Fortinet black logo

CLI Reference

user radius

user radius

Use this command to add or edit information used for RADIUS authentication. You may set different ports for each of your RADIUS servers, of which you can configure a maximum of ten.

note icon

If your RADIUS server uses a different port, other than the default RADIUS port of 1812, you can change the default RADIUS port here using the radius-port setting.

Please note that radius-port is set to a default of 0. When this is the case, the global system-wide port is used. To see the global RADIUS port, enter the following command:

show full system global | grep rad

Note: All RADIUS Single-Sign On (RSSO) and other SSO related entries are only available when rsso is set to enable.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set acct-all-servers {enable | disable}

Enable or disable (by default) sending accounting messages to all configured servers.

config user radius
    edit {name}
    # Configure RADIUS server entries.
        set name {string}   RADIUS server entry name. size[35]
        set server {string}   Primary RADIUS server CN domain name or IP address. size[63]
        set secret {password_string}   Pre-shared secret key used to access the primary RADIUS server. size[128]
        set secondary-server {string}   {<name_str|ip_str>} secondary RADIUS CN domain name or IP. size[63]
        set secondary-secret {password_string}   Secret key to access the secondary server. size[128]
        set tertiary-server {string}   {<name_str|ip_str>} tertiary RADIUS CN domain name or IP. size[63]
        set tertiary-secret {password_string}   Secret key to access the tertiary server. size[128]
        set timeout {integer}   Time in seconds between re-sending authentication requests. range[1-300]
        set all-usergroup {disable | enable}   Enable/disable automatically including this RADIUS server in all user groups.
        set use-management-vdom {enable | disable}   Enable/disable using management VDOM to send requests.
        set nas-ip {ipv4 address}   IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
        set acct-interim-interval {integer}   Time in seconds between each accounting interim update message. range[600-86400]
        set radius-coa {enable | disable}   Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
        set radius-port {integer}   RADIUS service port number. range[0-65535]
        set h3c-compatibility {enable | disable}   Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.
        set auth-type {option}   Authentication methods/protocols permitted for this RADIUS server.
                auto        Use PAP, MSCHAP_v2, and CHAP (in that order).
                ms_chap_v2  Microsoft Challenge Handshake Authentication Protocol version 2.
                ms_chap     Microsoft Challenge Handshake Authentication Protocol.
                chap        Challenge Handshake Authentication Protocol.
                pap         Password Authentication Protocol.
        set source-ip {string}   Source IP address for communications to the RADIUS server. size[63]
        set username-case-sensitive {enable | disable}   Enable/disable case sensitive user names.
        config class
            edit {name}
            # Class attribute name(s).
                set name {string}   Class name. size[64]
            next
        set password-renewal {enable | disable}   Enable/disable password renewal.
        set password-encoding {auto | ISO-8859-1}   Password encoding.
                auto        Use original password encoding.
                ISO-8859-1  Use ISO-8859-1 password encoding.
        set acct-all-servers {enable | disable}   Enable/disable sending of accounting messages to all configured servers (default = disable).
        set rsso {enable | disable}   Enable/disable RADIUS based single sign on feature.
        set rsso-radius-server-port {integer}   UDP port to listen on for RADIUS Start and Stop records. range[0-65535]
        set rsso-radius-response {enable | disable}   Enable/disable sending RADIUS response packets after receiving Start and Stop records.
        set rsso-validate-request-secret {enable | disable}   Enable/disable validating the RADIUS request shared secret in the Start or End record.
        set rsso-secret {password_string}   RADIUS secret used by the RADIUS accounting server. size[31]
        set rsso-endpoint-attribute {option}   RADIUS attributes used to extract the user end point identifer from the RADIUS Start record.
                User-Name              Use this attribute.
                NAS-IP-Address         Use this attribute.
                Framed-IP-Address      Use this attribute.
                Framed-IP-Netmask      Use this attribute.
                Filter-Id              Use this attribute.
                Login-IP-Host          Use this attribute.
                Reply-Message          Use this attribute.
                Callback-Number        Use this attribute.
                Callback-Id            Use this attribute.
                Framed-Route           Use this attribute.
                Framed-IPX-Network     Use this attribute.
                Class                  Use this attribute.
                Called-Station-Id      Use this attribute.
                Calling-Station-Id     Use this attribute.
                NAS-Identifier         Use this attribute.
                Proxy-State            Use this attribute.
                Login-LAT-Service      Use this attribute.
                Login-LAT-Node         Use this attribute.
