Fortinet white logo
Fortinet white logo

CLI Reference

user radius

Configure RADIUS server entries.

  config user radius
      Description: Configure RADIUS server entries.
      edit <name>
          set server {string}
          set secret {password}
          set secondary-server {string}
          set secondary-secret {password}
          set tertiary-server {string}
          set tertiary-secret {password}
          set timeout {integer}
          set all-usergroup [disable|enable]
          set use-management-vdom [enable|disable]
          set nas-ip {ipv4-address}
          set acct-interim-interval {integer}
          set radius-coa [enable|disable]
          set radius-port {integer}
          set h3c-compatibility [enable|disable]
          set auth-type [auto|ms_chap_v2|...]
          set source-ip {string}
          set username-case-sensitive [enable|disable]
          set group-override-attr-type [filter-Id|class]
          set class <name1>, <name2>, ...
          set password-renewal [enable|disable]
          set password-encoding [auto|ISO-8859-1]
          set acct-all-servers [enable|disable]
          set switch-controller-acct-fast-framedip-detect {integer}
          set interface-select-method [auto|sdwan|...]
          set interface {string}
          set switch-controller-service-type {option1}, {option2}, ...
          set rsso [enable|disable]
          set rsso-radius-server-port {integer}
          set rsso-radius-response [enable|disable]
          set rsso-validate-request-secret [enable|disable]
          set rsso-secret {password}
          set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
          set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
          set sso-attribute [User-Name|NAS-IP-Address|...]
          set sso-attribute-key {string}
          set sso-attribute-value-override [enable|disable]
          set rsso-context-timeout {integer}
          set rsso-log-period {integer}
          set rsso-log-flags {option1}, {option2}, ...
          set rsso-flush-ip-session [enable|disable]
          set rsso-ep-one-ip-only [enable|disable]
          config accounting-server
              Description: Additional accounting servers.
              edit <id>
                  set status [enable|disable]
                  set server {string}
                  set secret {password}
                  set port {integer}
                  set source-ip {string}
                  set interface-select-method [auto|sdwan|...]
                  set interface {string}
              next
          end
      next
  end

