Fortinet Document Library

CLI Reference

config user radius

Configure RADIUS server entries.

config user radius
    Description: Configure RADIUS server entries.
    edit <name>
        set server {string}
        set secret {password}
        set secondary-server {string}
        set secondary-secret {password}
        set tertiary-server {string}
        set tertiary-secret {password}
        set timeout {integer}
        set all-usergroup [disable|enable]
        set use-management-vdom [enable|disable]
        set nas-ip {ipv4-address}
        set acct-interim-interval {integer}
        set radius-coa [enable|disable]
        set radius-port {integer}
        set h3c-compatibility [enable|disable]
        set auth-type [auto|ms_chap_v2|...]
        set source-ip {string}
        set username-case-sensitive [enable|disable]
        set class <name1>, <name2>, ...
        set password-renewal [enable|disable]
        set password-encoding [auto|ISO-8859-1]
        set acct-all-servers [enable|disable]
        set interface-select-method [auto|sdwan|...]
        set interface {string}
        set rsso [enable|disable]
        set rsso-radius-server-port {integer}
        set rsso-radius-response [enable|disable]
        set rsso-validate-request-secret [enable|disable]
        set rsso-secret {password}
        set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
        set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute-key {string}
        set sso-attribute-value-override [enable|disable]
        set rsso-context-timeout {integer}
        set rsso-log-period {integer}
        set rsso-log-flags {option1}, {option2}, ...
        set rsso-flush-ip-session [enable|disable]
        set rsso-ep-one-ip-only [enable|disable]
        config accounting-server
            Description: Additional accounting servers.
            edit <id>
                set status [enable|disable]
                set server {string}
                set secret {password}
                set port {integer}
                set source-ip {string}
                set interface-select-method [auto|sdwan|...]
                set interface {string}
            next
        end
    next
end

config user radius

server
    Primary RADIUS server CN domain name or IP address.
    Type: string. Size: maximum length 63.

secret
    Pre-shared secret key used to access the primary RADIUS server.
    Type: password. Size: not specified.

secondary-server
    {<name_str|ip_str>} Secondary RADIUS CN domain name or IP.
    Type: string. Size: maximum length 63.

secondary-secret
    Secret key to access the secondary server.
    Type: password. Size: not specified.

tertiary-server
    {<name_str|ip_str>} Tertiary RADIUS CN domain name or IP.
    Type: string. Size: maximum length 63.

tertiary-secret
    Secret key to access the tertiary server.
    Type: password. Size: not specified.

timeout
    Time in seconds between re-sending authentication requests.
    Type: integer. Size: minimum value 1, maximum value 300.

all-usergroup
    Enable/disable automatically including this RADIUS server in all user groups.
    Type: option.
        disable: Do not automatically include this server in a user group.
        enable: Include this RADIUS server in every user group.

use-management-vdom
    Enable/disable using the management VDOM to send requests.
    Type: option.
        enable: Send requests using the management VDOM.
        disable: Send requests using the current VDOM.

nas-ip
    IP address used to communicate with the RADIUS server and used as the NAS-IP-Address and Called-Station-ID attributes.
    Type: ipv4-address. Size: not specified.

acct-interim-interval
    Time in seconds between each accounting interim update message.
    Type: integer. Size: minimum value 600, maximum value 86400.

radius-coa
    Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
    Type: option.
        enable: Enable RADIUS CoA.
        disable: Disable RADIUS CoA.

radius-port
    RADIUS service port number.
    Type: integer. Size: minimum value 0, maximum value 65535.

h3c-compatibility
    Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication.
    Type: option.
        enable: Enable H3C compatibility.
        disable: Disable H3C compatibility.

auth-type
    Authentication methods/protocols permitted for this RADIUS server.
    Type: option.
        auto: Use PAP, MSCHAP_v2, and CHAP (in that order).
        ms_chap_v2: Microsoft Challenge Handshake Authentication Protocol version 2.
        ms_chap: Microsoft Challenge Handshake Authentication Protocol.
        chap: Challenge Handshake Authentication Protocol.
        pap: Password Authentication Protocol.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string. Size: maximum length 63.

username-case-sensitive
    Enable/disable case-sensitive user names.
    Type: option.
        enable: User names are case-sensitive.
        disable: User names are not case-sensitive.

class <name>
    Class attribute name(s). Each <name> is a class name.
    Type: string. Size: maximum length 79.

password-renewal
    Enable/disable password renewal.
    Type: option.
        enable: Enable password renewal.
        disable: Disable password renewal.

password-encoding
    Password encoding.
    Type: option.
        auto: Use original password encoding.
        ISO-8859-1: Use ISO-8859-1 password encoding.

acct-all-servers
    Enable/disable sending of accounting messages to all configured servers.
    Type: option.
        enable: Send accounting messages to all configured servers.
        disable: Send accounting messages only to servers that are confirmed to be reachable.

interface-select-method
    Specify how to select the outgoing interface to reach the server.
    Type: option.
        auto: Set outgoing interface automatically.
        sdwan: Set outgoing interface by SD-WAN or policy routing rules.
        specify: Set outgoing interface manually.

interface
    Specify the outgoing interface to reach the server.
    Type: string. Size: maximum length 15.

rsso
    Enable/disable the RADIUS-based single sign-on feature.
    Type: option.
        enable: Enable RADIUS-based single sign-on.
        disable: Disable RADIUS-based single sign-on.

rsso-radius-server-port
    UDP port to listen on for RADIUS Start and Stop records.
    Type: integer. Size: minimum value 0, maximum value 65535.

rsso-radius-response
    Enable/disable sending RADIUS response packets after receiving Start and Stop records.
    Type: option.
        enable: Enable sending RADIUS response packets.
        disable: Disable sending RADIUS response packets.

rsso-validate-request-secret
    Enable/disable validating the RADIUS request shared secret in the Start or End record.
    Type: option.
        enable: Enable validating the RADIUS request shared secret.
        disable: Disable validating the RADIUS request shared secret.

rsso-secret
    RADIUS secret used by the RADIUS accounting server.
    Type: password. Size: not specified.

rsso-endpoint-attribute
    RADIUS attributes used to extract the user endpoint identifier from the RADIUS Start record.
    Type: option. Any one of the following RADIUS attributes can be selected:
        User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id.

rsso-endpoint-block-attribute
    RADIUS attributes used to block a user.
    Type: option. Same attribute choices as rsso-endpoint-attribute.

sso-attribute
    RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
    Type: option. Same attribute choices as rsso-endpoint-attribute.

sso-attribute-key
    Key prefix for the SSO group value in the SSO attribute.
    Type: string. Size: maximum length 35.

sso-attribute-value-override
    Enable/disable overriding the old attribute value with the new value for the same endpoint.
    Type: option.
        enable: Override the old attribute value with the new value for the same endpoint.
        disable: Do not override the old attribute value with the new value for the same endpoint.

rsso-context-timeout
    Time in seconds before the logged-out user is removed from the "user context list" of logged-on users.
    Type: integer. Size: minimum value 0, maximum value 4294967295.

rsso-log-period
    Time interval in seconds at which group event log messages are generated for dynamic profile events.
    Type: integer. Size: minimum value 0, maximum value 4294967295.

rsso-log-flags
    Events to log.
    Type: option. Each of the following enables that log type: protocol-error, profile-missing, accounting-stop-missed, accounting-event, endpoint-block, radiusd-other. The value none disables all logging.

rsso-flush-ip-session
    Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
    Type: option.
        enable: Flush user IP sessions on RADIUS accounting Stop.
        disable: Do not flush user IP sessions on RADIUS accounting Stop.

rsso-ep-one-ip-only
    Enable/disable replacing old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
    Type: option.
        enable: Replace the old IP address with the new IP address for the same endpoint on RADIUS accounting Start.
        disable: Do not replace the old IP address with the new IP address for the same endpoint on RADIUS accounting Start.

config accounting-server

status
    Status.
    Type: option.
        enable: Log to remote syslog server.
        disable: Do not log to remote syslog server.

server
    {<name_str|ip_str>} Server CN domain name or IP.
    Type: string. Size: maximum length 63.

secret
    Secret key.
    Type: password. Size: not specified.

port
    RADIUS accounting port number.
    Type: integer. Size: minimum value 0, maximum value 65535.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string. Size: maximum length 63.

interface-select-method
    Specify how to select the outgoing interface to reach the server.
    Type: option.
        auto: Set outgoing interface automatically.
        sdwan: Set outgoing interface by SD-WAN or policy routing rules.
        specify: Set outgoing interface manually.

interface
    Specify the outgoing interface to reach the server.
    Type: string. Size: maximum length 15.
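The config/edit/set/next/end syntax documented above is also what a reviewer has to consume when checking a fleet of FortiGate configurations. The following Python is an added example, not Fortinet's tooling and not part of this reference: it parses that structure and flags the RADIUS settings a security reviewer would question (PAP permitted through auth-type pap or auto, a server configured without its secret, RSSO enabled without rsso-validate-request-secret or rsso-secret, all-usergroup enable, and an enabled accounting-server entry without a secret). The checks and severities are this example's own judgement rather than Fortinet guidance; the constructed sample uses placeholder hostnames and secrets; and the remark that PAP carries the password protected only by the RADIUS shared secret is general RADIUS behaviour, not a statement from this page.

```python
"""Audit FortiOS ``config user radius`` entries for weak settings (added example,
not Fortinet tooling). Parses the config/edit/set/next/end syntax on this page;
checks and severities are this example's own; names and secrets are placeholders."""
import shlex

# Constructed sample config: a weak entry beside a hardened one (placeholders).
SAMPLE_CONFIG = """\
config user radius
    edit "legacy-radius"
        set server "radius1.example.invalid"
        set auth-type pap
        set all-usergroup enable
        set rsso enable
        set rsso-validate-request-secret disable
        set rsso-secret "PLACEHOLDER-RSSO-SECRET"
    next
    edit "hardened-radius"
        set server "radius1.example.invalid"
        set secret "PLACEHOLDER-SECRET"
        set secondary-server "radius2.example.invalid"
        set secondary-secret "PLACEHOLDER-SECRET"
        set auth-type ms_chap_v2
        set rsso enable
        set rsso-validate-request-secret enable
        set rsso-secret "PLACEHOLDER-RSSO-SECRET"
        config accounting-server
            edit 1
                set status enable
                set server "acct1.example.invalid"
                set secret "PLACEHOLDER-SECRET"
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    Shape: {table: {entry: {setting: value, ...}}}. A ``set`` with one value
    stores a string, with several (e.g. ``set class a b``) a list. A ``config``
    sub-table inside an entry is stored under the entry by its own name.
    """
    root = {}
    stack = [root]  # innermost open container is stack[-1]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names FortiOS emits
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        container = stack[-1]
        if cmd == "config":
            stack.append(container.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(container.setdefault(args[0], {}))
        elif cmd == "set":
            container[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit_radius_entry(entry):
    """Return [(severity, message)] findings for one ``config user radius`` entry."""
    findings = []
    auth = entry.get("auth-type")
    if auth in ("pap", "auto"):
        # The reference says auto tries PAP first; PAP sends the password
        # protected only by the shared secret, so prefer a challenge protocol.
        findings.append(("HIGH", f"auth-type {auth}: PAP is permitted"))
    elif auth is None:
        findings.append(("LOW", "auth-type not set explicitly; pin it to ms_chap_v2 or chap"))
    for prefix in ("", "secondary-", "tertiary-"):
        if prefix + "server" in entry and prefix + "secret" not in entry:
            findings.append(("HIGH", f"{prefix}server set without {prefix}secret"))
    if entry.get("rsso") == "enable":
        if entry.get("rsso-validate-request-secret") != "enable":
            findings.append(("HIGH", "rsso enabled without rsso-validate-request-secret: "
                             "Start/Stop records are accepted without secret validation"))
        if "rsso-secret" not in entry:
            findings.append(("HIGH", "rsso enabled without rsso-secret"))
    if entry.get("all-usergroup") == "enable":
        findings.append(("LOW", "all-usergroup enable: server is included in every user group"))
    for acct_id, acct in entry.get("accounting-server", {}).items():
        if acct.get("status") == "enable" and "secret" not in acct:
            findings.append(("MEDIUM", f"accounting-server {acct_id} enabled without secret"))
    return findings


def audit_config(text):
    """Audit every entry under ``config user radius``; returns {entry: findings}."""
    servers = parse_fortios(text).get("user radius", {})
    return {name: audit_radius_entry(entry) for name, entry in servers.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as a script it reports on the embedded sample; pass the text of a configuration backup to `audit_config()` to review real entries. Only the `user radius` table is inspected, so other tables and backup header lines are parsed past without effect. Absence of a `secret` is reported rather than its strength, since a backup stores secrets in encrypted form and the reviewer cannot judge them from the file.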
