
New Features

Add RADIUS MAC delimiter options


Add RADIUS MAC delimiter options

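In the wireless controller settings, options have been added to specify the delimiter used when the client MAC address is sent in various RADIUS attributes for RADIUS MAC authentication and accounting. The options are hyphen, single-hyphen, colon, or none. For example, single-hyphen produces 1c872c-b7f64c, colon produces 1c:87:2c:b7:f6:4c, and none produces 1c872cb7f64c. The mac-case option sets whether the MAC address is sent in uppercase or lowercase.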

config wireless-controller vap
    edit <name>
        set mac-username-delimiter {hyphen | single-hyphen | colon | none}
        set mac-password-delimiter {hyphen | single-hyphen | colon | none}
        set mac-calling-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-called-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-case MAC {uppercase | lowercase}
    next
end

Example

In this example, a username (single-hyphen, lowercase) and password (colon, lowercase) are configured on a FreeRADIUS server.

To configure RADIUS MAC delimiter options:
  1. Configure the VAP:
    config wireless-controller vap
        edit "wifi"
            set ssid "starr-fgt4-1"
            set security wpa2-only-enterprise
            set mac-username-delimiter single-hyphen
            set mac-password-delimiter colon
            set mac-calling-station-delimiter none
            set mac-called-station-delimiter single-hyphen
            set mac-case lowercase
            set radius-mac-auth enable
            set radius-mac-auth-server "peap"
            set auth radius
            set radius-server "peap"
        next
    end
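  2. On the FreeRADIUS server, configure a username (such as 1c872c-b7f64c) and a cleartext password (such as 1c:87:2c:b7:f6:4c). Both values are the client MAC address; use the delimiter and case set by mac-username-delimiter, mac-password-delimiter, and mac-case on the VAP so that the entry matches what the FortiGate sends.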
  3. After the client passes RADIUS MAC authentication, verify the RADIUS server log. The FortiGate sent the username as 1c872c-b7f64c and the password as 1c:87:2c:b7:f6:4c:
    Fri Mar 12 10:28:52 2021 : Auth: (0) Login OK: [1c872c-b7f64c/1c:87:2c:b7:f6:4c] (from client fwf port 0 cli 1c872cb7f64c)
  4. Once the client is connected, check the accounting log on the accounting server. The FortiGate sent the called station ID as 906cac-c127d8:starr-fgt4-1 (single-hyphen delimiter, followed by the SSID) and the calling station ID as 1c872cb7f64c (no delimiter):
    Fri Mar 12 10:33:02 2021
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "tester"
        NAS-IP-Address = 0.0.0.0
        NAS-Identifier = "127.0.0.1/15246-wifi"
        Called-Station-Id = "906cac-c127d8:starr-fgt4-1"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        NAS-Port = 1
        Fortinet-SSID = "starr-fgt4-1"
        Fortinet-AP-Name = "FWF61E-WIFI0"
        Calling-Station-Id = "1c872cb7f64c"
        Connect-Info = "CONNECT 0/0Mbps(Tx/Rx) 11AC"
        Acct-Session-Id = "6048FE9800000064"
        Acct-Multi-Session-Id = "4AD14F4FCBBDDDFF"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-IP-Address = 10.10.80.106
        Fortinet-WirelessController-Device-MAC = 0x1c872cb7f64c
        Fortinet-WirelessController-WTP-ID = "FWF61E4Q00000000"
        Fortinet-WirelessController-Assoc-Time = "Mar 12 2021 10:32:59 PST"
        Event-Timestamp = "Mar 12 2021 10:33:02 PST"
        Acct-Delay-Time = 0
        Acct-Unique-Session-Id = "51c531ce7fd0e92cbf4f3cf06f7ce372"
        Timestamp = 1615573982

Add RADIUS MAC delimiter options

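In the wireless controller settings, options have been added to specify the delimiter used when the client MAC address is sent in various RADIUS attributes for RADIUS MAC authentication and accounting. The options are hyphen, single-hyphen, colon, or none. For example, single-hyphen produces 1c872c-b7f64c, colon produces 1c:87:2c:b7:f6:4c, and none produces 1c872cb7f64c. The mac-case option sets whether the MAC address is sent in uppercase or lowercase.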

config wireless-controller vap
    edit <name>
        set mac-username-delimiter {hyphen | single-hyphen | colon | none}
        set mac-password-delimiter {hyphen | single-hyphen | colon | none}
        set mac-calling-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-called-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-case MAC {uppercase | lowercase}
    next
end

Example

In this example, a username (single-hyphen, lowercase) and password (colon, lowercase) are configured on a FreeRADIUS server.

To configure RADIUS MAC delimiter options:
  1. Configure the VAP:
    config wireless-controller vap
        edit "wifi"
            set ssid "starr-fgt4-1"
            set security wpa2-only-enterprise
            set mac-username-delimiter single-hyphen
            set mac-password-delimiter colon
            set mac-calling-station-delimiter none
            set mac-called-station-delimiter single-hyphen
            set mac-case lowercase
            set radius-mac-auth enable
            set radius-mac-auth-server "peap"
            set auth radius
            set radius-server "peap"
        next
    end
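  2. On the FreeRADIUS server, configure a username (such as 1c872c-b7f64c) and a cleartext password (such as 1c:87:2c:b7:f6:4c). Both values are the client MAC address; use the delimiter and case set by mac-username-delimiter, mac-password-delimiter, and mac-case on the VAP so that the entry matches what the FortiGate sends.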
  3. After the client passes RADIUS MAC authentication, verify the RADIUS server log. The FortiGate sent the username as 1c872c-b7f64c and the password as 1c:87:2c:b7:f6:4c:
    Fri Mar 12 10:28:52 2021 : Auth: (0) Login OK: [1c872c-b7f64c/1c:87:2c:b7:f6:4c] (from client fwf port 0 cli 1c872cb7f64c)
  4. Once the client is connected, check the accounting log on the accounting server. The FortiGate sent the called station ID as 906cac-c127d8:starr-fgt4-1 (single-hyphen delimiter, followed by the SSID) and the calling station ID as 1c872cb7f64c (no delimiter):
    Fri Mar 12 10:33:02 2021
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "tester"
        NAS-IP-Address = 0.0.0.0
        NAS-Identifier = "127.0.0.1/15246-wifi"
        Called-Station-Id = "906cac-c127d8:starr-fgt4-1"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        NAS-Port = 1
        Fortinet-SSID = "starr-fgt4-1"
        Fortinet-AP-Name = "FWF61E-WIFI0"
        Calling-Station-Id = "1c872cb7f64c"
        Connect-Info = "CONNECT 0/0Mbps(Tx/Rx) 11AC"
        Acct-Session-Id = "6048FE9800000064"
        Acct-Multi-Session-Id = "4AD14F4FCBBDDDFF"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-IP-Address = 10.10.80.106
        Fortinet-WirelessController-Device-MAC = 0x1c872cb7f64c
        Fortinet-WirelessController-WTP-ID = "FWF61E4Q00000000"
        Fortinet-WirelessController-Assoc-Time = "Mar 12 2021 10:32:59 PST"
        Event-Timestamp = "Mar 12 2021 10:33:02 PST"
        Acct-Delay-Time = 0
        Acct-Unique-Session-Id = "51c531ce7fd0e92cbf4f3cf06f7ce372"
        Timestamp = 1615573982