config user radius

Parameter Name Description Type Size
server Primary RADIUS server CN domain name or IP address. string Maximum length: 63
secret Pre-shared secret key used to access the primary RADIUS server. password Not Specified
secondary-server {<name_str ip_str>} secondary RADIUS CN domain name or IP. string Maximum length: 63
secondary-secret Secret key to access the secondary server. password Not Specified
tertiary-server {<name_str ip_str>} tertiary RADIUS CN domain name or IP. string Maximum length: 63
tertiary-secret Secret key to access the tertiary server. password Not Specified
timeout Time in seconds between re-sending authentication requests. integer Minimum value: 1 Maximum value: 300
all-usergroup Enable/disable automatically including this RADIUS server in all user groups.
disable: Do not automatically include this server in a user group.
enable: Include this RADIUS server in every user group.
option -
use-management-vdom Enable/disable using management VDOM to send requests.
enable: Send requests using the management VDOM.
disable: Send requests using the current VDOM.
option -
nas-ip IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes. ipv4-address Not Specified
acct-interim-interval Time in seconds between each accounting interim update message. integer Minimum value: 60 Maximum value: 86400
radius-coa Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
enable: Enable RADIUS CoA.
disable: Disable RADIUS CoA.
option -
radius-port RADIUS service port number. integer Minimum value: 0 Maximum value: 65535
h3c-compatibility Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.
enable: Enable H3C compatibility.
disable: Disable H3C compatibility.
option -
auth-type Authentication methods/protocols permitted for this RADIUS server.
auto: Use PAP, MSCHAP_v2, and CHAP (in that order).
ms_chap_v2: Microsoft Challenge Handshake Authentication Protocol version 2.
ms_chap: Microsoft Challenge Handshake Authentication Protocol.
chap: Challenge Handshake Authentication Protocol.
pap: Password Authentication Protocol.
option -
source-ip Source IP address for communications to the RADIUS server. string Maximum length: 63
username-case-sensitive Enable/disable case sensitive user names.
enable: Enable username case-sensitive.
disable: Disable username case-sensitive.
option -
group-override-attr-type RADIUS attribute type to override user group information.
filter-Id: Filter-Id
class: Class
option -
class <name> Class attribute name(s).
Class name.
string Maximum length: 79
password-renewal Enable/disable password renewal.
enable: Enable password renewal.
disable: Disable password renewal.
option -
password-encoding Password encoding.
auto: Use original password encoding.
ISO-8859-1: Use ISO-8859-1 password encoding.
option -
acct-all-servers Enable/disable sending of accounting messages to all configured servers (default = disable).
enable: Send accounting messages to all configured servers.
disable: Send accounting message only to servers that are confirmed to be reachable.
option -
switch-controller-acct-fast-framedip-detect Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2). integer Minimum value: 2 Maximum value: 600
interface-select-method Specify how to select outgoing interface to reach server.
auto: Set outgoing interface automatically.
sdwan: Set outgoing interface by SD-WAN or policy routing rules.
specify: Set outgoing interface manually.
option -
interface Specify outgoing interface to reach server. string Maximum length: 15
switch-controller-service-type RADIUS service type.
login: User should be connected to a host.
framed: User use Framed Protocol.
callback-login: User disconnected and called back.
callback-framed: User disconnected and called back, then a Framed Protocol.
outbound: User granted access to outgoing devices.
administrative: User granted access to the administrative unsigned interface.
nas-prompt: User provided a command prompt on the NAS.
authenticate-only: Authentication requested, and no auth info needs to be returned.
callback-nas-prompt: User disconnected and called back, then provided a command prompt.
call-check: Used by the NAS in an Access-Request packet, Access-Accept to answer the call.
callback-administrative: User disconnected and called back, granted access to the admin unsigned interface.
option -
rsso Enable/disable RADIUS based single sign on feature.
enable: Enable RADIUS based single sign on feature.
disable: Disable RADIUS based single sign on feature.
option -
rsso-radius-server-port UDP port to listen on for RADIUS Start and Stop records. integer Minimum value: 0 Maximum value: 65535
rsso-radius-response Enable/disable sending RADIUS response packets after receiving Start and Stop records.
enable: Enable sending RADIUS response packets.
disable: Disable sending RADIUS response packets.
option -
rsso-validate-request-secret Enable/disable validating the RADIUS request shared secret in the Start or End record.
enable: Enable validating RADIUS request shared secret.
disable: Disable validating RADIUS request shared secret.
option -
rsso-secret RADIUS secret used by the RADIUS accounting server. password Not Specified
rsso-endpoint-attribute RADIUS attributes used to extract the user end point identifer from the RADIUS Start record.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
rsso-endpoint-block-attribute RADIUS attributes used to block a user.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
sso-attribute RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
sso-attribute-key Key prefix for SSO group value in the SSO attribute. string Maximum length: 35
sso-attribute-value-override Enable/disable override old attribute value with new value for the same endpoint.
enable: Enable override old attribute value with new value for the same endpoint.
disable: Disable override old attribute value with new value for the same endpoint.
option -
rsso-context-timeout Time in seconds before the logged out user is removed from the "user context list" of logged on users. integer Minimum value: 0 Maximum value: 4294967295
rsso-log-period Time interval in seconds that group event log messages will be generated for dynamic profile events. integer Minimum value: 0 Maximum value: 4294967295
rsso-log-flags Events to log.
protocol-error: Enable this log type.
profile-missing: Enable this log type.
accounting-stop-missed: Enable this log type.
accounting-event: Enable this log type.
endpoint-block: Enable this log type.
radiusd-other: Enable this log type.
none: Disable all logging.
option -
rsso-flush-ip-session Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
enable: Enable flush user IP sessions on RADIUS accounting stop.
disable: Disable flush user IP sessions on RADIUS accounting stop.
option -
rsso-ep-one-ip-only Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
enable: Enable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.
disable: Disable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.
option -

config accounting-server

Parameter Name Description Type Size
status Status.
enable: Log to remote syslog server.
disable: Do not log to remote syslog server.
option -
server {<name_str ip_str>} Server CN domain name or IP. string Maximum length: 63
secret Secret key. password Not Specified
port RADIUS accounting port number. integer Minimum value: 0 Maximum value: 65535
source-ip Source IP address for communications to the RADIUS server. string Maximum length: 63
interface-select-method Specify how to select outgoing interface to reach server.
auto: Set outgoing interface automatically.
sdwan: Set outgoing interface by SD-WAN or policy routing rules.
specify: Set outgoing interface manually.
option -
interface Specify outgoing interface to reach server. string Maximum length: 15

user radius

Configure RADIUS server entries.

