Configuring RADIUS authentication
You can configure administrator authentication using a Remote Authentication Dial-In User Service (RADIUS) server.
After you complete the RADIUS server configuration and enable it, you can select it when you create an administrator user on the System > Admin > Administrator page. When RADIUS is selected, no local password option is available.
Once RADIUS is enabled, a series of checks is performed locally and at the RADIUS server level. The diagram below illustrates the RADIUS authentication flow.
The FortiDDoS-F does not currently support RADIUS VSAs or Two Factor Authentication (2FA).
You can adjust how long FortiDDoS waits for a response from your RADIUS server or authentication proxy on the System > Admin > Settings tab.
Before you begin:
- You must have Read-Write permission for System settings.
To configure a RADIUS server:
- Go to System > Authentication > RADIUS.
- Complete the configuration as described in the table below.
- Save the configuration.
RADIUS server settings
Settings | Guidelines |
---|---|
Status | Enable/disable RADIUS Authentication. This must be enabled to configure the RADIUS Server Configuration settings. |
Primary Server Name/IP | IP address or FQDN of the primary RADIUS server. |
Primary Server Secret | RADIUS server shared secret – maximum 116 characters (special characters are allowed). |
Secondary Server Name/IP | Optional. IP address or FQDN of a backup RADIUS server. |
Secondary Server Secret | Optional. RADIUS server shared secret – maximum 116 characters (special characters are allowed). |
Port | RADIUS port. Usually, this is 1812. |
Authentication Protocol | |
Test Connectivity | |
Test Connectivity | Select to test connectivity using a test username and password specified next. Click the Test button before you save the configuration. |
Username | Username for the connectivity test. |
Password | Corresponding password. |
```
config system authentication radius
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set backup-server <ip|domain>
  set backup-secret <string>
  set port <port>
  set authprot {auto|chap|mschap|mschapv|pap}
end
```
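How the shared secret from the settings table is used on the wire when the protocol is PAP, as an added example (not Fortinet code and not part of the original page): it hides the password as RFC 2865 defines and checks a reply's Response Authenticator, which is what fails when the two sides hold different secrets. All function names, the sample user, password and secret are constructed, and `make_reply` stands in for the RADIUS server so the script runs offline.

```python
import hashlib
import hmac
import os
import struct

MAX_SECRET_LEN = 116  # limit from the settings table; counted in bytes here (assumption)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, used when the protocol is PAP."""
    if not 0 < len(secret) <= MAX_SECRET_LEN:
        raise ValueError("shared secret must be 1-116 bytes")
    if len(request_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()  # keyed only by the shared secret
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, request_auth):
    """Access-Request (code 1) with User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def make_reply(code, ident, request_auth, secret, attrs=b""):
    """Constructed server side, present only so the example runs offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

if __name__ == "__main__":
    secret = b"constructed-example-secret"  # placeholder, not a real secret
    ra = os.urandom(16)                      # Request Authenticator must be unpredictable
    req = build_access_request(7, b"admin1", b"constructed-pass", secret, ra)
    accept = make_reply(2, 7, ra, secret)    # code 2 = Access-Accept
    print(len(req), response_is_authentic(accept, ra, secret))
    print(response_is_authentic(accept, ra, b"wrong-secret"))
```

Because the password mask and the reply check depend on nothing but the shared secret and MD5, the length and randomness of the configured secret determine how well PAP credentials are protected in transit.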