Configuring RADIUS authentication

You can configure administrator authentication using a Remote Authentication Dial-In User Service (RADIUS) server.

After you complete the RADIUS server configuration and enable it, you can select it when you create an administrator user on the System > Admin > Administrator page. When RADIUS is selected, no local password option is available. You also specify the SPP or SPP Policy Group assignment, trusted host list, and access profile for that user.

If RADIUS is enabled, when a user logs in, an authentication request is made to the remote RADIUS server. If authentication succeeds, and the user has a configuration on the System > Admin > Administrator page, the SPP or SPP Policy Group assignment, trusted host list, and access profile are applied. If the user does not have a configuration on the System > Admin > Administrator page, these assignments are obtained from the Default Access Strategy settings described below.

If your RADIUS server supports two-factor authentication (2FA), FortiDDoS (from Release 5.1.0) displays a field for entering the 2FA token after you have entered your credentials.

You can adjust the time FortiDDoS waits for a response from your RADIUS server or authentication proxy on the System > Admin > Settings tab.

Before you begin:

  • You must have Read-Write permission for System settings.

To configure a RADIUS server:
  1. Go to System > Authentication > RADIUS.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

RADIUS server settings

Setting: Guidelines

Status: Select to enable the RADIUS server configuration, or deselect to disable it.
Primary Server Name/IP: IP address or FQDN of the primary RADIUS server.
Primary Server Secret: RADIUS server shared secret – maximum 116 characters (special characters are allowed).
Secondary Server Name/IP: Optional. IP address or FQDN of a backup RADIUS server.
Secondary Server Secret: Optional. RADIUS server shared secret – maximum 116 characters (special characters are allowed).
Port: RADIUS port. Usually, this is 1812.
Authentication Protocol:
  • Auto—If you leave this default value, the system uses MSCHAP2.
  • PAP—Password Authentication Protocol
  • CHAP—Challenge Handshake Authentication Protocol (defined in RFC 1994)
  • MSCHAP—Microsoft CHAP (defined in RFC 2433)
  • MSCHAP2—Microsoft CHAP version 2 (defined in RFC 2759)

Test Connectivity

Test Connectivity: Select to test connectivity using the test username and password specified next. Click the Test button before you save the configuration.
Username: Username for the connectivity test.
Password: Corresponding password.

Default Access Strategy for remote RADIUS user

Is System Admin: If the user is regarded as a System Administrator with access to all SPPs, select Yes; otherwise select No.
Is SPP Admin: This option is available only if Is System Admin is set to No.
  • Yes - Administrator for only one SPP.
  • No - Neither system admin nor SPP admin; administrator for a specific policy group.
Default SPP Policy Group: If the user is neither a System Admin nor an SPP Admin, select the Default SPP Policy Group from the drop-down. You must have SPP Policies (subnets) and SPP Policy Groups configured before you can make this selection.
Service Protection Profile: If the user is an SPP Admin, select the SPP profile that the SPP Admin manages.
Trusted Hosts: Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify.

Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

To allow logins only from one computer, enter only its IP address with a 32-bit (IPv4) or 128-bit (IPv6) netmask, for example:
  192.0.2.2/32
  2001:0db8:85a3::8a2e:0370:7334/128

To allow login attempts from any IP address (not recommended), enter: 0.0.0.0/0.0.0.0

Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

Access Profile: Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.
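The following is an added example, not Fortinet's code, showing how the trusted host rules described above (up to three space-separated entries, single hosts or subnets, in CIDR or dotted-netmask form) decide whether a login source is allowed, and how to audit a set of accounts for the unrestricted 0.0.0.0/0 entry the Caution warns about. The account names and addresses are constructed.

```python
import ipaddress

# Constructed per-account trusted host lists in the format the table describes:
# up to three space-separated entries, hosts or subnets, IPv4 or IPv6.
ADMIN_TRUSTED_HOSTS = {
    "admin": "192.0.2.2/32 2001:db8:85a3::8a2e:370:7334/128",
    "spp_admin_1": "203.0.113.0/24",
    "oncall": "0.0.0.0/0.0.0.0",  # unrestricted: the case the Caution warns about
}


def parse_trusted_hosts(spec):
    """Parse a space-separated trusted host list into IPv4/IPv6 networks."""
    # ipaddress accepts both prefix length (/32) and dotted netmask (/0.0.0.0) forms.
    nets = [ipaddress.ip_network(entry, strict=False) for entry in spec.split()]
    if len(nets) > 3:
        raise ValueError("at most three trusted areas are allowed")
    return nets


def is_trusted(spec, source_ip):
    """True if the login source falls inside any of the account's trusted areas."""
    ip = ipaddress.ip_address(source_ip)
    # An IPv4 address is never 'in' an IPv6 network and vice versa.
    return any(ip in net for net in parse_trusted_hosts(spec))


def unrestricted_accounts(accounts):
    """Names of accounts whose list contains an any-address entry (prefix length 0).

    A single such account forces the system to accept login attempts on every
    interface with remote admin protocols enabled, which re-exposes all accounts."""
    return [name for name, spec in accounts.items()
            if any(net.prefixlen == 0 for net in parse_trusted_hosts(spec))]
```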

RADIUS server configuration page

RADIUS server configuration guidelines

config system authentication radius
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set backup-server <ip|domain>
  set backup-secret <string>
  set port <port>
  set authprot {auto|chap|mschap|mschapv|pap}
  set is-system-admin {yes|no}
  set is-spp-admin {yes|no}
  set dft-domain <SPP>
  set dft-accprofile <profile>
  set dft-trusted-hosts <CIDR list>
end

FortiDDoS Vendor Specific Attributes (VSA)

Release 4.5.0 and later includes the following VSAs for the MSSP feature. Release 4.4.2 and earlier included only the first three VSAs.

VSA (number): Value
Fortinet-FDD-Access-Profile (30): User-defined or predefined profile.
Fortinet-FDD-Trusted-Hosts (31): The source IP address and netmask from which the administrator is allowed to log in.
Fortinet-FDD-SPP-Name (32): Name of the SPP profile that the SPP Admin manages.
Fortinet-FDD-IS-SYSTEM-ADMIN (33): System Administrator with access to all SPPs.
Fortinet-FDD-IS-SPP-ADMIN (34): Administrator for all SPPs, or else Administrator for selected SPPs only.
Fortinet-FDD-SPP-POLICY-GROUP (35): User profile with access to the graphs and reports specific to an SPP policy group.
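As an added illustration (not Fortinet's or FortiAuthenticator's code) of how these VSAs travel on the wire: the RADIUS server packs them into RFC 2865 Vendor-Specific attributes under Fortinet's IANA enterprise number 12356 (taken from the public Fortinet RADIUS dictionary, not from this page) inside an Access-Accept, and the client must verify the Response Authenticator with the shared secret before acting on any of them. The shared secret, request authenticator and attribute values are constructed.

```python
import hashlib
import hmac
import struct

# Fortinet's IANA enterprise number (from the public dictionary, assumed here);
# the FortiDDoS VSA numbers 30-35 are the ones listed in the table above.
FORTINET_VENDOR_ID = 12356
FDD_VSA = {30: "Fortinet-FDD-Access-Profile", 31: "Fortinet-FDD-Trusted-Hosts",
           32: "Fortinet-FDD-SPP-Name", 33: "Fortinet-FDD-IS-SYSTEM-ADMIN",
           34: "Fortinet-FDD-IS-SPP-ADMIN", 35: "Fortinet-FDD-SPP-POLICY-GROUP"}
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
ACCESS_ACCEPT = 2      # RFC 2865 packet code

def encode_vsa(vendor_type, value):
    # RFC 2865 Vendor-Specific: Type(26) Len VendorId(4) | VendorType VendorLen String
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def build_access_accept(ident, request_auth, secret, vsas):
    # Server side. The Response Authenticator binds code, id, attributes and the
    # shared secret: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    attrs = b"".join(encode_vsa(t, v) for t, v in vsas.items())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def decode_access_accept(packet, request_auth, secret):
    # Client side. Refuse the reply unless the authenticator checks out, then
    # extract only Fortinet VSAs; a reply that fails here must grant nothing.
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    result, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VENDOR_SPECIFIC and attrs[pos + 2:pos + 6] == struct.pack("!I", FORTINET_VENDOR_ID):
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            result[FDD_VSA.get(vtype, f"Fortinet-VSA-{vtype}")] = attrs[pos + 8:pos + 6 + vlen].decode()
        pos += alen
    return result
```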

Configuring FortiAuthenticator for FortiDDoS RADIUS Authentication

Follow the steps below to configure FortiAuthenticator for FortiDDoS RADIUS authentication:

  1. Log in to FortiAuthenticator.
  2. Go to Authentication > RADIUS Service > Clients.
  3. Click Create New.
  4. Enter the following information:
    1. Name - RADIUS client name
    2. Client address - IP/Hostname, Subnet or Range of the client
    3. Secret - shared secret for authentication between FortiAuthenticator and FortiDDoS
  5. Click OK.
  6. Go to Authentication > RADIUS Service > Custom Dictionaries and click FortiDDoS.
  7. Ensure that all FortiDDoS VSAs are available in the list.
  8. Go to Authentication > User Management > Local Users.
  9. Click Create New to create a new local user.
    1. Enter a username.
    2. Select a password creation method from the available options:
      • Set and email a random password
      • No password, FortiToken authentication only
  10. Select Allow RADIUS authentication and click OK.
  11. Select the RADIUS Attributes drop-down and click Add Attribute to create new user RADIUS attributes.
  12. Enter the following information to add each FortiDDoS VSA:
    1. Vendor: Select Fortinet from the drop-down.
    2. Attribute ID: Select the FortiDDoS VSA from the drop-down.
    3. Value: Enter the value based on the FortiDDoS VSA selected.
  13. Repeat Step 11 until all FortiDDoS VSAs are added.
  14. Click OK.