Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.5.4 Administration Guide
    6.5.4
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    RADIUS

    RADIUS

    If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.

    When entering the remote RADIUS server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
    To add a remote RADIUS server entry:
    1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
    2. Enter the following information, then select Save to add the RADIUS server.
      NameEnter the name for the remote RADIUS server on FortiAuthenticator.
      Preferred auth. method

      Select from either MSCHAPv2 (by default), MSCHAP, CHAP, PAP, or Proxy.

      Note: The Proxy option allows FortiAuthenticator to proxy RADIUS authentication sessions without changing the authentication method, meaning FortiAuthenticator passes the authentication credentials sent by the RADIUS client through to the remote RADIUS server unchanged.

      Timeout

      Enter a timeout in seconds between 1-60 seconds (3 by default).

      Note that a high timeout may impact the processing rate of authentication requests if the remote RADIUS server becomes unresponsive.

      Include realm in username

      Enable for eduroam services.

      When enabled, the username string sent to the remote RADIUS server is the same as the username string received from the RADIUS client.

      FortiAuthenticator can now keep the realm portion of the username before proxying.

      This allows FortiAuthenticator to route the RADIUS authentication requests through a hierarchy of RADIUS authentication proxy servers.

      Note: The option is disabled by default.

      Primary ServerEnter the server name or IP address, port, and secret in the fields provided to configure the primary server.
      Secondary Server (Optional Redundancy)Optionally, add redundancy by configuring a secondary server.
      User Migration

      Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator.

    Previous
    Next

    RADIUS

    RADIUS

    If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.

    When entering the remote RADIUS server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
    To add a remote RADIUS server entry:
    1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
    2. Enter the following information, then select Save to add the RADIUS server.
      NameEnter the name for the remote RADIUS server on FortiAuthenticator.
      Preferred auth. method

      Select from either MSCHAPv2 (by default), MSCHAP, CHAP, PAP, or Proxy.

      Note: The Proxy option allows FortiAuthenticator to proxy RADIUS authentication sessions without changing the authentication method, meaning FortiAuthenticator passes the authentication credentials sent by the RADIUS client through to the remote RADIUS server unchanged.

      Timeout

      Enter a timeout in seconds between 1-60 seconds (3 by default).

      Note that a high timeout may impact the processing rate of authentication requests if the remote RADIUS server becomes unresponsive.

      Include realm in username

      Enable for eduroam services.

      When enabled, the username string sent to the remote RADIUS server is the same as the username string received from the RADIUS client.

      FortiAuthenticator can now keep the realm portion of the username before proxying.

      This allows FortiAuthenticator to route the RADIUS authentication requests through a hierarchy of RADIUS authentication proxy servers.

      Note: The option is disabled by default.

      Primary ServerEnter the server name or IP address, port, and secret in the fields provided to configure the primary server.
      Secondary Server (Optional Redundancy)Optionally, add redundancy by configuring a secondary server.
      User Migration

      Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator.

    Previous
    Next