Fortinet Document Library


CLI Reference

config user radius

Configure RADIUS server entries.

    config user radius
        Description: Configure RADIUS server entries.
        edit <name>
            set server {string}
            set secret {password}
            set secondary-server {string}
            set secondary-secret {password}
            set tertiary-server {string}
            set tertiary-secret {password}
            set timeout {integer}
            set all-usergroup [disable|enable]
            set use-management-vdom [enable|disable]
            set nas-ip {ipv4-address}
            set acct-interim-interval {integer}
            set radius-coa [enable|disable]
            set radius-port {integer}
            set h3c-compatibility [enable|disable]
            set auth-type [auto|ms_chap_v2|...]
            set source-ip {string}
            set username-case-sensitive [enable|disable]
            set group-override-attr-type [filter-Id|class]
            set class <name1>, <name2>, ...
            set password-renewal [enable|disable]
            set password-encoding [auto|ISO-8859-1]
            set acct-all-servers [enable|disable]
            set switch-controller-acct-fast-framedip-detect {integer}
            set interface-select-method [auto|sdwan|...]
            set interface {string}
            set switch-controller-service-type {option1}, {option2}, ...
            set rsso [enable|disable]
            set rsso-radius-server-port {integer}
            set rsso-radius-response [enable|disable]
            set rsso-validate-request-secret [enable|disable]
            set rsso-secret {password}
            set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
            set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
            set sso-attribute [User-Name|NAS-IP-Address|...]
            set sso-attribute-key {string}
            set sso-attribute-value-override [enable|disable]
            set rsso-context-timeout {integer}
            set rsso-log-period {integer}
            set rsso-log-flags {option1}, {option2}, ...
            set rsso-flush-ip-session [enable|disable]
            set rsso-ep-one-ip-only [enable|disable]
            config accounting-server
                Description: Additional accounting servers.
                edit <id>
                    set status [enable|disable]
                    set server {string}
                    set secret {password}
                    set port {integer}
                    set source-ip {string}
                    set interface-select-method [auto|sdwan|...]
                    set interface {string}
                next
            end
        next
    end

config user radius

Each parameter is listed with its description, type, size and default.

server
    Primary RADIUS server CN domain name or IP address.
    Type: string. Size: maximum length 63.

secret
    Pre-shared secret key used to access the primary RADIUS server.
    Type: password. Size: not specified.

secondary-server
    Secondary RADIUS server CN domain name or IP address (<name_str|ip_str>).
    Type: string. Size: maximum length 63.

secondary-secret
    Secret key to access the secondary server.
    Type: password. Size: not specified.

tertiary-server
    Tertiary RADIUS server CN domain name or IP address (<name_str|ip_str>).
    Type: string. Size: maximum length 63.

tertiary-secret
    Secret key to access the tertiary server.
    Type: password. Size: not specified.

timeout
    Time in seconds between re-sending authentication requests.
    Type: integer. Range: 1 to 300. Default: 5.

all-usergroup
    Enable/disable automatically including this RADIUS server in all user groups.
    Type: option. Default: disable.
        disable    Do not automatically include this server in a user group.
        enable     Include this RADIUS server in every user group.

use-management-vdom
    Enable/disable using the management VDOM to send requests.
    Type: option. Default: disable.
        enable     Send requests using the management VDOM.
        disable    Send requests using the current VDOM.

nas-ip
    IP address used to communicate with the RADIUS server and used as the NAS-IP-Address and Called-Station-ID attributes.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

acct-interim-interval
    Time in seconds between each accounting interim update message.
    Type: integer. Range: 60 to 86400. Default: 0.

radius-coa
    Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
    Type: option. Default: disable.
        enable     Enable RADIUS CoA.
        disable    Disable RADIUS CoA.

radius-port
    RADIUS service port number.
    Type: integer. Range: 0 to 65535. Default: 0.

h3c-compatibility
    Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication.
    Type: option. Default: disable.
        enable     Enable H3C compatibility.
        disable    Disable H3C compatibility.

auth-type
    Authentication methods/protocols permitted for this RADIUS server.
    Type: option. Default: auto.
        auto         Use PAP, MSCHAP_v2, and CHAP (in that order).
        ms_chap_v2   Microsoft Challenge Handshake Authentication Protocol version 2.
        ms_chap      Microsoft Challenge Handshake Authentication Protocol.
        chap         Challenge Handshake Authentication Protocol.
        pap          Password Authentication Protocol.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string. Size: maximum length 63.

username-case-sensitive
    Enable/disable case-sensitive user names.
    Type: option. Default: disable.
        enable     User names are case-sensitive.
        disable    User names are not case-sensitive.

group-override-attr-type
    RADIUS attribute type to override user group information.
    Type: option.
        filter-Id  Use the Filter-Id attribute.
        class      Use the Class attribute.

class <name>
    Class attribute name(s); each entry is a class name.
    Type: string. Size: maximum length 79.

password-renewal
    Enable/disable password renewal.
    Type: option. Default: enable.
        enable     Enable password renewal.
        disable    Disable password renewal.

password-encoding
    Password encoding.
    Type: option. Default: auto.
        auto        Use the original password encoding.
        ISO-8859-1  Use ISO-8859-1 password encoding.

acct-all-servers
    Enable/disable sending accounting messages to all configured servers.
    Type: option. Default: disable.
        enable     Send accounting messages to all configured servers.
        disable    Send accounting messages only to servers that are confirmed to be reachable.

switch-controller-acct-fast-framedip-detect
    Switch controller accounting message Framed-IP detection from DHCP snooping.
    Type: integer. Range: 2 to 600. Default: 2.

interface-select-method
    Specify how to select the outgoing interface to reach the server.
    Type: option. Default: auto.
        auto       Set the outgoing interface automatically.
        sdwan      Set the outgoing interface by SD-WAN or policy routing rules.
        specify    Set the outgoing interface manually.

interface
    Specify the outgoing interface to reach the server.
    Type: string. Size: maximum length 15.

switch-controller-service-type
    RADIUS service type.
    Type: option.
        login                    User should be connected to a host.
        framed                   User uses a Framed Protocol.
        callback-login           User disconnected and called back.
        callback-framed          User disconnected and called back, then a Framed Protocol.
        outbound                 User granted access to outgoing devices.
        administrative           User granted access to the administrative unsigned interface.
        nas-prompt               User provided a command prompt on the NAS.
        authenticate-only        Authentication requested, and no auth info needs to be returned.
        callback-nas-prompt      User disconnected and called back, then provided a command prompt.
        call-check               Used by the NAS in an Access-Request packet, Access-Accept to answer the call.
        callback-administrative  User disconnected and called back, granted access to the admin unsigned interface.

rsso
    Enable/disable the RADIUS based single sign on feature.
    Type: option. Default: disable.
        enable     Enable the RADIUS based single sign on feature.
        disable    Disable the RADIUS based single sign on feature.

rsso-radius-server-port
    UDP port to listen on for RADIUS Start and Stop records.
    Type: integer. Range: 0 to 65535. Default: 1813.

rsso-radius-response
    Enable/disable sending RADIUS response packets after receiving Start and Stop records.
    Type: option. Default: disable.
        enable     Send RADIUS response packets.
        disable    Do not send RADIUS response packets.

rsso-validate-request-secret
    Enable/disable validating the RADIUS request shared secret in the Start or End record.
    Type: option. Default: disable.
        enable     Validate the RADIUS request shared secret.
        disable    Do not validate the RADIUS request shared secret.

rsso-secret
    RADIUS secret used by the RADIUS accounting server.
    Type: password. Size: not specified.

rsso-endpoint-attribute
    RADIUS attribute used to extract the user endpoint identifier from the RADIUS Start record.
    Type: option. Default: Calling-Station-Id.
    Options (each selects that attribute): User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id.

rsso-endpoint-block-attribute
    RADIUS attribute used to block a user.
    Type: option.
    Options: the same attribute list as rsso-endpoint-attribute.

sso-attribute
    RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
    Type: option. Default: Class.
    Options: the same attribute list as rsso-endpoint-attribute.

sso-attribute-key
    Key prefix for the SSO group value in the SSO attribute.
    Type: string. Size: maximum length 35.
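As an added illustration (not Fortinet's code), the check that rsso-validate-request-secret performs on an accounting Start record, together with the endpoint and group extraction that rsso-endpoint-attribute, sso-attribute and sso-attribute-key select: a constructed RFC 2866 Accounting-Request is built, its Request Authenticator is recomputed from the shared secret, and its attributes are parsed. The packet layout and attribute numbers come from RFC 2865/2866; the secret, user and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct
ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)
START = struct.pack("!I", 1)  # Acct-Status-Type value 1 = Start record
# Attribute type numbers (RFC 2865/2866); names match the CLI option names above.
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40}
ATTR_NAME = {num: name for name, num in ATTR.items()}
SAMPLE_SECRET = b"constructed-shared-secret"  # constructed stand-in for rsso-secret

def build_accounting_request(identifier, secret, attrs):
    """Encode an Accounting-Request; the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(struct.pack("!BB", ATTR[name], len(value) + 2) + value
                    for name, value in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def validate_request_secret(packet, secret):
    """The check rsso-validate-request-secret turns on: recompute the authenticator
    with the configured secret and accept the record only if it matches."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Return {attribute name: [raw values]} from the TLV section of a packet."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(ATTR_NAME.get(atype, atype), []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def endpoint_and_group(packet, endpoint_attr="Calling-Station-Id", sso_attr="Class", sso_key=""):
    """Mirror rsso-endpoint-attribute, sso-attribute and sso-attribute-key:
    take the endpoint identifier and group name from a Start record."""
    attrs = parse_attributes(packet)
    if attrs.get("Acct-Status-Type") != [START]:
        return None, None  # not a Start record
    endpoint = attrs.get(endpoint_attr, [b""])[0].decode("ascii", "replace")
    group = None
    for value in attrs.get(sso_attr, []):
        text = value.decode("ascii", "replace")
        if text.startswith(sso_key):  # only values carrying the key prefix count
            group = text[len(sso_key):]
            break
    return endpoint, group

def sample_start_record():
    """Constructed Start record for user alice (not captured traffic)."""
    return build_accounting_request(7, SAMPLE_SECRET, [
        ("Acct-Status-Type", START), ("User-Name", b"alice"),
        ("Calling-Station-Id", b"00-11-22-33-44-55"),
        ("Framed-IP-Address", bytes([10, 0, 0, 5])), ("Class", b"group=staff")])
```

With validation left at its default of disable, a record with any authenticator is processed; the secret check is what ties a Start record to a sender that knows rsso-secret.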

sso-attribute-value-override
    Enable/disable overriding the old attribute value with the new value for the same endpoint.
    Type: option. Default: enable.
        enable     Override the old attribute value with the new value for the same endpoint.
        disable    Do not override the old attribute value with the new value for the same endpoint.

rsso-context-timeout
    Time in seconds before the logged out user is removed from the "user context list" of logged on users.
    Type: integer. Range: 0 to 4294967295. Default: 28800.

rsso-log-period
    Time interval in seconds at which group event log messages are generated for dynamic profile events.
    Type: integer. Range: 0 to 4294967295. Default: 0.

rsso-log-flags
    Events to log.
    Type: option. Default: protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other.
        protocol-error          Enable this log type.
        profile-missing         Enable this log type.
        accounting-stop-missed  Enable this log type.
        accounting-event        Enable this log type.
        endpoint-block          Enable this log type.
        radiusd-other           Enable this log type.
        none                    Disable all logging.

rsso-flush-ip-session
    Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
    Type: option. Default: disable.
        enable     Flush user IP sessions on RADIUS accounting Stop.
        disable    Do not flush user IP sessions on RADIUS accounting Stop.

rsso-ep-one-ip-only
    Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
    Type: option. Default: disable.
        enable     Replace the old IP address with the new IP address for the same endpoint on RADIUS accounting Start.
        disable    Do not replace the old IP address with the new IP address for the same endpoint on RADIUS accounting Start.

config accounting-server

status
    Status.
    Type: option. Default: disable.
        enable     Log to remote syslog server.
        disable    Do not log to remote syslog server.

server
    Server CN domain name or IP address (<name_str|ip_str>).
    Type: string. Size: maximum length 63.

secret
    Secret key.
    Type: password. Size: not specified.

port
    RADIUS accounting port number.
    Type: integer. Range: 0 to 65535. Default: 0.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string. Size: maximum length 63.

interface-select-method
    Specify how to select the outgoing interface to reach the server.
    Type: option. Default: auto.
        auto       Set the outgoing interface automatically.
        sdwan      Set the outgoing interface by SD-WAN or policy routing rules.
        specify    Set the outgoing interface manually.

interface
    Specify the outgoing interface to reach the server.
    Type: string. Size: maximum length 15.
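As an added example, not part of the Fortinet reference: a small Python linter that parses the config / edit / set / next / end syntax shown above and flags the settings a reviewer would question, with a constructed weak entry beside a hardened one. The rules (rsso enabled without rsso-validate-request-secret or rsso-secret, auth-type left at auto, which the table says tries PAP first, and no secondary-server) are the editor's assumptions drawn from the parameter descriptions, not Fortinet guidance.

```python
import shlex
def parse_fortios_cli(text):
    """Parse FortiOS-style config / edit / set / next / end nesting into dicts,
    e.g. {"user radius": {"<name>": {"rsso": ["enable"], ...}}}."""
    stack = [{}]  # stack[0] is the root; each config/edit pushes a child dict
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif verb == "set":
            stack[-1][args[0]] = args[1:]
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def lint_config(text):
    """Apply the assumed hardening rules to every entry under config user radius."""
    findings = []
    for name, entry in parse_fortios_cli(text).get("user radius", {}).items():
        first = lambda key: (entry.get(key) or [None])[0]
        if first("rsso") == "enable" and first("rsso-validate-request-secret") != "enable":
            findings.append(f"{name}: rsso is enabled but rsso-validate-request-secret is not "
                            "(default disable), so Start/Stop records are accepted unverified")
        if first("rsso") == "enable" and not first("rsso-secret"):
            findings.append(f"{name}: rsso is enabled with no rsso-secret configured")
        if first("auth-type") in (None, "auto"):
            findings.append(f"{name}: auth-type is auto, which tries PAP first; set it explicitly")
        if not first("secondary-server"):
            findings.append(f"{name}: no secondary-server; authentication has a single point of failure")
    return findings
# Constructed sample configurations (not taken from any real device).
WEAK_CONFIG = """\
config user radius
    edit "rsso-weak"
        set server "10.0.0.10"
        set secret "constructed-secret"
        set rsso enable
    next
end
"""
HARDENED_CONFIG = """\
config user radius
    edit "rsso-hardened"
        set server "10.0.0.10"
        set secret "constructed-secret"
        set secondary-server "10.0.0.11"
        set secondary-secret "constructed-secret-2"
        set auth-type ms_chap_v2
        set rsso enable
        set rsso-validate-request-secret enable
        set rsso-secret "constructed-acct-secret"
    next
end
"""
```

Run lint_config over the output of `show user radius` to review the entries of a live unit; the parser ignores values it does not know, so unrelated settings pass through untouched.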
