Policies
RADIUS policy configuration is available in Authentication > RADIUS Service > Policies.
FortiAuthenticator RADIUS authentication requires that RADIUS clients are assigned one or more policies. Policies can be created for Password/OTP, MAC authentication bypass (MAB), and EAP-TLS authentication.
To distinguish authentication requirements for clients, RADIUS attributes can be added to policies to indicate the type of service the user has requested or the type of service that is provided. Each policy can contain up to two RADIUS attributes.
FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each policy, starting with the top policy in the list, and moves down until a match is found. Policy priority can be re-ordered by selecting the up and down icons next to each policy in the list.
To configure a RADIUS policy:
- Go to Authentication > RADIUS Service > Policies, and click Create New to add a new RADIUS policy.
The RADIUS Policy Creation Wizard is launched. - Configure the RADIUS policy:
Displayed configuration settings vary depending on the Authentication type selected. The list below contains all possible settings, but only settings that are applicable to your configuration are shown in the GUI.
RADIUS clients
The policy name, description, and clients.
Policy name Enter a name to identify the RADIUS policy.
Description Optionally, provide a description of the policy. RADIUS clients Choose the clients to which this policy applies.
For more information, see Clients.
RADIUS attribute criteria
The attributes that must be present in the RADIUS authentication request in order to be processed by this policy. RADIUS authentication request must contain specific attributes When enabled, RADIUS authentication requests must contain specific attributes from the FortiAuthenticator's list of vendors, viewable at Authentication > RADIUS Service > Dictionaries.
Authentication type
The type of end-user authentication used by this policy. Password/OTP authentication Configure password or one-time password authentication on selected realms.
When Accept EAP is enabled, password/OTP authentication can be configured to accept EAP, including PEAP, EAP-TTLS, EAP-GTC, and EAP-MSCHAPv2.
EAP settings are only relevant for the EAP sessions terminated by FortiAuthenticator and not for the EAP sessions proxied to the remote RADIUS servers.
MAC authentication bypass (MAB)
Configure MAC authentication bypass (MAB) for certain devices, provided their MAC addresses appear in the User-Name, User-Password, and Calling-Station-ID attributes.
Client Certificates (EAP-TLS)
Configure client certificates (EAP-TLS) to verify the certificate provided by the end-user. A certificate is deemed valid if ALL of the following conditions match the certificate binding settings of one of the configured local or remote users:
- End-user certificate "Subject" has a CN value AND that value matches the "Common name" certificate binding setting of one of the configured local or remote users.
- End-user certificate "Issuer" matches the "CA" certificate binding setting of that same configured user account.
- End-user certificate is properly signed.
- End-user certificate is NOT expired.
For example, if an end-user provides a certificate with the following fields:
- Subject:
CN=SAM, OU=Sales, DC=Company, DC=com
- Issuer:
CN=MyCA, OU=IT, DC=Company, DC=com
- Properly signed and not expired.
This certificate would be deemed valid if it matches a configured user account with the following certificate binding settings:
- Common name:
Sam
- CA:
CN=MyCA, OU=IT, DC=Company, DC=com
Identity source
The identity sources against which to authenticate end-users.
Identity source settings vary depending on the authentication type selected.
Authentication mode
Select from the following two options:
Certificate bindings: Legacy mode that uses certificate bindings.
Trusted CA(s): Accepts all the valid client certificates signed by one of the trusted CAs.
This allows FortiAuthenticator to successfully authenticate any endpoint presenting a valid client certificate signed by one of the trusted CA certificates.
When the Authentication mode is set as Trusted CA(s), the RADIUS daemon ignores any configured certificate bindings and only verifies that the client certificate is:
Signed by one of the trusted CAs
Not expired
Not revoked (if CRL is configured)
Note: This option is only available when the Authentication type is Client Certificates (EAP-TLS).
Eduroam
Enable to force settings to the values required in an eduroam environment.
Note: The option is only available when the Authentication mode is Certificate bindings.
Username format
Select one of the following three username input formats:
- username@realm
- realm\username
- realm/username
These settings are only displayed for Password/OTP and EAP-TLS authentication.
Note: The option is only available when the Authentication mode is Certificate bindings.
Use default realm when user-provided realm is different from all configured realms
When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.
Note: The option is only available when the Authentication mode is Certificate bindings.
Realms
Add realms to which the client will be associated.
- Select a realm from the dropdown menu in the Realm column.
- Select whether or not to allow local users to override remote users for the selected realm.
- Select whether or not to use Windows AD domain authentication. See Windows AD domain authentication.
- Edit the group filter as needed to filter users based on the groups they are in.
- If necessary, add more realms to the list.
- Select the realm that will be the default realm for this client.
For RADIUS policies with Use Windows AD Domain Authentication enabled, Windows Server 2008 is not supported.
These settings are only displayed for Password/OTP and EAP-TLS authentication.
When editing group filters for remote RADIUS realms, you can enable Allow remote LDAP groups to allow the selection of remote LDAP groups.
Note: The option is only available when the Authentication mode is Certificate bindings.
Require Call-Check attribute for MAC-based authentication
Optionally, you can require the Call-Check attribute for MAC-based authentication.
Notes:
The option is disabled by default.
The option is only displayed when the Authentication type is MAC authentication bypass (MAB).
Authorized groups
From the dropdown, select authorized MAC devices groups.
If a MAC device is a member of one of the authorized MAC groups, FortiAuthenticator accepts MAB authentication requests for the device.
Note: The option is only displayed when the Authentication type is MAC authentication bypass (MAB).
