
Administration Guide

RADIUS service

The FortiAuthenticator RADIUS AAA (authentication, authorization, and accounting) server is already configured and running with default values. Each user account on FortiAuthenticator has an option to allow authentication using the RADIUS database.

Before FortiAuthenticator will accept RADIUS authentication requests from a device, the device must be registered as an authentication client on FortiAuthenticator, and it must be assigned a RADIUS policy.

When changes are made to RADIUS authentication clients and policies, log messages are generated to confirm the admin configuration change, and to state that the RADIUS server was restarted to apply the change.

FortiAuthenticator allows both RADIUS and remote authentication for RADIUS configurations. If you want to use a remote server, you must configure it first. See Remote authentication servers. You can configure the built-in LDAP server before or after creating client entries; see LDAP service.


For VM appliances, the ratio for RADIUS clients is "number of max users / 3".

The number of RADIUS policies is "number of max users x 2", because each RADIUS client might need more than one policy.

See the Maximum values table included in the latest FortiAuthenticator Release Notes for more details.


Beginning in 6.1.0, RADIUS authentication logic is determined by policies, created in Authentication > RADIUS Service > Policies.

When upgrading from a version prior to 6.1.0, existing RADIUS client configurations are migrated into clients and policies with corresponding settings.

This section contains the following topics:
