Admin Guide (Standalone)

RADIUS Authentication

Using RADIUS authentication, users can use a remote account to log in to FortiExtender. RADIUS authentication uses the default port 1812 and requires configuring a RADIUS server. Once you configure the RADIUS server, apply it to a user group. FortiExtender will refer to the user group to authenticate the remote account.

To configure the FortiExtender to use RADIUS authentication - CLI
  1. Configure the FortiExtender to access a RADIUS server.

    config user radius
        edit example_radius
            set server <IPv4 address>
            set secret <password>
            set auth-type auto
            set timeout 5
            set transport-protocol udp
            set nas-ip <IPv4 address>
        next
    end
    

    | Parameter | Description |
    | --- | --- |
    | name | Name of the RADIUS server table. |
    | server | Primary RADIUS server IP address. |
    | secret | Pre-shared secret key used to access the primary RADIUS server. Character range is 1-128. |
    | auth-type | Authentication protocols permitted for this RADIUS server. You can select the following options: auto (default), ms_chap_v2, ms_chap, chap, pap. If the authentication type is set to auto, FortiExtender uses the following protocols in sequence: PAP → MSCHAP_v2 → CHAP. FortiExtender will only try the next protocol once it receives a RADIUS-reject message. |
    | timeout | Time in seconds to retry connecting to the RADIUS server. Default = 5. |
    | transport-protocol | Transport protocol to be used. Default = udp. |
    | nas-ip | IP address used for the FortiExtender to communicate with the RADIUS server. It is also used as the NAS-IP-Address and Called-Station-ID attributes. |

  2. Apply the RADIUS server table to a user group.

    config user group
        edit group1
            set member [RADIUS server name1] [RADIUS server name2]
        next
    end
    

    | Parameter | Description |
    | --- | --- |
    | name | Name of the FortiExtender user group. |
    | member | Names of users and RADIUS server tables you want to add to the user group. You can apply multiple RADIUS server tables to a user group. |

  3. Enable remote access on FortiExtender.

    config system admin
        edit remote1
            set accprofile super_admin
            set remote-auth enable
            set wildcard enable
            set password ENC *
            set remote-group group1
            set trusthost1
            set trusthost2
        next
    end
    

    | Parameter | Description |
    | --- | --- |
    | remote-auth | Enable/disable authentication using a remote RADIUS server. |
    | wildcard | Enable/disable wildcard RADIUS authentication. |
    | remote-group | Enter the FortiExtender user group name you want to use for remote authentication. Note: If remote-auth is enabled, remote-group becomes mandatory. Otherwise remote-group is hidden. If remote-auth is enabled but wildcard is disabled, you must set a local password. If the RADIUS server is unreachable, FortiExtender uses the local password. For other situations, such as if FortiExtender receives a RADIUS reject message, the local password is omitted. |
    | password | Admin user password. Note: If wildcard is enabled, you cannot set a password. |

    If wildcard is enabled, remote users can share the account and log in without you needing to create multiple user accounts. That is, you can use the username and password pair stored on the remote server without needing to match the table name. See the following example:

    config system admin
        edit "rs_admin"
            set remote-auth enable
            set accprofile "super_admin"
            set wildcard enable
            set remote-group "user"
        next
    end
    
    Note: Only one wildcard remote account is allowed to exist under system admin.

  4. Verify that the RADIUS server connection is successful.

    execute test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
        <server_name>:                      radius server table name
        <auto | chap | pap | mschap | mschap2>:    choose a protocol
        <username>:                         enter user name
        <password>:                         enter password
    

    execute test authserver radius-direct <IP> <port number (0 default port)> <udp> <secret> <pap | chap | mschap | mschap2> <user> <password>
        <IP>:                               RADIUS server IP
        <port number (0 default port)>:     choose default port number
        <udp>:                              choose transport protocol
        <secret>:                           authserver pre-key
        <auto | chap | pap | mschap | mschap2>:    choose a protocol
        <username>:                         enter user name
        <password>:                         enter password
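
The rules stated in step 3 can be checked mechanically before a configuration is applied. The following Python script is an added example, not Fortinet code: it parses the `config`/`edit`/`set` syntax shown above and reports admin entries that break those rules. The function names, the sample input, and the treatment of a missing `remote-auth` or `wildcard` line as disabled are assumptions.

```python
import shlex

def parse(text):
    # Parse config/edit/set blocks into {section: {entry: {key: [values]}}}.
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return cfg

def audit(cfg):
    # Check each remote-auth admin against the rules stated in this section.
    out, wilds = [], []
    for name, a in cfg.get("system admin", {}).items():
        if a.get("remote-auth") != ["enable"]:
            continue
        if "remote-group" not in a:
            out.append(f"{name}: remote-group is mandatory")
        if a.get("wildcard") == ["enable"]:
            wilds.append(name)
            if "password" in a:
                out.append(f"{name}: password cannot be set with wildcard")
        elif "password" not in a:
            out.append(f"{name}: local password required")
        else:
            out.append(f"{name}: local password used if RADIUS unreachable")
    if len(wilds) > 1:
        out.append("multiple wildcard accounts: " + ", ".join(wilds))
    return out

# Constructed sample input (not from a real device).
SAMPLE = """
config system admin
    edit remote1
        set remote-auth enable
        set wildcard enable
        set remote-group group1
    next
    edit remote2
        set remote-auth enable
        set password ENC *
    next
end
"""
print(*audit(parse(SAMPLE)), sep="\n")
```

The last finding type is informational: it marks accounts whose local password remains a usable credential whenever the RADIUS server cannot be reached, so that password needs the same strength and rotation as any other admin credential.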
    
To configure the FortiExtender to use RADIUS authentication - GUI
  1. Configure the FortiExtender to access a RADIUS server.
    1. From the FortiExtender GUI, go to User & Auth and select the RADIUS Servers tab.

    2. Click Create RADIUS Server and enter your RADIUS server configurations.

    3. When you are finished, click Save.

  2. Apply the RADIUS server table to a user group.

    1. Go to User & Auth and select Create User Group or edit an existing user group.

    2. In the RADIUS Servers field, select the RADIUS server you previously configured.

    3. When you are finished, click Save.

  3. Enable remote access on FortiExtender.

    1. Go to Settings > Access Control and select Create Admin or edit an existing Admin profile.

    2. In the Type field, select from the following options:

      • Local User: Disable remote authentication.
      • Match a user on a remote server group: Enable remote authentication, wildcard is disabled.
      • Match all users in a remote server group: Remote authentication is enabled, wildcard is also enabled.
    3. When you are finished, click Save.

  4. Verify that the RADIUS server connection is successful.

    1. Go to User & Auth > RADIUS Servers and edit the RADIUS server you configured.

    2. Click Test Connectivity and Test User Credential to verify the connection.