                Login-LAT-Group        Use this attribute.
                Framed-AppleTalk-Zone  Use this attribute.
                Acct-Session-Id        Use this attribute.
                Acct-Multi-Session-Id  Use this attribute.
        set rsso-endpoint-block-attribute {option}   RADIUS attributes used to block a user.
                User-Name              Use this attribute.
                NAS-IP-Address         Use this attribute.
                Framed-IP-Address      Use this attribute.
                Framed-IP-Netmask      Use this attribute.
                Filter-Id              Use this attribute.
                Login-IP-Host          Use this attribute.
                Reply-Message          Use this attribute.
                Callback-Number        Use this attribute.
                Callback-Id            Use this attribute.
                Framed-Route           Use this attribute.
                Framed-IPX-Network     Use this attribute.
                Class                  Use this attribute.
                Called-Station-Id      Use this attribute.
                Calling-Station-Id     Use this attribute.
                NAS-Identifier         Use this attribute.
                Proxy-State            Use this attribute.
                Login-LAT-Service      Use this attribute.
                Login-LAT-Node         Use this attribute.
                Login-LAT-Group        Use this attribute.
                Framed-AppleTalk-Zone  Use this attribute.
                Acct-Session-Id        Use this attribute.
                Acct-Multi-Session-Id  Use this attribute.
        set sso-attribute {option}   RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
                User-Name              Use this attribute.
                NAS-IP-Address         Use this attribute.
                Framed-IP-Address      Use this attribute.
                Framed-IP-Netmask      Use this attribute.
                Filter-Id              Use this attribute.
                Login-IP-Host          Use this attribute.
                Reply-Message          Use this attribute.
                Callback-Number        Use this attribute.
                Callback-Id            Use this attribute.
                Framed-Route           Use this attribute.
                Framed-IPX-Network     Use this attribute.
                Class                  Use this attribute.
                Called-Station-Id      Use this attribute.
                Calling-Station-Id     Use this attribute.
                NAS-Identifier         Use this attribute.
                Proxy-State            Use this attribute.
                Login-LAT-Service      Use this attribute.
                Login-LAT-Node         Use this attribute.
                Login-LAT-Group        Use this attribute.
                Framed-AppleTalk-Zone  Use this attribute.
                Acct-Session-Id        Use this attribute.
                Acct-Multi-Session-Id  Use this attribute.
        set sso-attribute-key {string}   Key prefix for SSO group value in the SSO attribute. size[35]
        set sso-attribute-value-override {enable | disable}   Enable/disable override old attribute value with new value for the same endpoint.
        set rsso-context-timeout {integer}   Time in seconds before the logged out user is removed from the "user context list" of logged on users. range[0-4294967295]
        set rsso-log-period {integer}   Time interval in seconds that group event log messages will be generated for dynamic profile events. range[0-4294967295]
        set rsso-log-flags {option}   Events to log.
                protocol-error          Enable this log type.
                profile-missing         Enable this log type.
                accounting-stop-missed  Enable this log type.
                accounting-event        Enable this log type.
                endpoint-block          Enable this log type.
                radiusd-other           Enable this log type.
                none                    Disable all logging.
        set rsso-flush-ip-session {enable | disable}   Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
        set rsso-ep-one-ip-only {enable | disable}   Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
        config accounting-server
            edit {id}
            # Additional accounting servers.
                set id {integer}   ID (0 - 4294967295). range[0-4294967295]
                set status {enable | disable}   Status.
                set server {string}   {<name_str|ip_str>} Server CN domain name or IP. size[63]
                set secret {password_string}   Secret key. size[128]
                set port {integer}   RADIUS accounting port number. range[0-65535]
                set source-ip {string}   Source IP address for communications to the RADIUS server. size[63]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

acct-interim-interval <seconds>

Note: This entry is only available when rsso is set to disable. Period of time in seconds between each accounting interim update message. Set the value between 600-86400 (or ten minutes to one day). The default is set to 0.

all-usergroup {enable | disable}

Note: This entry is only available when rsso is set to disable. Enable or disable (by default) automatically including this RADIUS server to all user groups.

auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Note: This entry is only available when rsso is set to disable. Authentication method for this RADIUS server.

