A co-worker of mine a bit ago setup a Radius server for all of our small branch offices. The idea was a central Radius server for internal wireless authentication at all branches, each with a smaller Fortigate firewall appliance. Each Fortinet appliance would act as the Radius client, initiating a connection to the central Radius server in a COLO.

Each site leveraged the public internet to create IPSEC tunnels back to a VPN concentrator in the COLO facility. There were no leased private lines, all internal connectivity to the rest of the corporate network was through dual site to site VPN tunnels.

After confirming the Radius server worked locally in the COLO, we took one of the branch firewalls and setup the Radius client. For a simple Radius client setup in a Fortinet appliance there’s not much to it. Add the IP of the Radius server (or IPs for primary and secondary servers) and then enter the Radius key for authentication. Once the Radius client configuration is entered, you then just need to make sure a policy is allowing the branch internal network to reach the Radius server on TCP and UDP ports 1812 and 1813. This is assuming the IPSEC tunnel and proper routing is available to reach the subnet the Radius server resides on.

We configured the client and tried testing the connectivity, but for some reason we found the Fortinet appliance (Radius client) could not connect to the Radius server on the proper ports. We could confirm from the internal side of the firewall, a PC for instance, could reach the Radius server properly, but just not the firewall. After running a packet capture on all interfaces with a host address of the Radius server IP, we discovered that the firewall was in fact attempting to reach the server, but only out its management interface, not the internal interface/subnet we wanted it to. After looking into the CLI we found an option within the Radius server configuration to specify a source IP address/interface.

Commands from Above
config user radius
edit <Radius Client Name>
show full

What we discovered was that in Forti-OS world when specifying a target on the appliance that is not part of a directly connected subnet, the operator often times needs to specify an interface to use for reaching the destination. This appears to be true for some other functions on Fortinet firewalls as well, such as LDAP. If an LDAP server is specified on the firewall but is not within a directly connected network, chances are the operator will need to specify what interface to use for reaching that LDAP server. In our example with the appliance reaching the Radius server, we needed to specify the IP address assigned to the internal interface that is associated with a subnet already capable of reaching the Radius server subnet. After entering the source-ip we immediately were able to connect the Radius client to the Radius server over our IPSEC tunnel.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s