SSL VPN with RADIUS on Windows NPS

This is an example configuration of SSL VPN that uses Windows Network Policy Server (NPS) as a RADIUS authentication server.

The NPS must already be configured to accept the FortiGate as a RADIUS client and the choice of authentication method, such as MS-CHAPv2. A shared key must also have been created.


The user is connecting from their PC to the FortiGate's port1 interface. RADIUS authentication occurs between the FortiGate and the Windows NPS, and the SSL-VPN connection is established once the authentication is successful.

Configure SSL-VPN with RADIUS on Windows NPS in the GUI

To configure the internal and external interfaces:
  1. Go to Network > Interfaces
  2. Edit the port1 interface and set IP/Network Mask to
  3. Edit the port2 interface and set IP/Network Mask to
  4. Click OK.
To create a firewall address:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Set Name to
  3. Leave Type as Subnet
  4. Set IP/Netmask to
  5. Click OK.
To add the RADIUS server:
  1. Go to User & Authentication > RADIUS Servers and click Create New.