  • auto: Automatic authentication setting, uses pap, ms_chap_v2, and chap. This is set by default.
  • ms_chap_v2: MS-CHAPv2
  • ms_chap: MS-CHAP
  • chap: Challenge-Handshake Authentication Protocol
  • pap: Password Authentication Protocol

class <name>

Class attribute name(s).

h3c-compatibility {enable | disable}

Enable or disable (by default) compatibility with the H3C's intelligent Management Center (iMC). When enabled, the supplicant requests 802.1X authentication and then sends a second phase security check request to the H3C IMC server.

nas-ip <ip>

Note: This entry is only available when rsso is set to disable. IP address of FortiGate interface used to communicate with the RADIUS server, and used as NAS-IP-Address and Called-Station-Id attribute in RADIUS access requests (see the rsso-endpoint-attribute entry below for full list of attributes).

password-renewal {enable | disable}

Enable or disable (by default) implementation of password renewal.

radius-coa {enable | disable}

Enable or disable (by default) RADIUS Change of Authorization (CoA), a mechanism that can change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated.

radius-port <port>

Note: This entry is only available when rsso is set to disable. RADIUS service port number. Set the value between 0-65535. The default is set to 0.

rsso {enable | disable}

Enable (or disable by default) RADIUS SSO (RSSO) to set a variety of options and configure an RSSO agent. FortiOS will then accept connections on the port defined in the rsso-radius-server-port entry (see entry below).

rsso-context-timeout <seconds>

Period of time in seconds before the logged on user is removed from the "user context list" of logged on users. Set the value between 1-4294967295 (or one second to 136+ years), or 0 for users you want to remain on the list. The default is set to 28800 (or eight hours). This timeout is only necessary if FortiOS doesn’t receive RADIUS Stop records. However it's advisable to set a timeout in case the FortiGate unit misses a Stop record.

rsso-endpoint-attribute <attribute>

Note: All attributes listed below are also available under the rsso-endpoint-block-attribute and sso-attribute entries. To extract the user end point identifier from the RADIUS Start record, this entry must be set to the name of the RADIUS attribute that contains the end point identifier. The RADIUS attribute must match one of the attributes available. Attributes are case sensitive. The default is set to Calling-Station-IdCalling-Station-Id. Select from the table shown below:

User-Name Login-IP-Host Called-Station-Id Acct-Output-Octets
User-Password Login-Service Calling-Station-Id Acct-Session-Id
CHAP-Password Login-TCP-Port NAS-Identifier Acct-Authentic
NAS-IP-Address Reply-Message Proxy-State Acct-Session-Time
NAS-Port Callback-Number Login-LAT-Service Acct-Input-Packets
Service-Type Callback-Id Login-LAT-Node Acct-Output-Packets
Framed-Protocol Framed-Route Login-LAT-Group Acct-Terminate-Cause
Framed-IP-Address Framed-IPX-Network Framed-AppleTalk-Link Acct-Multi-Session-Id
Framed-IP-Netmask State Framed-AppleTalk-Network Acct-Link-Count
Framed-Routing Class Framed-AppleTalk-Zone CHAP-Challenge
Filter-Id Session-Timeout Acct-Status-Type NAS-Port-Type
Framed-MTU Idle-Timeout Acct-Delay-Time Port-Limit
Framed-Compression Termination-Action Acct-Input-Octets Login-LAT-Port

rsso-endpoint-block-attribute <attribute>

RADIUS attribute used to block a user. See the rsso-endpoint-attribute entry for a full list of the attributes available.

rsso-ep-one-ip-only {enable | disable}

Enable or disable (by default) the replacement of old IP addresses with new IP addresses for the same endpoint on RADIUS accounting Start messages.

rsso-flush-ip-session {enable | disable}

Enable (or disable by default) to flush user IP sessions on RADIUS accounting Stop messages.

rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}

Defines how event log messages are written. Multiple options can be set, each separated by a space.

  • protocol-error: Writes an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
  • profile-missing: Writes an event log message whenever FortiOS cannot find a group name in a RADIUS Start message that matches the name of an RSSO user group in FortiOS.
  • accounting-stop-missed: Writes an event log message whenever a user context entry timeout expires indicating that FortiOS removed an entry from the user context list without receiving a RADIUS Stop message.
  • accounting-event: Writes an event log message when FortiOS does not find the expected information in a RADIUS Record. For example, if a RADIUS record contains more than the expected number of addresses.
  • endpoint-block: Writes an event log message whenever a user is blocked.
  • radiusd-other: Writes an event log message for other events. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.
  • none: Disable logging of RADIUS SSO events.