  config user radius
      Description: Configure RADIUS server entries.
      edit <name>
          set server {string}
          set secret {password}
          set secondary-server {string}
          set secondary-secret {password}
          set tertiary-server {string}
          set tertiary-secret {password}
          set timeout {integer}
          set all-usergroup [disable|enable]
          set use-management-vdom [enable|disable]
          set nas-ip {ipv4-address}
          set acct-interim-interval {integer}
          set radius-coa [enable|disable]
          set radius-port {integer}
          set h3c-compatibility [enable|disable]
          set auth-type [auto|ms_chap_v2|...]
          set source-ip {string}
          set username-case-sensitive [enable|disable]
          set group-override-attr-type [filter-Id|class]
          set class <name1>, <name2>, ...
          set password-renewal [enable|disable]
          set password-encoding [auto|ISO-8859-1]
          set acct-all-servers [enable|disable]
          set switch-controller-acct-fast-framedip-detect {integer}
          set interface-select-method [auto|sdwan|...]
          set interface {string}
          set switch-controller-service-type {option1}, {option2}, ...
          set rsso [enable|disable]
          set rsso-radius-server-port {integer}
          set rsso-radius-response [enable|disable]
          set rsso-validate-request-secret [enable|disable]
          set rsso-secret {password}
          set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
          set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
          set sso-attribute [User-Name|NAS-IP-Address|...]
          set sso-attribute-key {string}
          set sso-attribute-value-override [enable|disable]
          set rsso-context-timeout {integer}
          set rsso-log-period {integer}
          set rsso-log-flags {option1}, {option2}, ...
          set rsso-flush-ip-session [enable|disable]
          set rsso-ep-one-ip-only [enable|disable]
          config accounting-server
              Description: Additional accounting servers.
              edit <id>
                  set status [enable|disable]
                  set server {string}
                  set secret {password}
                  set port {integer}
                  set source-ip {string}
                  set interface-select-method [auto|sdwan|...]
                  set interface {string}
              next
          end
      next
  end

