The FortiAuthenticator RADIUS AAA (authentication, authorization, and accounting) server is already configured and running with default values. Each user account on FortiAuthenticator has an option to authenticate the user using the RADIUS database.
Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one for the client change, and one to state that the RADIUS server was restarted to apply the change.
FortiAuthenticator unit allows both RADIUS and remote authentication for RADIUS authentication client entries. If you want to use a remote server, you must configure it first so that you can be select it in the RADIUS authentication client configuration, see Remote authentication servers. You can configure the built-in LDAP server before or after creating client entries, see LDAP service.
For VM appliances, the ratio for RADIUS clients is "number of max users / 3".
The number of RADIUS profiles is "number of max users x 2", because each RADIUS client might need more than one profile.
See the Maximum values table included in the latest FortiAuthenticator Release Notes for more details.
RADIUS accounting client can be managed from Authentication > RADIUS Service > Clients.
Clients can be added, imported, deleted, edited, and cloned as needed.
- From the RADIUS client list, select Create New to add a new RADIUS client. The Add RADIUS client window opens.
- Enter the following information:
Subnets and IP ranges can be defined in the Client address field. All authentication clients within a defined subnet/IP range will share the same configuration and secret. For example, 192.168.0.0/24 would allow all 255 IP addresses to authenticate.
This feature saves time, as the entry only takes up a single client entry in the license table.
- Select OK to add the new RADIUS client.
If authentication is failing, check that the authentication client is configured and that its IP address is correctly specified. Common causes of problems are:
- RADIUS packets sent from an unexpected interface, or IP address.
- NAT performed between the authentication client and FortiAuthenticator.
The existing MAC authentication bypass (MAB) feature (under Authentication > RADIUS Service > Clients) supports returning Access-Accept with different RADIUS attributes for unauthorized devices, and also supports explicitly blocking pre-defined groups of devices.
Profiles are applied in descending order based on matching RADIUS attributes. If the profile has no attributes to match, that profile will always be applied before any that follow.
When processing MAB for an authorized device associated with a user, the FortiAuthenticator returns the RADIUS attributes of the authorized device group(s) of which the device is a member as well as the RADIUS attributes from the group memberships of the associated user (if any). Additionally, any RADIUS attributes assigned directly to the associated user are returned.
There are two Reply-Messages that the FortiAuthenticator can send to the FortiGate in the RADIUS ACCESS CHALLENGE messages. Each message is prefixed by an uneditable string followed by an editable string (i.e. replacement message in FortiAuthenticator):
- If push is not available, FortiAuthenticator will send Prefix: “” followed by Default Replaceable String: “Enter Token Code”. For example; "Enter Token Code".
- If push is available, FortiAuthenticator will send Prefix: “+” followed by Default Replaceable String: “Choose FTM Push or Enter Token Code”. For example:;" + Choose FTM Push or Enter Token Code".
FortiAuthenticator supports a single authentication profile for each RADIUS Auth Client. Because of this, authentication requirements (for example IPSec/SSLVPN, Web Filtering Override, Wireless Authentication, and so on) require different profiles, as RADIUS authentication requests originate from the same IP address. To distinguish the authentication requirements, you can add attributes to them.
Attributes (which can be added to authentication requirements) indicate the type of service the user has requested, or the type of service that is provided.
Each FortiAuthenticator authentication client profile can contain up to two RADIUS attributes.
To match a profile, all specified attributes in a profile must match, if not, the processing will fall to the next profile (processed in top down order).
The profiles created can be re-arranged in terms of priority. FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each profile, starting with the highest-priority profile, and moves down the list until it finds a match. FortiAuthenticator uses the first profile that it matches.
FortiAuthenticator supports several IEEE 802.1X Extensible Authentication Protocol (EAP) methods. EAP settings can be configured from Authentication > RADIUS Service > EAP. See Extensible Authentication Protocol for more information.
You can optionally change the RADIUS authentication, accounting SSO, and accounting monitor ports under Authentication > RADIUS Service > Services.
By default, the ports are set to:
- RADIUS authentication port: 1812
- RADIUS accounting SSO port: 1813
- RADIUS accounting monitor port: 1646
|When upgrading from a firmware version prior to 5.0, and the Enable RADIUS Accounting SSO clients option is enabled under Fortinet SSO Methods > SSO > General, both the SSO accounting port and the usage monitoring accounting port should remain at their default values (1813 and 1646 respectively) in order to avoid service disruption.|
The custom dictionary list enables you to view built-in vendors and their RADIUS attributes, and create new customized entries.
Go to Authentication > RADIUS Service > Custom Dictionaries to view the list.
Some services can receive information about an authenticated user through RADIUS vendor-specific attributes. FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.
Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IP-Address specifies the VPN tunnel IP address sent to the user by the Fortinet SSL VPN.
Attributes in user groups can specify more general information, applicable to the whole group. For example, specifying third-party vendor attributes to a switch could enable administrative level login to all members of the Network_Admins group, or authorize the user to the correct privilege level on the system.
To create a new custom RADIUS attribute vendor, open the Custom Vendors view and select Create New where you are prompted to upload a RADIUS dictionary file.
- Go to Authentication > User Management > Local Users and select a user account to edit, or go to Authentication > User Management > User Groups and select a group to edit.
- In the RADIUS Attributes section, select Add Attribute. The Create New User Group RADIUS Attribute or Create New User RADIUS Attribute window opens.
- Select the appropriate Vendor and Attribute ID, then enter the attribute’s value in the Value field.
- Select OK to add the new attribute to the user or group.
- Repeat the above steps to add additional attributes as needed.