Blocked groups
From the dropdown, select blocked MAC devices groups.
If a MAC device is a member of one of the blocked MAC groups, FortiAuthenticator rejects the MAB authetication requests for the device.
Note: The option is only displayed when the Authentication type is MAC authentication bypass (MAB).
Local CA certificates
From the dropdown, select local CA certificates.
Note: The option is only available when the Authentication mode is Trusted CA(s).
Trusted CA certificates
From the dropdown, select trusted CA certificates.
Note: The option is only available when the Authentication mode is Trusted CA(s).
Authentication factors
The authentication factors to verify.
Authentication factor settings are only displayed for Password/OTP and EAP-TLS authentication types.
Authentication type
Select one of the following:
- Mandatory password and OTP: Two-factor authentication is required for every user.
- All configured password and OTP factors: Two-factor authentication is required if it is enabled on the user's account, otherwise, allow one-factor authentication.
- Password-only: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
- OTP-only: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.
Adaptive Authentication
Enable this option if you would like to have certain users bypass the OTP validation, so long as they belong to a trusted subnet.
Select All trusted subnets to add all the available trusted subnets.
You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.
Adaptive Authentication is available only for the following authentication types:
Mandatory password and OTP
All configured password and OTP factors
Device authorization
When the Authentication type is Password/OTP authentication and Verify MAC address in authentication requests is enabled, you can add MAC devices groups to the Authorized groups field. Only the MAC devices that are members of at least one of the MAC devices groups are authorized to proceed with authentication.
If the MAC device is a member of an authorized MAC devices group, FortiAuthenticator validates the authentication request.
If the MAC device is not a member of an authorized MAC devices group, FortiAuthenticator rejects the request.
Advanced Options
Allow FortiToken Mobile push notifications
Enable this setting to allow FortiToken Mobile push notifications for RADIUS users.
This setting is controlled on a per RADIUS client basis, not for specific users.
Trigger push without RADIUS challenge (warning: NOT recommended if using with FortiGate RADIUS clients)
When enabled, FortiAuthenticator triggers the FortiToken Mobile push notification once the password is verified without requiring the end-user to respond "push" to a RADIUS challenge.
Limitations:
Entering OTP manually is only possible by concatenating the password and OTP in the initial credential submissions.
Suppose the end-user forgets to concatenate the OTP in the original credentials submission, or the push notification does not reach the FortiToken Mobile. In that case, the end-user must wait 30 seconds to up to a few minutes before receiving the authentication failure message.
Note: The option is disabled by default.
Application name for FTM push notification
Enter the client application name. This field is displayed on the FortiToken app.
When creating a new policy or upgrading to FortiAuthenticator 6.6, the policy name is the default client application name.
Resolve user geolocation from their IP address
Enable to resolve the user geolocation from their IP address (if possible).
Reject usernames containing uppercase letters
Enable this setting to reject usernames that contain uppercase letters.
Allow OTP for EAP-MSCHAPv2 Authentication with Forticlient
Enable this setting to allow OTP for EAP-MSCHAPv2 authentication with FortiClient.
Note: The option is only available when the Authentication type is Password/OTP authentication with Accept EAP > EAP-MSCHAPv2 enabled.
RADIUS response
The content of the RADIUS authentication response based on the outcome of the authentication.
When the AD Computer Authentication Result is successful and the user is not authenticated yet, you can select between the following RADIUS attribute response options:
Return User Group Attributes: Returns RADIUS attributes configured in the user groups that the computer is a member of.
Return Additional Attributes.
By default, Return User Group Attributes is disabled and Return Additional Attributes is available.
If Return User Group Attributes is enabled then Return Additional Attributes becomes unavailable.
For EAP-TLS RADIUS policies with Authentication mode set as Trusted CA(s), since FortiAuthenticator does not match the authenticating endpoints with a user account, FortiAuthenticator cannot use RADIUS attributes specified in user accounts or user groups to return in the RADIUS Accept-Accept response. The EAP-TLS RADIUS policy allows specifying a set of RADIUS attributes to be included in all Accept-Accept responses.
When the Authentication mode is Trusted CA(s), the RADIUS response tab includes a new Additional Attributes pane. In the Additional Attributes pane, you can add RADIUS attributes to be included with the Accept-Accept response.
The Additional Attributes pane is similar to the Additional Attributes For MAC Authentication Bypass pane available in the RADIUS response tab when the Authentication type is MAC authentication bypass (MAB).
For Authentication type set as MAC authentication bypass (MAB) and given that the MAC device is not a member of either the Authorized groups or Blocked groups set up in the Identity sources tab, FortiAuthenticator accepts or rejects the MAB authentication requests depending on the response that you have set up for Unauthorized setting in the RADIUS response tab.
The following two options are available:
Access-Accept
Access-Reject
- Select Save to add the new RADIUS policy.
Windows AD domain authentication
Windows AD domain authentication can be enabled to allow for PEAP-MSCHAPv2 (802.1x) over RADIUS.
When enabled, authentication is performed using NTLM once the FortiAuthenticator has joined the AD domain, replacing the default LDAP authentication process. The ports used with Windows AD domain authentication are TCP/88, 135, 139, and 445.
When determining which LDAP server to authenticate users against, the domain provides a list of domain controllers, and FortiAuthenticator cycles round-robin through them when joining the domain instead of using the primary/secondary IP/FQDN from the remote LDAP server settings. Enabling Preferred Domain Controller Hostname will limit the round-robin activity to the DCs specified by this setting.