rsso-log-period <seconds>

Time interval in seconds that FortiOS will generate group event log messages for dynamic profile events. This is to avoid generating groups of event log messages continuously. Each log message contains the number of events of that type occurred. Set the value between 1-4294967295 (or one second to 136+ years), or 0 (by default) to generate all event log messages in real time.

rsso-radius-response {enable | disable}

Enable (or disable by default) FortiOS to send RADIUS responses after receiving RADIUS Start and Stop records.

rsso-radius-server-port <port>

The connection that FortiOS listens for RADIUS Start and Stop records on this port. Set the value between 0-65535. The default is set to 1813. If necessary, change the UDP port number used by the RADIUS accounting server for sending RADIUS records.

rsso-secret <password>

RADIUS secret used by the RADIUS accounting server.

rsso-validate-request-secret {enable | disable}

Enable (or disable by default) FortiOS to verify that the RADIUS secret matches the RADIUS secret in the RADIUS Start or End record. Verifying the RADIUS secret confirms the RADIUS record as valid.

secret <key>

Note: This entry is only available when rsso is set to disable. RADIUS server shared secret key. The key should be a maximum of 16 characters in length.

server <name/ip>

Note: This entry is only available when rsso is set to disable. RADIUS server domain name or IP address (host name must comply with RFC1035).

source-ip <ip>

Note: This entry is only available when rsso is set to disable. Source IP for communications to the RADIUS server.

sso-attribute <attribute>

Name of the RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. The default is set to Class. See the rsso-endpoint-attribute entry for a full list of the attributes available.

sso-attribute-key <key>

Key prefix for SSO group value in the SSO attribute, with a maximum length of 36 characters.

sso-attribute-value-override {enable | disable}

Enable (by default) or disable overriding old attribute with a new attribute for the same endpoint.

timeout <timeout>

Period of time in seconds between re-sending authentication requests. Set the value between 1-300. The default is set to 5. These requests occur during the remoteauthtimeout period set in the system global command.

use-management-vdom {enable | disable}

Note: This entry is only available when rsso is set to disable. Enable or disable (by default) using the management VDOM to send requests.

username-case-sensitive {enable | disable}

Enable or disable (by default) implementation of username case-sensitivity.

user radius

Use this command to add or edit information used for RADIUS authentication. You may set different ports for each of your RADIUS servers, of which you can configure a maximum of ten.

note icon

If your RADIUS server uses a different port, other than the default RADIUS port of 1812, you can change the default RADIUS port here using the radius-port setting.

Please note that radius-port is set to a default of 0. When this is the case, the global system-wide port is used. To see the global RADIUS port, enter the following command:

show full system global | grep rad

Note: All RADIUS Single-Sign On (RSSO) and other SSO related entries are only available when rsso is set to enable.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set acct-all-servers {enable | disable}

Enable or disable (by default) sending accounting messages to all configured servers.

