-Created RADIUS Access-Request. Len: 104.
[597] __rad_tcps_send-Sent 104/104.
[599] __rad_tcps_send-Sent all. Total 104.
[796] __rad_rxtx-Sent radius req to server 'fac.fortil.lab': fd=9, IP=fac.fortil.lab(10.20.20.1:2083) code=1 id=79 len=104
[805] __rad_rxtx-Start rad conn timer.
[765] __rad_rxtx-fd 9, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[808] __rad_rxtx-
[635] __rad_tcps_recv-Rcvd 20.
[641] __rad_tcps_recv-Expected 20 bytes.
[651] __rad_tcps_recv-Received all. Total 20.
[1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
[951] __rad_error-Ret 1, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot ??
[1000] __rad_error-
[546] __rad_tcps_close-closed.
[887] __rad_conn_stop-Stop rad conn timer.
[1262] fnbamd_rad_process-Result from radius svr 'fac.fortil.lab' is 1, req 57359430307841
[1451] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 57359430307841, len=6708
[599] destroy_auth_session-delete session 57359430307841
[1260] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'fac.fortil.lab' ctx
[1132] fnbamd_rad_auth_ctx_uninit-
[892] __rad_stop-
[887] __rad_conn_stop-Stop rad conn timer.
[721] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing fac.fortil.lab, ref:1
[41] __rad_server_free-Freeing fac.fortil.lab, ref:2
[369] fnbamd_rad_free-Freed
[41] __rad_server_free-Freeing fac.fortil.lab, ref:1
[519] fnbamd_rad_auth_ctx_free-
[1263] fnbamd_rads_destroy-
[1830] fnbamd_ldaps_destroy-
[1019] fnbamd_tacs_destroy-
[889] fnbamd_pop3s_destroy-
[1068] fnbamd_ext_idps_destroy-
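The fnbamd trace above carries the facts that matter for RADSEC troubleshooting: the CN resolved to 10.20.20.1, the connection is TCP over TLS on port 2083, the server identity check is on, both certificates in the chain passed verification, the TLS session was established, an Access-Request (code 1) was sent, and the server answered with RADIUS code 3, which is Access-Reject per RFC 2865. In other words, in this capture the transport and the trust chain are working and only the authentication itself was refused. The following Python script, added here as an example and not Fortinet code, pulls exactly those facts out of such a trace and turns them into verdicts; the sample lines are a subset of the article's own output, and the line format it expects (`[line] function-message`) is taken from that output.

```python
import re

# Added example, not Fortinet code: summarise a FortiGate
# "diagnose debug application fnbamd -1" trace of a RADSEC authentication.
# SAMPLE_TRACE is a subset of the trace shown in this article.
SAMPLE_TRACE = """\
[1043] __auth_ctx_start-Connection starts fac.fortil.lab:fac.fortil.lab, addr 10.20.20.1:2083 proto: TCP over TLS
[504] __rad_tcps_open-Server identity check is enabled.
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/O=RADSECCA/OU=RADSECCA/CN=RADSECCA'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/O=Fortinet/OU=Fortinet/CN=fac.fortil.lab'
[439] __rad_tcps_connect-tcps_connect(10.20.20.1) is established.
[796] __rad_rxtx-Sent radius req to server 'fac.fortil.lab': fd=9, IP=fac.fortil.lab(10.20.20.1:2083) code=1 id=79 len=104
[1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
[1262] fnbamd_rad_process-Result from radius svr 'fac.fortil.lab' is 1, req 57359430307841
"""

# RADIUS packet codes, RFC 2865 section 3 (and 11 for Access-Challenge).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# "[<source line>] <function>-<message>", as fnbamd prints it.
LINE_RE = re.compile(r"^\[\d+\]\s+(\S+?)-(.*)$")


def parse_trace(text):
    """Extract the RADSEC-relevant facts from an fnbamd trace."""
    summary = {
        "server": None, "addr": None, "proto": None, "identity_check": False,
        "chain": [],  # (depth, subject, verified_ok) in the order the callback ran
        "tls_established": False, "request_id": None, "response_code": None, "response": None,
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, msg = m.groups()
        if func == "__auth_ctx_start":
            mm = re.search(r"Connection starts (\S+?):\S+, addr (\S+) proto: (.*)$", msg)
            if mm:
                summary["server"], summary["addr"], summary["proto"] = mm.groups()
        elif func == "__rad_tcps_open" and "identity check is enabled" in msg:
            summary["identity_check"] = True
        elif func == "__verify_cb":
            mm = re.search(r"Cert preverify (\w+)\. Depth (\d+)\. Subject '([^']*)'", msg)
            if mm:
                summary["chain"].append((int(mm.group(2)), mm.group(3), mm.group(1) == "ok"))
        elif func == "__rad_tcps_connect" and "is established" in msg:
            summary["tls_established"] = True
        elif func == "__rad_rxtx" and "Sent radius req" in msg:
            mm = re.search(r"code=(\d+) id=(\d+)", msg)
            if mm:
                summary["request_id"] = int(mm.group(2))
        elif func == "fnbamd_rad_validate_pkt":
            mm = re.search(r"RADIUS resp code (\d+)", msg)
            if mm:
                code = int(mm.group(1))
                summary["response_code"] = code
                summary["response"] = RADIUS_CODES.get(code, f"code {code}")
    return summary


def diagnose(summary):
    """Turn the parsed facts into troubleshooting verdicts."""
    verdicts = []
    if summary["proto"] != "TCP over TLS":
        verdicts.append("connection is not TCP over TLS: transport-protocol is not tls")
    if not summary["identity_check"]:
        verdicts.append("server identity check is off: the server certificate CN is not verified")
    failed = [subject for _, subject, ok in summary["chain"] if not ok]
    if failed:
        verdicts.append("certificate verification failed for: " + ", ".join(failed))
    if not summary["tls_established"]:
        verdicts.append("TLS session never established: check DNS for the CN, reachability of port 2083 and the CA trust")
    elif summary["response"] == "Access-Accept":
        verdicts.append("Access-Accept received: RADSEC transport and authentication both succeeded")
    elif summary["response"] == "Access-Reject":
        verdicts.append("Access-Reject received: TLS transport and trust worked, the server refused the credentials at the RADIUS layer")
    elif summary["response"] is None:
        verdicts.append("no RADIUS reply seen: the TLS session was established but the server did not answer")
    return verdicts


if __name__ == "__main__":
    facts = parse_trace(SAMPLE_TRACE)
    for key, value in facts.items():
        print(f"{key}: {value}")
    for verdict in diagnose(facts):
        print("->", verdict)
```

Paste a full trace into `parse_trace` (or read it from a file) after reproducing the login; the verdict for the article's capture is the Access-Reject one, which points at the user or policy on FortiAuthenticator rather than at certificates, DNS or port 2083.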