
User Guide

RADIUS Server

Perform this procedure to add a RADIUS server to a network and then use this server to authenticate wireless clients.

  1. On the FortiEdge Cloud Home page, select the network to which you want to add the RADIUS server.
  2. In the Menu bar, navigate to Configuration > User Access Control > My RADIUS server.
  3. Click Add My RADIUS Server.
  4. Complete the following fields:

    Name

    Type a name for My RADIUS Server.

    NAS IP

    Type the IP address of the network access server (NAS).

    This field is optional.

    Primary server name/IP

    Type the server name or IP address of the primary RADIUS server.

    Primary server secret

    Type the secret key of the primary RADIUS server.

    Secondary server name/IP

    Type the server name or IP address of the secondary RADIUS server.

    This field is optional.

    Secondary server secret

    Type the secret key of the secondary RADIUS server.

    This field is optional.

    Server port

    If the RADIUS server is not using the default port, then type the server port.

    The default is 1812.

    NAS ID

    This option enables the use of a third-party captive portal with FortiEdge Cloud. When adding a RADIUS server, you can now configure the static NAS-ID for both FortiEdge Cloud acting as a RADIUS client and the FortiAP acting as a RADIUS client. When deploying a wireless network with WPA-Enterprise and RADIUS authentication, or using the RADIUS MAC authentication feature, FortiEdge Cloud can use the custom NAS-ID in its access request.

    The following NAS ID types are supported in this release.

    • Legacy – When FortiEdge Cloud serves as the RADIUS authenticator, the NAS ID value is FortiEdge Cloud. When FortiAP serves as the RADIUS authenticator, the NAS ID value is VAP followed by the radio index and the WLAN ID. For example, vap03, where 0 is the radio ID and 3 is the WLAN ID.

    • Hostname – When FortiEdge Cloud serves as the RADIUS authenticator, its hostname is the NAS ID. Likewise, when FortiAP serves as the RADIUS authenticator, its hostname is the NAS ID.

    • Custom – You can define your own NAS ID value.

    Note: The default is set to Legacy and requires FortiAP version 7.4.2 or higher.

    Auth Protocol

    Select the authentication protocol. This setting is used only to authenticate wireless clients that connect to captive portal-enabled networks. If you select Auto, the protocols are tried in this order:

    • PEAP
    • MSCHAPv2
    • MSCHAPv1
    • CHAP
    • PAP

    TLS Version

    Select the TLS version for the PEAP authentication protocol.

    CoA enable

    Enable Change of Authorization (CoA) to allow the RADIUS server to adjust active client sessions. The AP disconnects user sessions when it receives a Disconnect-Request from the RADIUS server.
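The Disconnect-Request described above is only safe to honour if the AP first proves it came from the configured RADIUS server. RFC 5176 does this with the shared secret: the Request Authenticator is the MD5 of the packet header (with a zeroed authenticator field), the attributes and the secret, and the AP must silently discard any request whose authenticator does not match. The following is an added example, not FortiEdge Cloud or FortiAP code, of that check and of the resulting Disconnect-ACK / Disconnect-NAK; the shared secret, session IDs and packets are constructed sample values.

```python
"""RFC 5176 Disconnect-Request verification on the NAS (AP) side. Added example."""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types used below (RFC 2865/2866/5176).
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERROR_SESSION_NOT_FOUND = 503  # Error-Cause "Session Context Not Found"

HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or overlapping attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def request_authenticator(code, ident, body, secret):
    """MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 5176 s.3."""
    length = HEADER.size + len(body)
    return hashlib.md5(HEADER.pack(code, ident, length, b"\x00" * 16) + body + secret).digest()


def build_request(code, ident, attrs, secret):
    """Server side: build an authenticated Disconnect-Request (used for the sample)."""
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body),
                       request_authenticator(code, ident, body, secret)) + body


def verify_disconnect_request(packet, secret):
    """Return the decoded attributes if the authenticator validates, else None."""
    if len(packet) < HEADER.size:
        return None
    code, ident, length, auth = HEADER.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    body = packet[HEADER.size:]
    if not hmac.compare_digest(request_authenticator(code, ident, body, secret), auth):
        return None  # wrong secret or tampered packet: discard silently
    try:
        return decode_attrs(body)
    except ValueError:
        return None


def build_response(code, request_packet, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    ident, req_auth = request_packet[1], request_packet[4:20]
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = hashlib.md5(HEADER.pack(code, ident, length, req_auth) + body + secret).digest()
    return HEADER.pack(code, ident, length, auth) + body


def handle_disconnect(packet, secret, active_sessions):
    """AP-side handling: drop the named session only if the request authenticates.

    Returns (response_packet_or_None, remaining_sessions)."""
    attrs = verify_disconnect_request(packet, secret)
    if attrs is None:
        return None, active_sessions
    session = dict(attrs).get(ATTR_ACCT_SESSION_ID)
    if session in active_sessions:
        return build_response(DISCONNECT_ACK, packet, [], secret), active_sessions - {session}
    cause = struct.pack("!I", ERROR_SESSION_NOT_FOUND)
    return build_response(DISCONNECT_NAK, packet, [(ATTR_ERROR_CAUSE, cause)], secret), active_sessions


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample value
    req = build_request(DISCONNECT_REQUEST, 7,
                        [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_SESSION_ID, b"ab01")], SECRET)
    resp, left = handle_disconnect(req, SECRET, {b"ab01", b"cd02"})
    print("response code", resp[0], "remaining sessions", left)
    print("wrong secret accepted?", handle_disconnect(req, b"wrong", {b"ab01"})[0] is not None)
```

A request signed with the wrong secret, or one whose attributes were altered after signing, yields no response at all, which is the behaviour RFC 5176 requires and what prevents an on-path host from tearing down client sessions with forged packets.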

    Account all servers

    Enable this option to use both primary and secondary RADIUS servers for authentication.

    Case sensitive username

    Enable case-sensitive matching of RADIUS user names.

    RadSec

    FortiEdge Cloud can establish an encrypted connection between the FortiAP (RADIUS client) and the RADIUS server, in order to secure communication channels for all RADIUS traffic. This is done using RadSec and is especially useful in roaming environments, where the traffic passes through multiple untrusted domains and networks. This feature ensures encrypted and trusted connections.

    RadSec operates over the UDP, TCP, and TLS transport protocols and is supported when either FortiEdge Cloud or a FortiAP acts as a RADIUS client. You can configure the FortiAP as a RADIUS client in the associated SSID. The FortiAP uses the configured parameters on this page to initiate a secure connection, ensuring secure transport of authentication requests.

    Select RadSec enable to secure communication between the FortiAP and the RADIUS server. This is disabled by default.

    Select the Transport Protocol and configure the following for TLS.

    • Protocol Version – The supported protocol versions are SSLv3, TLSv1, TLSv1-1, TLSv1-2, TLSv1-3.

    • CA Certificate – The CA certificate is used to authenticate the RADIUS server when RadSec is enabled. The only file format supported is .cer with a maximum permissible size of 8 Kb.

    • Client Certificate – The client certificate ensures that the FortiAP is securely authenticated. The only file format supported is .cer with a maximum permissible size of 8 Kb.

    Notes:

    • When the transport protocol is TLS, RadSec traffic uses port 2083.

    • RadSec is best implemented over TCP/TLS to meet security and reliability standards.
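The RadSec settings above leave two choices to the administrator that decide how much the feature actually protects: which protocol version to select (the list includes SSLv3, TLS 1.0 and TLS 1.1, all deprecated, alongside TLS 1.2 and 1.3) and which certificate files to upload within the .cer / 8 Kb limit. The following is an added example, not FortiEdge Cloud or FortiAP code, that applies those checks from the client side with Python's standard ssl module: it rates each version name the page lists, sanity-checks a certificate file before upload, builds a TLS 1.2+ mutual-authentication context, and optionally probes a RadSec server on port 2083. The file paths, host name and the sample certificate bytes are constructed placeholders.

```python
"""Client-side RadSec (RADIUS over TLS) checks. Added example."""
import socket
import ssl

RADSEC_PORT = 2083          # TLS transport port named in the page notes
MAX_CERT_BYTES = 8 * 1024   # upload limit stated in the page

# Protocol-version names exactly as the page lists them, mapped to the TLS
# version they select. SSLv3 has no TLSVersion member and is never acceptable;
# TLS 1.0 and 1.1 are deprecated by RFC 8996.
PAGE_VERSIONS = {
    "SSLv3": None,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1-1": ssl.TLSVersion.TLSv1_1,
    "TLSv1-2": ssl.TLSVersion.TLSv1_2,
    "TLSv1-3": ssl.TLSVersion.TLSv1_3,
}


def version_acceptable(name):
    """True only for the versions a deployment should select today (TLS 1.2+)."""
    if name not in PAGE_VERSIONS:
        raise ValueError(f"unknown protocol version {name!r}")
    version = PAGE_VERSIONS[name]
    return version is not None and version >= ssl.TLSVersion.TLSv1_2


def _der_sequence_spans(data):
    """True if data is one DER SEQUENCE whose encoded length matches the file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:
        return len(data) == 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_cert_upload(data):
    """Pre-upload check for a .cer file: size limit, then PEM or DER framing.

    Returns one of "too-large", "pem", "der", "invalid"."""
    if len(data) > MAX_CERT_BYTES:
        return "too-large"
    if b"-----BEGIN CERTIFICATE-----" in data:
        try:
            ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
        except (ValueError, UnicodeDecodeError):
            return "invalid"
        return "pem"
    return "der" if _der_sequence_spans(data) else "invalid"


def new_radsec_context():
    """Client context: TLS 1.2 floor, server certificate and hostname required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_radsec_context(ca_file, client_cert_file, client_key_file=None):
    """Load the CA (to authenticate the server) and the client certificate
    (so the server can authenticate this RADIUS client). Files are PEM."""
    ctx = new_radsec_context()
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert_file, keyfile=client_key_file)
    return ctx


def probe_radsec(host, ctx, port=RADSEC_PORT, timeout=5.0):
    """Complete a handshake and report what was negotiated (needs a reachable server)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "peer_subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    for name in PAGE_VERSIONS:
        print(f"{name:8} acceptable: {version_acceptable(name)}")
    print(classify_cert_upload(b"\x30\x03\x02\x01\x01"))  # constructed DER sample
    # Placeholder paths; replace with the files you intend to upload.
    # ctx = build_radsec_context("ca.cer", "fortiap-client.cer", "fortiap-client.key")
    # print(probe_radsec("radsec.example.test", ctx))
```

The probe fails the handshake if the server presents a certificate not chained to the uploaded CA or if it will not negotiate at least TLS 1.2, which is exactly the outcome you want to see before relying on RadSec in a roaming deployment.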

  5. To complete the addition of the RADIUS server, click Apply.
