Freeradius proxy - Fortigate - Cisco ACS
Hi. We have this setup today. Fortigate FW - running SSL vpn portal, users are authenticated towards a Cisco ACS radius server. We only use one vdom ( virtual firewall) but we have a plan to create a portal to every co companies. So I created two new vdom on the fortigate called, : ompa and tampa and gave them ssl portal. - https://ompa.corp.com and https://tampa.corp.com Both of them use the Cisco ACS to authenticate users, so at this point the same username can login to both SSL portals, this is no good :-( Then I tried to add a fortigate VSA to the Cisco ACS server, so when user pet@ompa.corp.com login to https://tampa.corp.com , ACS server retun "Fortinet-Vdom-Name = ompa" to the fortigate, and I was looking forward to see the ompa portal but i got tampa. So Fortigate just ignore the VSA from the ACS . Fortigate radius impementation seems to be braindead :-( I did some sniffing, and it seems that *fortigate* return Fortinet-Vdom-Name= ompa when you use https://ompa.corp.com, and Fortinet-Vdom-Name= tampa when you use https://tampa.corp.com. So we need to have some checking on the radiusserver, to verify user realm vs what fortigate retuns. Cisco ACS server doesn't support this type of checking. Now I have installed a freeradius and it does proxy towards the ACS from Fortigate FW, but I need some help to configure this checking, could rlm do this stuff? if user pet@ompa.corp.com login to tampa, and Fortigate return Fortinet-Vdom-Name= tampa it should *not* get access, but if it retun Fortinet-Vdom-Name= ompa it should get access. Ole
Ole Bobakke wrote:
Both of them use the Cisco ACS to authenticate users, so at this point the same username can login to both SSL portals, this is no good :-(
Yup.
Then I tried to add a fortigate VSA to the Cisco ACS server, so when user pet@ompa.corp.com <mailto:pet@ompa.corp.com> login to https://tampa.corp.com , ACS server retun "Fortinet-Vdom-Name = ompa" to the fortigate, and I was looking forward to see the ompa portal but i got tampa. So Fortigate just ignore the VSA from the ACS .
Yes. The NAS usually ignores attributes it doesn't understand.
I did some sniffing, and it seems that *fortigate* return Fortinet-Vdom-Name= ompa when you use https://ompa.corp.com, and Fortinet-Vdom-Name= tampa when you use https://tampa.corp.com.
So we need to have some checking on the radiusserver, to verify user realm vs what fortigate retuns. Cisco ACS server doesn't support this type of checking.
All the more reason to use a real RADIUS server. :)
Now I have installed a freeradius and it does proxy towards the ACS from Fortigate FW, but I need some help to configure this checking, could rlm do this stuff?
if user pet@ompa.corp.com <mailto:pet@ompa.corp.com> login to tampa, and Fortigate return Fortinet-Vdom-Name= tampa it should *not* get access, but if it retun Fortinet-Vdom-Name= ompa it should get access.
Simple. Put this in the "authorize" section, after "suffix" if (Fortinet-Vdom-Name && (User-Name !~ /@%{Fortinet-Vdom-Name/)) { reject } Make sure the "if ... {" is all on one line. That should be simple to understand. If the Fortinet-Vdom-Name attribute exists, AND the User-Name entered by the user doesn't have "@", followed by the Fortinet-Vdom-Name, then reject the user. Alan DeKok.
Cool :-) Where you I put this script ? "authorize" section, after "suffix" ? if (Fortinet-Vdom-Name && (User-Name !~ /@%{Fortinet-Vdom-Name/)) { reject } I got perl to run with freeradius, and enabled this modules, do I need to put this in perl script? func_pre_proxy = pre_proxy func_post_proxy = post_proxy
Ole
Ole Bobakke wrote:
Cool :-)
Where you I put this script ?
It's not a script. It's the internal policy language. See "man unlang"
"authorize" section, after "suffix" ?
That's what I said...
if (Fortinet-Vdom-Name && (User-Name !~ /@%{Fortinet-Vdom-Name/)) {
It's ... /@%{Fortinet-Vdom-Name}/ The %{..} is a variable explansion.
reject }
I got perl to run with freeradius, and enabled this modules, do I need to put this in perl script?
No. I didn't say to do that. Alan DeKok.
participants (2)
-
Alan DeKok -
Ole Bobakke