config user radius
    edit {name}
    # Configure RADIUS server entries.
        set name {string}   RADIUS server entry name. size[35]
        set server {string}   Primary RADIUS server CN domain name or IP address. size[63]
        set secret {password_string}   Pre-shared secret key used to access the primary RADIUS server. size[128]
        set secondary-server {string}   {<name_str|ip_str>} secondary RADIUS CN domain name or IP. size[63]
        set secondary-secret {password_string}   Secret key to access the secondary server. size[128]
        set tertiary-server {string}   {<name_str|ip_str>} tertiary RADIUS CN domain name or IP. size[63]
        set tertiary-secret {password_string}   Secret key to access the tertiary server. size[128]
        set timeout {integer}   Time in seconds between re-sending authentication requests. range[1-300]
        set all-usergroup {disable | enable}   Enable/disable automatically including this RADIUS server in all user groups.
        set use-management-vdom {enable | disable}   Enable/disable using management VDOM to send requests.
        set nas-ip {ipv4 address}   IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
        set acct-interim-interval {integer}   Time in seconds between each accounting interim update message. range[600-86400]
        set radius-coa {enable | disable}   Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
        set radius-port {integer}   RADIUS service port number. range[0-65535]
        set h3c-compatibility {enable | disable}   Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.
        set auth-type {option}   Authentication methods/protocols permitted for this RADIUS server.
                auto        Use PAP, MSCHAP_v2, and CHAP (in that order).
                ms_chap_v2  Microsoft Challenge Handshake Authentication Protocol version 2.
                ms_chap     Microsoft Challenge Handshake Authentication Protocol.
                chap        Challenge Handshake Authentication Protocol.
                pap         Password Authentication Protocol.
        set source-ip {string}   Source IP address for communications to the RADIUS server. size[63]
        set username-case-sensitive {enable | disable}   Enable/disable case sensitive user names.
        config class
            edit {name}
            # Class attribute name(s).
                set name {string}   Class name. size[64]
            next
        set password-renewal {enable | disable}   Enable/disable password renewal.
        set password-encoding {auto | ISO-8859-1}   Password encoding.
                auto        Use original password encoding.
                ISO-8859-1  Use ISO-8859-1 password encoding.
        set acct-all-servers {enable | disable}   Enable/disable sending of accounting messages to all configured servers (default = disable).
        set rsso {enable | disable}   Enable/disable RADIUS based single sign on feature.
        set rsso-radius-server-port {integer}   UDP port to listen on for RADIUS Start and Stop records. range[0-65535]
        set rsso-radius-response {enable | disable}   Enable/disable sending RADIUS response packets after receiving Start and Stop records.
        set rsso-validate-request-secret {enable | disable}   Enable/disable validating the RADIUS request shared secret in the Start or End record.
        set rsso-secret {password_string}   RADIUS secret used by the RADIUS accounting server. size[31]
        set rsso-endpoint-attribute {option}   RADIUS attributes used to extract the user end point identifer from the RADIUS Start record.
                User-Name              Use this attribute.
                NAS-IP-Address         Use this attribute.
                Framed-IP-Address      Use this attribute.
                Framed-IP-Netmask      Use this attribute.
                Filter-Id              Use this attribute.
                Login-IP-Host          Use this attribute.
                Reply-Message          Use this attribute.
                Callback-Number        Use this attribute.
                Callback-Id            Use this attribute.
                Framed-Route           Use this attribute.
                Framed-IPX-Network     Use this attribute.
                Class                  Use this attribute.
                Called-Station-Id      Use this attribute.
                Calling-Station-Id     Use this attribute.
                NAS-Identifier         Use this attribute.
                Proxy-State            Use this attribute.
                Login-LAT-Service      Use this attribute.
                Login-LAT-Node         Use this attribute.
                Login-LAT-Group        Use this attribute.
                Framed-AppleTalk-Zone  Use this attribute.
                Acct-Session-Id        Use this attribute.
                Acct-Multi-Session-Id  Use this attribute.
        set rsso-endpoint-block-attribute {option}   RADIUS attributes used to block a user.
                User-Name              Use this attribute.
                NAS-IP-Address         Use this attribute.
                Framed-IP-Address      Use this attribute.
                Framed-IP-Netmask      Use this attribute.
                Filter-Id              Use this attribute.
                Login-IP-Host          Use this attribute.
                Reply-Message          Use this attribute.
                Callback-Number        Use this attribute.
                Callback-Id            Use this attribute.
                Framed-Route           Use this attribute.
                Framed-IPX-Network     Use this attribute.
                Class                  Use this attribute.
                Called-Station-Id      Use this attribute.
                Calling-Station-Id     Use this attribute.
                NAS-Identifier         Use this attribute.
                Proxy-State            Use this attribute.
                Login-LAT-Service      Use this attribute.
                Login-LAT-Node         Use this attribute.
                Login-LAT-Group        Use this attribute.
                Framed-AppleTalk-Zone  Use this attribute.
                Acct-Session-Id        Use this attribute.
                Acct-Multi-Session-Id  Use this attribute.
        set sso-attribute {option}   RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
                User-Name              Use this attribute.
                NAS-IP-Address         Use this attribute.
                Framed-IP-Address      Use this attribute.
                Framed-IP-Netmask      Use this attribute.
                Filter-Id              Use this attribute.
                Login-IP-Host          Use this attribute.
                Reply-Message          Use this attribute.
                Callback-Number        Use this attribute.
                Callback-Id            Use this attribute.
                Framed-Route           Use this attribute.
                Framed-IPX-Network     Use this attribute.
                Class                  Use this attribute.
                Called-Station-Id      Use this attribute.
                Calling-Station-Id     Use this attribute.
                NAS-Identifier         Use this attribute.
                Proxy-State            Use this attribute.
                Login-LAT-Service      Use this attribute.
                Login-LAT-Node         Use this attribute.
                Login-LAT-Group        Use this attribute.
                Framed-AppleTalk-Zone  Use this attribute.
                Acct-Session-Id        Use this attribute.
                Acct-Multi-Session-Id  Use this attribute.
        set sso-attribute-key {string}   Key prefix for SSO group value in the SSO attribute. size[35]
        set sso-attribute-value-override {enable | disable}   Enable/disable override old attribute value with new value for the same endpoint.
        set rsso-context-timeout {integer}   Time in seconds before the logged out user is removed from the "user context list" of logged on users. range[0-4294967295]
        set rsso-log-period {integer}   Time interval in seconds that group event log messages will be generated for dynamic profile events. range[0-4294967295]
        set rsso-log-flags {option}   Events to log.
                protocol-error          Enable this log type.
                profile-missing         Enable this log type.
                accounting-stop-missed  Enable this log type.
                accounting-event        Enable this log type.
                endpoint-block          Enable this log type.
                radiusd-other           Enable this log type.
                none                    Disable all logging.
        set rsso-flush-ip-session {enable | disable}   Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
        set rsso-ep-one-ip-only {enable | disable}   Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
        config accounting-server
            edit {id}
            # Additional accounting servers.
                set id {integer}   ID (0 - 4294967295). range[0-4294967295]
                set status {enable | disable}   Status.
                set server {string}   {<name_str|ip_str>} Server CN domain name or IP. size[63]
                set secret {password_string}   Secret key. size[128]
                set port {integer}   RADIUS accounting port number. range[0-65535]
                set source-ip {string}   Source IP address for communications to the RADIUS server. size[63]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