config user radius

Parameter Name Description Type Size
server Primary RADIUS server CN domain name or IP address. string Maximum length: 63
secret Pre-shared secret key used to access the primary RADIUS server. password Not Specified
secondary-server {<name_str ip_str>} secondary RADIUS CN domain name or IP. string Maximum length: 63
secondary-secret Secret key to access the secondary server. password Not Specified
tertiary-server {<name_str ip_str>} tertiary RADIUS CN domain name or IP. string Maximum length: 63
tertiary-secret Secret key to access the tertiary server. password Not Specified
timeout Time in seconds between re-sending authentication requests. integer Minimum value: 1 Maximum value: 300
all-usergroup Enable/disable automatically including this RADIUS server in all user groups.
disable: Do not automatically include this server in a user group.
enable: Include this RADIUS server in every user group.
option -
use-management-vdom Enable/disable using management VDOM to send requests.
enable: Send requests using the management VDOM.
disable: Send requests using the current VDOM.
option -
nas-ip IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes. ipv4-address Not Specified
acct-interim-interval Time in seconds between each accounting interim update message. integer Minimum value: 60 Maximum value: 86400
radius-coa Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
enable: Enable RADIUS CoA.
disable: Disable RADIUS CoA.
option -
radius-port RADIUS service port number. integer Minimum value: 0 Maximum value: 65535
h3c-compatibility Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.
enable: Enable H3C compatibility.
disable: Disable H3C compatibility.
option -
auth-type Authentication methods/protocols permitted for this RADIUS server.
auto: Use PAP, MSCHAP_v2, and CHAP (in that order).
ms_chap_v2: Microsoft Challenge Handshake Authentication Protocol version 2.
ms_chap: Microsoft Challenge Handshake Authentication Protocol.
chap: Challenge Handshake Authentication Protocol.
pap: Password Authentication Protocol.
option -
source-ip Source IP address for communications to the RADIUS server. string Maximum length: 63
username-case-sensitive Enable/disable case sensitive user names.
enable: Enable username case-sensitive.
disable: Disable username case-sensitive.
option -
group-override-attr-type RADIUS attribute type to override user group information.
filter-Id: Filter-Id
class: Class
option -
class <name> Class attribute name(s).
Class name.
string Maximum length: 79
password-renewal Enable/disable password renewal.
enable: Enable password renewal.
disable: Disable password renewal.
option -
password-encoding Password encoding.
auto: Use original password encoding.
ISO-8859-1: Use ISO-8859-1 password encoding.
option -
acct-all-servers Enable/disable sending of accounting messages to all configured servers (default = disable).
enable: Send accounting messages to all configured servers.
disable: Send accounting message only to servers that are confirmed to be reachable.
option -
switch-controller-acct-fast-framedip-detect Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2). integer Minimum value: 2 Maximum value: 600
interface-select-method Specify how to select outgoing interface to reach server.
auto: Set outgoing interface automatically.
sdwan: Set outgoing interface by SD-WAN or policy routing rules.
specify: Set outgoing interface manually.
option -
interface Specify outgoing interface to reach server. string Maximum length: 15
switch-controller-service-type RADIUS service type.
login: User should be connected to a host.
framed: User use Framed Protocol.
callback-login: User disconnected and called back.
callback-framed: User disconnected and called back, then a Framed Protocol.
outbound: User granted access to outgoing devices.
administrative: User granted access to the administrative unsigned interface.
nas-prompt: User provided a command prompt on the NAS.
authenticate-only: Authentication requested, and no auth info needs to be returned.
callback-nas-prompt: User disconnected and called back, then provided a command prompt.
call-check: Used by the NAS in an Access-Request packet, Access-Accept to answer the call.
callback-administrative: User disconnected and called back, granted access to the admin unsigned interface.
option -
rsso Enable/disable RADIUS based single sign on feature.
enable: Enable RADIUS based single sign on feature.
disable: Disable RADIUS based single sign on feature.
option -
rsso-radius-server-port UDP port to listen on for RADIUS Start and Stop records. integer Minimum value: 0 Maximum value: 65535
rsso-radius-response Enable/disable sending RADIUS response packets after receiving Start and Stop records.
enable: Enable sending RADIUS response packets.
disable: Disable sending RADIUS response packets.
option -
rsso-validate-request-secret Enable/disable validating the RADIUS request shared secret in the Start or End record.
enable: Enable validating RADIUS request shared secret.
disable: Disable validating RADIUS request shared secret.
option -
rsso-secret RADIUS secret used by the RADIUS accounting server. password Not Specified
rsso-endpoint-attribute RADIUS attributes used to extract the user end point identifer from the RADIUS Start record.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
rsso-endpoint-block-attribute RADIUS attributes used to block a user.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
sso-attribute RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
sso-attribute-key Key prefix for SSO group value in the SSO attribute. string Maximum length: 35
sso-attribute-value-override Enable/disable override old attribute value with new value for the same endpoint.
enable: Enable override old attribute value with new value for the same endpoint.
disable: Disable override old attribute value with new value for the same endpoint.
option -
rsso-context-timeout Time in seconds before the logged out user is removed from the "user context list" of logged on users. integer Minimum value: 0 Maximum value: 4294967295
rsso-log-period Time interval in seconds that group event log messages will be generated for dynamic profile events. integer Minimum value: 0 Maximum value: 4294967295
rsso-log-flags Events to log.
protocol-error: Enable this log type.
profile-missing: Enable this log type.
accounting-stop-missed: Enable this log type.
accounting-event: Enable this log type.
endpoint-block: Enable this log type.
radiusd-other: Enable this log type.
none: Disable all logging.
option -
rsso-flush-ip-session Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
enable: Enable flush user IP sessions on RADIUS accounting stop.
disable: Disable flush user IP sessions on RADIUS accounting stop.
option -
rsso-ep-one-ip-only Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
enable: Enable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.
disable: Disable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.
option -

config accounting-server

Parameter Name Description Type Size
status Status.
enable: Log to remote syslog server.
disable: Do not log to remote syslog server.
option -
server {<name_str ip_str>} Server CN domain name or IP. string Maximum length: 63
secret Secret key. password Not Specified
port RADIUS accounting port number. integer Minimum value: 0 Maximum value: 65535
source-ip Source IP address for communications to the RADIUS server. string Maximum length: 63
interface-select-method Specify how to select outgoing interface to reach server.
auto: Set outgoing interface automatically.
sdwan: Set outgoing interface by SD-WAN or policy routing rules.
specify: Set outgoing interface manually.
option -
interface Specify outgoing interface to reach server. string Maximum length: 15