Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Using multiple RADIUS servers

There are several ways to implement multiple RADIUS servers, and each has a different effect on user authentication. The three main options available are:

Adding a second server in a RADIUS profile

A second RADIUS server can be configured in the same RADIUS profile so in the event the first RADIUS server does not respond, the second server can be checked. If the first RADIUS server responds with an Access-Reject, no further servers are queried.

To add a second server in a RADIUS profile:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Enter the following:

    Name

    RADIUS_with_2ndary

    Authentication method

    Default

    Primary Server

    IP/Name

    1.1.1.1

    Secret

    Enter the password used to connect to the RADIUS server.

    Secondary Server

    IP/Name

    2.2.2.2

    Secret

    Enter the password used to connect to the RADIUS server.

  3. Click OK.

Adding two RADIUS server profiles in the same user group

When two separate RADIUS profiles are added to a user group, the FortiGate sends an Access-Request simultaneously to both RADIUS servers, and authentication succeeds if either server sends back an Access-Accept. This example includes the settings from the previous example where one or more of the RADIUS server profiles has a secondary server configured. In this case, the secondary server profile, RADIUS_with_2ndary, is only checked if the primary server of this profile times out and the fac_radius_server profile does not return an Access-Accept.

To add two RADIUS server profiles in the same user group:
  1. Go to User & Authentication > RADIUS Servers, click Create New, and configure the RADIUS servers as needed (refer to the previous example).
  2. Go to User & Authentication > User Groups and click Create New.
  3. Enter the following:

    Name

    RADIUS_GROUP

    Type

    Firewall

  4. In the Remote Groups table, click Add.
  5. Select RADIUS_with_2ndary and click OK.
  6. Click Add, select fac_radius_server, then click OK.

  7. Click OK.

Using separate RADIUS server profiles for separate user groups

In this example, the FortiGate first evaluates if the user belongs to the first listed group (radius_group) in the policy. If the user fails to authenticate to this group, then the FortiGate checks if the user can successfully authenticate to the second user group (radius_group_2). Refer to the first and second examples for detailed instructions.

To use separate RADIUS server profiles for separate user groups:
  1. Configure the RADIUS server profiles:
    1. Go to User & Authentication > RADIUS Servers and click Create New.
    2. Configure two RADIUS servers, fac_radius_server and RADIUS_with_2ndary, as needed (refer to the previous example).
  2. Configure the firewall groups:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Configure two firewall groups, one named radius_group with remote server member fac_radius_server, and one named radius_group_2 with remote server member RADIUS_with_2ndary (refer to the previous example).

  3. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, click User then select radius_group and radius_group_2. Click Address and select LAN address.
    3. Configure the other settings as needed.
    4. Click OK.

Using multiple RADIUS servers

There are several ways to implement multiple RADIUS servers, and each has a different effect on user authentication. The three main options available are:

Adding a second server in a RADIUS profile

A second RADIUS server can be configured in the same RADIUS profile so in the event the first RADIUS server does not respond, the second server can be checked. If the first RADIUS server responds with an Access-Reject, no further servers are queried.

To add a second server in a RADIUS profile:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Enter the following:

    Name

    RADIUS_with_2ndary

    Authentication method

    Default

    Primary Server

    IP/Name

    1.1.1.1

    Secret

    Enter the password used to connect to the RADIUS server.

    Secondary Server

    IP/Name

    2.2.2.2

    Secret

    Enter the password used to connect to the RADIUS server.

  3. Click OK.

Adding two RADIUS server profiles in the same user group

When two separate RADIUS profiles are added to a user group, the FortiGate sends an Access-Request simultaneously to both RADIUS servers, and authentication succeeds if either server sends back an Access-Accept. This example includes the settings from the previous example where one or more of the RADIUS server profiles has a secondary server configured. In this case, the secondary server profile, RADIUS_with_2ndary, is only checked if the primary server of this profile times out and the fac_radius_server profile does not return an Access-Accept.

To add two RADIUS server profiles in the same user group:
  1. Go to User & Authentication > RADIUS Servers, click Create New, and configure the RADIUS servers as needed (refer to the previous example).
  2. Go to User & Authentication > User Groups and click Create New.
  3. Enter the following:

    Name

    RADIUS_GROUP

    Type

    Firewall

  4. In the Remote Groups table, click Add.
  5. Select RADIUS_with_2ndary and click OK.
  6. Click Add, select fac_radius_server, then click OK.

  7. Click OK.

Using separate RADIUS server profiles for separate user groups

In this example, the FortiGate first evaluates if the user belongs to the first listed group (radius_group) in the policy. If the user fails to authenticate to this group, then the FortiGate checks if the user can successfully authenticate to the second user group (radius_group_2). Refer to the first and second examples for detailed instructions.

To use separate RADIUS server profiles for separate user groups:
  1. Configure the RADIUS server profiles:
    1. Go to User & Authentication > RADIUS Servers and click Create New.
    2. Configure two RADIUS servers, fac_radius_server and RADIUS_with_2ndary, as needed (refer to the previous example).
  2. Configure the firewall groups:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Configure two firewall groups, one named radius_group with remote server member fac_radius_server, and one named radius_group_2 with remote server member RADIUS_with_2ndary (refer to the previous example).

  3. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, click User then select radius_group and radius_group_2. Click Address and select LAN address.
    3. Configure the other settings as needed.
    4. Click OK.