acct-interim-interval <seconds>

Note: This entry is only available when rsso is set to disable. Period of time in seconds between each accounting interim update message. Set the value between 600-86400 (or ten minutes to one day). The default is set to 0.

all-usergroup {enable | disable}

Note: This entry is only available when rsso is set to disable. Enable or disable (by default) automatically including this RADIUS server to all user groups.

auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Note: This entry is only available when rsso is set to disable. Authentication method for this RADIUS server.

  • auto: Automatic authentication setting, uses pap, ms_chap_v2, and chap. This is set by default.
  • ms_chap_v2: MS-CHAPv2
  • ms_chap: MS-CHAP
  • chap: Challenge-Handshake Authentication Protocol
  • pap: Password Authentication Protocol

class <name>

Class attribute name(s).

h3c-compatibility {enable | disable}

Enable or disable (by default) compatibility with the H3C's intelligent Management Center (iMC). When enabled, the supplicant requests 802.1X authentication and then sends a second phase security check request to the H3C IMC server.

nas-ip <ip>

Note: This entry is only available when rsso is set to disable. IP address of FortiGate interface used to communicate with the RADIUS server, and used as NAS-IP-Address and Called-Station-Id attribute in RADIUS access requests (see the rsso-endpoint-attribute entry below for full list of attributes).

password-renewal {enable | disable}

Enable or disable (by default) implementation of password renewal.

radius-coa {enable | disable}

Enable or disable (by default) RADIUS Change of Authorization (CoA), a mechanism that can change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated.

radius-port <port>

Note: This entry is only available when rsso is set to disable. RADIUS service port number. Set the value between 0-65535. The default is set to 0.

rsso {enable | disable}

Enable (or disable by default) RADIUS SSO (RSSO) to set a variety of options and configure an RSSO agent. FortiOS will then accept connections on the port defined in the rsso-radius-server-port entry (see entry below).

rsso-context-timeout <seconds>

Period of time in seconds before the logged on user is removed from the "user context list" of logged on users. Set the value between 1-4294967295 (or one second to 136+ years), or 0 for users you want to remain on the list. The default is set to 28800 (or eight hours). This timeout is only necessary if FortiOS doesn’t receive RADIUS Stop records. However it's advisable to set a timeout in case the FortiGate unit misses a Stop record.

rsso-endpoint-attribute <attribute>

Note: All attributes listed below are also available under the rsso-endpoint-block-attribute and sso-attribute entries. To extract the user end point identifier from the RADIUS Start record, this entry must be set to the name of the RADIUS attribute that contains the end point identifier. The RADIUS attribute must match one of the attributes available. Attributes are case sensitive. The default is set to Calling-Station-IdCalling-Station-Id. Select from the table shown below:

