Using multiple RADIUS servers
There are several ways to implement multiple RADIUS servers, and each has a different effect on user authentication. The three main options available are:
- Add a second (or third) RADIUS server in the same profile.
- Add a second RADIUS server profile, and add both to the same user group.
- Use two RADIUS server profiles for two user groups (one for each).
Adding a second server in a RADIUS profile
A second RADIUS server can be configured in the same RADIUS profile so that, if the first RADIUS server does not respond (times out), the second server is queried. Failover happens only on timeout: if the first RADIUS server responds with an Access-Reject, no further servers are queried.
To add a second server in a RADIUS profile:
- Go to User & Authentication > RADIUS Servers and click Create New.
- Enter the following:
  Name: RADIUS_with_2ndary
  Authentication method: Default
  Primary Server
    IP/Name: 1.1.1.1
    Secret: Enter the password used to connect to the RADIUS server.
  Secondary Server
    IP/Name: 2.2.2.2
    Secret: Enter the password used to connect to the RADIUS server.
- Click OK.
Adding two RADIUS server profiles in the same user group
When two separate RADIUS profiles are added to a user group, the FortiGate sends an Access-Request to both RADIUS servers simultaneously, and authentication succeeds if either server sends back an Access-Accept. This example reuses the settings from the previous example, where one of the RADIUS server profiles has a secondary server configured. In this case, the secondary server (2.2.2.2) of the RADIUS_with_2ndary profile is only queried if that profile's primary server times out and the fac_radius_server profile does not return an Access-Accept.
To add two RADIUS server profiles in the same user group:
- Go to User & Authentication > RADIUS Servers, click Create New, and configure the RADIUS servers as needed (refer to the previous example).
- Go to User & Authentication > User Groups and click Create New.
- Enter the following:
  Name: RADIUS_GROUP
  Type: Firewall
- In the Remote Groups table, click Add.
- Select RADIUS_with_2ndary and click OK.
- Click Add, select fac_radius_server, then click OK.
- Click OK.
Using separate RADIUS server profiles for separate user groups
In this example, the FortiGate first checks whether the user belongs to the first group listed in the policy (radius_group). If the user fails to authenticate to this group, the FortiGate then checks whether the user can authenticate to the second user group (radius_group_2). Refer to the first and second examples for detailed instructions.
To use separate RADIUS server profiles for separate user groups:
- Configure the RADIUS server profiles:
  - Go to User & Authentication > RADIUS Servers and click Create New.
  - Configure two RADIUS servers, fac_radius_server and RADIUS_with_2ndary, as needed (refer to the previous examples).
- Configure the firewall groups:
  - Go to User & Authentication > User Groups and click Create New.
  - Configure two firewall groups, one named radius_group with remote server member fac_radius_server, and one named radius_group_2 with remote server member RADIUS_with_2ndary (refer to the previous example).
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - For Source, click User, then select radius_group and radius_group_2. Click Address and select LAN address.
  - Configure the other settings as needed.
  - Click OK.
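The three configurations above expressed in the FortiOS CLI, added here as an example and not taken from the original page. The shared secrets are placeholders, the fac_radius_server address and the port1/port2 interface names are assumed, and "LAN address" is taken to be an existing address object.

```fortios
# Profile with a primary and a secondary server (the secondary is used only on timeout)
config user radius
    edit "RADIUS_with_2ndary"
        set server "1.1.1.1"
        set secret <primary-shared-secret>
        set secondary-server "2.2.2.2"
        set secondary-secret <secondary-shared-secret>
    next
    # Second profile used by the group examples; its address is not on this page (assumed)
    edit "fac_radius_server"
        set server "<fac-radius-address>"
        set secret <fac-shared-secret>
    next
end

# Both profiles in one group: Access-Requests go to both servers in parallel
config user group
    edit "RADIUS_GROUP"
        set group-type firewall
        set member "RADIUS_with_2ndary" "fac_radius_server"
    next
end

# One profile per group: the policy tries radius_group first, then radius_group_2
config user group
    edit "radius_group"
        set group-type firewall
        set member "fac_radius_server"
    next
    edit "radius_group_2"
        set group-type firewall
        set member "RADIUS_with_2ndary"
    next
end

config firewall policy
    edit 0
        set name "radius-users"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN address"
        set dstaddr "all"
        set groups "radius_group" "radius_group_2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying the configuration, each profile can be exercised from the CLI with `diagnose test authserver radius <profile-name> pap <username> <password>`, which reports whether the server returned Access-Accept or Access-Reject and makes the timeout-versus-reject failover behaviour observable.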