Freeradius proxy - Fortigate - Cisco ACS
Ole Bobakke
olebobakke at gmail.com
Thu Aug 25 19:33:37 CEST 2011
Hi.
We have this setup today.
FortiGate FW - running an SSL VPN portal; users are authenticated towards a
Cisco ACS RADIUS server.
We only use one VDOM (virtual firewall), but we have a plan to create a
portal for every co-company.
So I created two new VDOMs on the FortiGate, called ompa and tampa, and gave
them SSL portals: https://ompa.corp.com and https://tampa.corp.com
Both of them use the Cisco ACS to authenticate users, so at this point the
same username can log in to both SSL portals. This is no good :-(
Then I tried to add a FortiGate VSA to the Cisco ACS server, so when user
pet@ompa.corp.com logs in to https://tampa.corp.com, the ACS server returns
"Fortinet-Vdom-Name = ompa" to the FortiGate, and I was looking forward to
seeing the ompa portal, but I got tampa. So the FortiGate just ignores the VSA from
the ACS.
The FortiGate RADIUS implementation seems to be braindead :-(
I did some sniffing, and it seems that the *FortiGate* returns
Fortinet-Vdom-Name = ompa when you use https://ompa.corp.com, and
Fortinet-Vdom-Name = tampa when you use https://tampa.corp.com.
So we need to have some checking on the RADIUS server to verify the user realm
vs. what the FortiGate returns. The Cisco ACS server doesn't support this type of
checking.
Now I have installed a FreeRADIUS and it proxies towards the ACS from the
FortiGate FW, but I need some help to configure this checking. Could rlm do
this stuff?
If user pet@ompa.corp.com logs in to tampa, and the FortiGate returns
Fortinet-Vdom-Name = tampa, it should *not* get access, but if it returns
Fortinet-Vdom-Name = ompa it should get access.
Ole
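One way to do the realm-vs-VDOM check on the FreeRADIUS proxy, as an added example that is not part of the original post and not a configuration from FreeRADIUS or Fortinet: the `suffix` module (rlm_realm) extracts the realm from the User-Name, and an unlang block in the `authorize` section rejects the request unless the FortiGate's `Fortinet-Vdom-Name` matches that realm, before the proxy stage forwards it to the ACS. The ACS address, shared secret, the `.corp.com` suffix rule and `nostrip` (ACS is assumed to know users as `pet@ompa.corp.com`) are assumptions; `Fortinet-Vdom-Name` itself is defined in the Fortinet dictionary shipped with FreeRADIUS.

```unlang
# /etc/raddb/proxy.conf  (added example; addresses and secret are placeholders)
# The one home server is the Cisco ACS that FreeRADIUS proxies to.
home_server acs {
    type   = auth
    ipaddr = 192.0.2.10      # placeholder: address of the Cisco ACS
    port   = 1812
    secret = CHANGE_ME       # placeholder shared secret with the ACS
}

home_server_pool acs_pool {
    type        = fail-over
    home_server = acs
}

# One realm per VDOM / portal. "nostrip" forwards the full User-Name
# (pet@ompa.corp.com) to the ACS; remove it if the ACS knows users as plain
# "pet" (assumption about how the ACS user database is populated).
realm ompa.corp.com {
    auth_pool = acs_pool
    nostrip
}
realm tampa.corp.com {
    auth_pool = acs_pool
    nostrip
}

# /etc/raddb/sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# Fortinet-Vdom-Name carries the name of the VDOM that received the SSL VPN
# login, as seen in the sniff; it is compared against the realm in User-Name.
authorize {
    preprocess

    # rlm_realm: recognises the "@ompa.corp.com" part of the User-Name,
    # sets Realm = ompa.corp.com and Proxy-To-Realm for a configured realm,
    # and leaves both unset for an unknown or missing realm.
    suffix

    # Fail closed: a request without a known realm or without the VDOM VSA
    # is rejected instead of being proxied to the ACS.
    if (!(Realm && Fortinet-Vdom-Name)) {
        update reply {
            Reply-Message := "Missing realm or VDOM name"
        }
        reject
    }

    # Assumed naming rule: VDOM "ompa" belongs to realm "ompa.corp.com".
    # pet@ompa.corp.com arriving via the tampa portal fails this test.
    if ("%{Fortinet-Vdom-Name}.corp.com" != "%{Realm}") {
        update reply {
            Reply-Message := "User realm does not match VDOM"
        }
        reject
    }

    # Matching request: falls through to the proxy stage and on to the ACS.
}
```

Because proxying happens after `authorize` returns, a `reject` here means the ACS never sees the mismatched request. As written the check rejects every request that lacks `Fortinet-Vdom-Name`, so if other NAS devices also use this FreeRADIUS, give the FortiGate its own virtual server or wrap the two `if` blocks in a `NAS-IP-Address` condition. The syntax is the 2.x unlang of the time; FreeRADIUS 3.x expects attribute references as `&Realm` and `&Fortinet-Vdom-Name`.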