User-Name Login-IP-Host Called-Station-Id Acct-Output-Octets
User-Password Login-Service Calling-Station-Id Acct-Session-Id
CHAP-Password Login-TCP-Port NAS-Identifier Acct-Authentic
NAS-IP-Address Reply-Message Proxy-State Acct-Session-Time
NAS-Port Callback-Number Login-LAT-Service Acct-Input-Packets
Service-Type Callback-Id Login-LAT-Node Acct-Output-Packets
Framed-Protocol Framed-Route Login-LAT-Group Acct-Terminate-Cause
Framed-IP-Address Framed-IPX-Network Framed-AppleTalk-Link Acct-Multi-Session-Id
Framed-IP-Netmask State Framed-AppleTalk-Network Acct-Link-Count
Framed-Routing Class Framed-AppleTalk-Zone CHAP-Challenge
Filter-Id Session-Timeout Acct-Status-Type NAS-Port-Type
Framed-MTU Idle-Timeout Acct-Delay-Time Port-Limit
Framed-Compression Termination-Action Acct-Input-Octets Login-LAT-Port

rsso-endpoint-block-attribute <attribute>

RADIUS attribute used to block a user. See the rsso-endpoint-attribute entry for a full list of the attributes available.

rsso-ep-one-ip-only {enable | disable}

Enable or disable (by default) the replacement of old IP addresses with new IP addresses for the same endpoint on RADIUS accounting Start messages.

rsso-flush-ip-session {enable | disable}

Enable (or disable by default) to flush user IP sessions on RADIUS accounting Stop messages.

rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}

Defines how event log messages are written. Multiple options can be set, each separated by a space.

  • protocol-error: Writes an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
  • profile-missing: Writes an event log message whenever FortiOS cannot find a group name in a RADIUS Start message that matches the name of an RSSO user group in FortiOS.
  • accounting-stop-missed: Writes an event log message whenever a user context entry timeout expires indicating that FortiOS removed an entry from the user context list without receiving a RADIUS Stop message.
  • accounting-event: Writes an event log message when FortiOS does not find the expected information in a RADIUS Record. For example, if a RADIUS record contains more than the expected number of addresses.
  • endpoint-block: Writes an event log message whenever a user is blocked.
  • radiusd-other: Writes an event log message for other events. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.
  • none: Disable logging of RADIUS SSO events.

rsso-log-period <seconds>

Time interval in seconds that FortiOS will generate group event log messages for dynamic profile events. This is to avoid generating groups of event log messages continuously. Each log message contains the number of events of that type occurred. Set the value between 1-4294967295 (or one second to 136+ years), or 0 (by default) to generate all event log messages in real time.

rsso-radius-response {enable | disable}

Enable (or disable by default) FortiOS to send RADIUS responses after receiving RADIUS Start and Stop records.

rsso-radius-server-port <port>

The connection that FortiOS listens for RADIUS Start and Stop records on this port. Set the value between 0-65535. The default is set to 1813. If necessary, change the UDP port number used by the RADIUS accounting server for sending RADIUS records.

rsso-secret <password>

RADIUS secret used by the RADIUS accounting server.

rsso-validate-request-secret {enable | disable}

Enable (or disable by default) FortiOS to verify that the RADIUS secret matches the RADIUS secret in the RADIUS Start or End record. Verifying the RADIUS secret confirms the RADIUS record as valid.

secret <key>

Note: This entry is only available when rsso is set to disable. RADIUS server shared secret key. The key should be a maximum of 16 characters in length.

server <name/ip>

Note: This entry is only available when rsso is set to disable. RADIUS server domain name or IP address (host name must comply with RFC1035).

source-ip <ip>

Note: This entry is only available when rsso is set to disable. Source IP for communications to the RADIUS server.

sso-attribute <attribute>

Name of the RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. The default is set to Class. See the rsso-endpoint-attribute entry for a full list of the attributes available.

sso-attribute-key <key>

Key prefix for SSO group value in the SSO attribute, with a maximum length of 36 characters.

sso-attribute-value-override {enable | disable}

Enable (by default) or disable overriding old attribute with a new attribute for the same endpoint.

timeout <timeout>

Period of time in seconds between re-sending authentication requests. Set the value between 1-300. The default is set to 5. These requests occur during the remoteauthtimeout period set in the system global command.

use-management-vdom {enable | disable}

Note: This entry is only available when rsso is set to disable. Enable or disable (by default) using the management VDOM to send requests.

username-case-sensitive {enable | disable}

Enable or disable (by default) implementation of username case-sensitivity.