


MAG2600 UAC with Fortigate FW


jbrunk
Contributor (11)
Jun 5, 2015 8:02pm

Hello everyone,

My RADIUS device is a MAG2600 (UAC) and my firewall is a Fortigate 100D. I am having a hard time getting RADIUS set up for admin login into the FW itself.

I know my issue is more so on the MAG2600 and the VSA dct file I have to manually configure.

This is what Fortinet provides, which doesn't work at all.

VENDOR Fortinet 12356
BEGIN-VENDOR Fortinet
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
#
# Integer Translations
#
END-VENDOR Fortinet

This is what I created, and it seems to be half working, as I am now able to see these options under the Radius attributes section.

@radius.dct

#
# Fortinet specific parameters
#

MACRO Fortinet-VSA(t,s) 26 [vid=12356 type1=%t% len1=+2 data=%s%]

ATTRIBUTE Fortinet-Group-Name Fortinet-VSA(1, string) r (This is the one I have set up on the Fortigate)
ATTRIBUTE Fortinet-Client-IP-Address Fortinet-VSA(2, ipaddr) r
ATTRIBUTE Fortinet-Vdom-Name Fortinet-VSA(3, string) r
ATTRIBUTE Fortinet-Client-IPv6-Address Fortinet-VSA(4, octets) r
ATTRIBUTE Fortinet-Interface-Name Fortinet-VSA(5, string) r
ATTRIBUTE Fortinet-Access-Profile Fortinet-VSA(6, string) r

I guess my biggest question is: has anyone been able to get this to work? If so, do they have a config for the MAG and Fortigate they can share with me?

Thanks.




cbrauckmiller
Contributor (1)
Aug 2, 2015 9:07am
Thanks for your question.

The issue here is that the file that your FW vendor provided is in the FreeRADIUS dictionary format.

PPS and Steel-Belted Radius do not use this format; rather, they use the Livingston dictionary format.

One thing you can do is download one of the included dictionaries from the MAG device and then use that as a template for your Fortigate dictionary.

If you have difficulties doing this, you can always contact our support team and they can help you convert the dictionary.

Good luck,

Craig
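
Added example, not part of either post and not Pulse Secure or Fortinet code: a small Python converter that reads the FreeRADIUS-style dictionary quoted in the question and emits MACRO/ATTRIBUTE lines in the shape of the poster's .dct excerpt. The function name `convert` and the default `r` flag are choices made here, and the output shape is copied from that excerpt rather than verified against PPS; compare it with a dictionary downloaded from the MAG before importing.

```python
# Constructed sample input: the FreeRADIUS-style dictionary quoted in the first post.
FREERADIUS_DICT = """\
VENDOR Fortinet 12356
BEGIN-VENDOR Fortinet
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
#
# Integer Translations
#
END-VENDOR Fortinet
"""

def convert(text, flags="r"):
    """Convert VENDOR/ATTRIBUTE entries into .dct lines shaped like the first post's excerpt."""
    vendors = {}    # vendor name -> IANA enterprise number
    current = None  # vendor whose BEGIN-VENDOR block we are inside
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = int(fields[2])
        elif keyword == "BEGIN-VENDOR" and len(fields) == 2:
            if fields[1] not in vendors:
                raise ValueError(f"line {lineno}: BEGIN-VENDOR before VENDOR")
            current = fields[1]
            # Attribute 26 is Vendor-Specific; len1=+2 covers the 2-byte type/len header.
            out.append(f"MACRO {current}-VSA(t,s) 26 "
                       f"[vid={vendors[current]} type1=%t% len1=+2 data=%s%]")
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, code, typ = fields[1], int(fields[2]), fields[3]
            if current is None or not 1 <= code <= 255:
                raise ValueError(f"line {lineno}: not a one-byte vendor sub-attribute")
            out.append(f"ATTRIBUTE {name} {current}-VSA({code}, {typ}) {flags}")
        else:
            raise ValueError(f"line {lineno}: unsupported entry: {raw!r}")
    return out

if __name__ == "__main__":
    print("\n".join(convert(FREERADIUS_DICT)))
```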