Administration Guide

RADIUS service

Before FortiAuthenticator can accept RADIUS authentication requests from a FortiGate unit, the FortiGate unit must be registered as an authentication client on FortiAuthenticator.

The FortiAuthenticator RADIUS AAA (authentication, authorization, and accounting) server is already configured and running with default values. Each user account on FortiAuthenticator has an option to authenticate the user using the RADIUS database.

Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one for the client change, and one to state that the RADIUS server was restarted to apply the change.

The FortiAuthenticator unit allows both RADIUS and remote authentication for RADIUS authentication client entries. If you want to use a remote server, you must configure it first so that you can select it in the RADIUS authentication client configuration; see Remote authentication servers. You can configure the built-in LDAP server before or after creating client entries; see LDAP service.

For VM appliances, the ratio for RADIUS clients is "number of max users / 3".

The number of RADIUS profiles is "number of max users x 2", because each RADIUS client might need more than one profile.

See the Maximum values table included in the latest FortiAuthenticator Release Notes for more details.

Clients

RADIUS accounting clients can be managed from Authentication > RADIUS Service > Clients.

Clients can be added, imported, deleted, edited, and cloned as needed.

To configure a RADIUS accounting client:
  1. From the RADIUS client list, select Create New to add a new RADIUS client. The Add RADIUS client window opens.
  2. Enter the following information:
    Subnets and IP ranges can be defined in the Client address field. All authentication clients within a defined subnet/IP range will share the same configuration and secret. For example, 192.168.0.0/24 would allow all 255 IP addresses to authenticate.

    This feature saves time, as the entry only takes up a single client entry in the license table.

    Name: A name to identify the FortiGate unit.
    Client address: The IP/Hostname, Subnet, or Range of the unit.
    Secret: The RADIUS passphrase that the FortiGate unit will use.
    First profile name: Enter the profile name of this RADIUS client.
    Description: Optionally, enter information about the FortiGate unit.
    Apply this profile based on RADIUS attributes: Enable and apply RADIUS attributes to match to this RADIUS profile from the FortiAuthenticator device's list of vendors in RADIUS Service > Custom Dictionaries.
    EAP types: Select the 802.1X EAP authentication types to accept. If you require mutual authentication, select EAP-TLS.

    Device Authentication

    To allow 802.1X authentication for non-interactive devices, FortiAuthenticator can identify and bypass authentication for a device based on its MAC address.

    This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. Enter these units in Authentication > User Management > MAC Devices.

    MAC Authentication Bypass (MAB)

    Configure MAB for certain devices, so long as their MAC addresses appear in the User-Name, User-Password, and Calling-Station-ID attributes.

    Define the authorized groups for this feature. Note that authorized groups must be first created under Authentication > User Management > User Groups, where Type must be set to MAC, and MAC devices are selected for MAC address authorization.

    In addition, you can optionally require the Call-Check attribute for MAC-based authentication too.

    AD machine authentication

    Configure AD machine authentication. Note that full access requires AD authentication of both the end point machine and user.

    In addition, you can optionally override group membership when specific user groups are machine or user authenticated.

    MAC device filtering

    Configure MAC device filtering. Define MAC address attributes, authorized groups, and action to take for unauthorized devices. The MAC address attribute indicates which RADIUS attribute to extract the MAC address from.

    MAC device filtering can be enabled for any RADIUS authentication, including Guest Portal authentication. However, when used for Guest Portals, the FortiAuthenticator needs to know which HTTP parameter to extract the MAC address from. You can enter the MAC device HTTP parameter under Authentication > Guest Portals > Portals.

    User Authentication

    Select one of the following:

    • Enforce two-factor authentication
    • Apply two-factor authentication if available (authenticate any user)
    • Password-only authentication (exclude users without a password)
    • FortiToken-only authentication (exclude users without a FortiToken)

    Enable FortiToken Mobile push notifications authentication

    Toggle on/off FTM Push notifications for RADIUS users. This setting is only controlled here on a per RADIUS client basis, not for specific users.

    Username input format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.
    • Select whether or not to allow local users to override remote users for the selected realm.
    • Select whether or not to use Windows AD domain authentication.
    • Edit the group filter as needed. That is, filter users based on the groups they are in.
    • If necessary, add more realms to the list.
    • Select the realm that will be the default realm for this client.
  3. Select OK to add the new RADIUS client.

    If authentication is failing, check that the authentication client is configured and that its IP address is correctly specified. Common causes of problems are:

    • RADIUS packets sent from an unexpected interface, or IP address.
    • NAT performed between the authentication client and FortiAuthenticator.

MAC authentication bypass

The existing MAC authentication bypass (MAB) feature (under Authentication > RADIUS Service > Clients) supports returning Access-Accept with different RADIUS attributes for unauthorized devices, and also supports explicitly blocking pre-defined groups of devices.

Profiles are applied in descending order based on matching RADIUS attributes. If the profile has no attributes to match, that profile will always be applied before any that follow.

When processing MAB for an authorized device associated with a user, the FortiAuthenticator returns the RADIUS attributes of the authorized device group(s) of which the device is a member as well as the RADIUS attributes from the group memberships of the associated user (if any). Additionally, any RADIUS attributes assigned directly to the associated user are returned.

Challenge message to support FortiToken Mobile Push for VPN clients

There are two Reply-Messages that the FortiAuthenticator can send to the FortiGate in the RADIUS ACCESS CHALLENGE messages. Each message is prefixed by an uneditable string followed by an editable string (i.e. replacement message in FortiAuthenticator):

  1. If push is not available, FortiAuthenticator will send Prefix: “” followed by Default Replaceable String: “Enter Token Code”. For example: "Enter Token Code".
  2. If push is available, FortiAuthenticator will send Prefix: “+” followed by Default Replaceable String: “Choose FTM Push or Enter Token Code”. For example: " + Choose FTM Push or Enter Token Code".

Client profile attributes

FortiAuthenticator supports a single authentication profile for each RADIUS Auth Client. Because of this, authentication requirements (for example IPSec/SSLVPN, Web Filtering Override, Wireless Authentication, and so on) require different profiles, as RADIUS authentication requests originate from the same IP address. To distinguish the authentication requirements, you can add attributes to them.

Attributes (which can be added to authentication requirements) indicate the type of service the user has requested, or the type of service that is provided.

Each FortiAuthenticator authentication client profile can contain up to two RADIUS attributes.

To match a profile, all attributes specified in that profile must match. If they do not, processing falls through to the next profile (profiles are processed in top-down order).

The profiles created can be re-arranged in terms of priority. FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each profile, starting with the highest-priority profile, and moves down the list until it finds a match. FortiAuthenticator uses the first profile that it matches.
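The first-match evaluation described here and under MAC authentication bypass, modeled as an added example (not FortiAuthenticator code). Profile names and attribute values are constructed, and the model assumes exact string equality on attribute values; it also reports profiles that can never be selected because an earlier profile with no attributes, or with a subset of their attributes, always matches first.

```python
from dataclasses import dataclass, field

MAX_ATTRS = 2  # the guide: a profile can contain up to two RADIUS attributes


@dataclass
class Profile:
    name: str
    # attribute name -> required value; an empty dict means "no attributes to match"
    match: dict = field(default_factory=dict)

    def __post_init__(self):
        if len(self.match) > MAX_ATTRS:
            raise ValueError(f"{self.name}: more than {MAX_ATTRS} attributes")

    def matches(self, request: dict) -> bool:
        # Every specified attribute must match; an empty set always matches.
        return all(request.get(k) == v for k, v in self.match.items())


def select_profile(profiles, request):
    """Return the name of the first profile, top-down, that matches the request."""
    for profile in profiles:
        if profile.matches(request):
            return profile.name
    return None


def shadowed_profiles(profiles):
    """Return (shadowed, shadowed_by) pairs for profiles that can never be chosen.

    A later profile is unreachable when an earlier profile's conditions are a
    subset of its own: any request matching the later one matches the earlier
    one first.
    """
    findings = []
    for i, later in enumerate(profiles):
        for earlier in profiles[:i]:
            if earlier.match.items() <= later.match.items():
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed profile list: one client IP carrying VPN and wireless requests.
PROFILES = [
    Profile("vpn-2fa", {"NAS-Port-Type": "Virtual", "NAS-Identifier": "fgt-vpn"}),
    Profile("catch-all"),  # no attributes: matches every request
    Profile("wifi-8021x", {"NAS-Port-Type": "Wireless-802.11"}),
]

if __name__ == "__main__":
    print(select_profile(PROFILES, {"NAS-Port-Type": "Wireless-802.11"}))
    print(shadowed_profiles(PROFILES))
```

In this ordering the wireless request is handled by the catch-all profile, so any stricter settings on the wireless profile are never applied; moving the attribute-less profile to the bottom of the list removes the finding.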

Importing authentication clients

Authentication client information can be imported as a CSV file by selecting Import from the RADIUS client list.

The CSV file has one record per line, with the record format: client name (maximum of 32 characters), FQDN or IP address (maximum of 128 characters), secret (optional, maximum of 63 characters).
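A pre-import check for the record format above, as an added example (not a Fortinet tool). The field maxima come from this guide; the minimum secret length, the reuse check, and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Field maxima from the guide; MIN_SECRET is an assumed local policy, not a product limit.
MAX_NAME, MAX_ADDR, MAX_SECRET, MIN_SECRET = 32, 128, 63, 16
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def valid_address(value):
    """True for an IP address or a syntactically valid FQDN/hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))


def lint_client_csv(text):
    """Return sorted (line, message) findings for a client import file."""
    findings, names, by_secret = [], set(), defaultdict(list)
    for line, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) not in (2, 3):
            findings.append((line, "expected name,address[,secret]"))
            continue
        name, addr = row[0].strip(), row[1].strip()
        secret = row[2] if len(row) == 3 else ""
        if not name or len(name) > MAX_NAME:
            findings.append((line, "name empty or over 32 characters"))
        if name in names:
            findings.append((line, "duplicate client name"))
        names.add(name)
        if len(addr) > MAX_ADDR or not valid_address(addr):
            findings.append((line, "address is not an IP or FQDN within 128 characters"))
        if not secret:
            findings.append((line, "no secret in record"))
        elif len(secret) > MAX_SECRET:
            findings.append((line, "secret over 63 characters"))
        else:
            if len(secret) < MIN_SECRET:
                findings.append((line, "secret shorter than assumed 16-character policy"))
            by_secret[secret].append(line)
    # Clients sharing one secret: compromise of one device exposes the others.
    for lines in by_secret.values():
        if len(lines) > 1:
            for line in lines:
                findings.append((line, "secret reused on lines " + ",".join(map(str, lines))))
    return sorted(findings)


# Constructed sample records (names, addresses and secrets are not real).
SAMPLE = """\
fgt-branch-01,192.0.2.10,Xk7pQ2mVt9LrB4wZ8sNd
fgt-branch-02,fgt2.example.net,Xk7pQ2mVt9LrB4wZ8sNd
fgt-lab,192.0.2.300,short
this-client-name-is-longer-than-32-chars,192.0.2.11
"""

if __name__ == "__main__":
    for line, message in lint_client_csv(SAMPLE):
        print(f"line {line}: {message}")
```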

Extensible Authentication Protocol

FortiAuthenticator supports several IEEE 802.1X Extensible Authentication Protocol (EAP) methods. EAP settings can be configured from Authentication > RADIUS Service > EAP. See Extensible Authentication Protocol for more information.

Services

You can optionally change the RADIUS authentication, accounting SSO, and accounting monitor ports under Authentication > RADIUS Service > Services.

By default, the ports are set to:

  • RADIUS authentication port: 1812
  • RADIUS accounting SSO port: 1813
  • RADIUS accounting monitor port: 1646

When upgrading from a firmware version prior to 5.0 with the Enable RADIUS Accounting SSO clients option enabled under Fortinet SSO Methods > SSO > General, both the SSO accounting port and the usage monitoring accounting port should remain at their default values (1813 and 1646 respectively) in order to avoid service disruption.

Custom dictionaries

The custom dictionary list enables you to view built-in vendors and their RADIUS attributes, and create new customized entries.

Go to Authentication > RADIUS Service > Custom Dictionaries to view the list.

Some services can receive information about an authenticated user through RADIUS vendor-specific attributes. FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.

Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IP-Address specifies the VPN tunnel IP address sent to the user by the Fortinet SSL VPN.

Attributes in user groups can specify more general information, applicable to the whole group. For example, specifying third-party vendor attributes to a switch could enable administrative level login to all members of the Network_Admins group, or authorize the user to the correct privilege level on the system.

To create a new custom RADIUS attribute vendor, open the Custom Vendors view and select Create New where you are prompted to upload a RADIUS dictionary file.

To add RADIUS attributes to a user or group:
  1. Go to Authentication > User Management > Local Users and select a user account to edit, or go to Authentication > User Management > User Groups and select a group to edit.
  2. In the RADIUS Attributes section, select Add Attribute. The Create New User Group RADIUS Attribute or Create New User RADIUS Attribute window opens.
  3. Select the appropriate Vendor and Attribute ID, then enter the attribute’s value in the Value field.
  4. Select OK to add the new attribute to the user or group.
  5. Repeat the above steps to add additional attributes as needed.
