Fortinet white logo
Fortinet white logo

Administration Guide

Configuring a RADIUS server

Configuring a RADIUS server

A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius.

Basic configuration

The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.

GUI field

CLI setting

Description

Name

edit <name>

Define the RADIUS server object within FortiOS.

Authentication method

set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Specify the authentication method, or select Default/auto to negotiate PAP, MSCHAP_v2, and CHAP in that order.

NAS IP

set nas-ip <IPv4_address>

Optional setting, also known as Calling-Station-Id.

Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate will use the IP address of the interface that communicates with the RADIUS server.

Include in every user group

set all-usergroup {enable | disable}

Optional setting to add the RADIUS server to each user group.

This allows each user group to try and authenticate users against the RADIUS server if local authentication fails.

Primary Server

IP/Name

set server <string>

Enter the IP address or resolvable FQDN of the RADIUS server.

Secret

set secret <password>

Enter the password used to connect to the RADIUS server.

There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).

Advanced settings

Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.

To edit the port used to connect with the RADIUS server:
config system global
    set radius-port <integer> 
end
To edit the default setting for password encoding and username case sensitivity:
config user radius
    edit <name>
        set password-encoding {auto | ISO-8859-1}
        set username-case-sensitive {enable | disable}
    next
end

password-encoding {auto | ISO-8859-1}

Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The auth-type must be auto or pap to change this setting.

username-case-sensitive {enable | disable}

Enable/disable case sensitive usernames (default = disable).

To configure a RADSEC client with TLS or TCP:
config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}        
        set server-identity-check {enable | disable}
    next
end

transport-protocol {udp | tcp | tls}

Set the type of transport protocol to use:

  • udp: use UDP (default)
  • tcp: use TCP, but no TLS security
  • tls: use TLS over TCP

ca-cert <string>

Set the CA certificate of server to trust under TLS.

client-cert <string>

Set the client certificate to use under TLS.

tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum supported protocol version for TLS connections:

  • default: follow the system global setting
  • SSLv3: use SSLv3
  • TLSv1: use TLSv1
  • TLSv1-1: use TLSv1.1
  • TLSv1-2: use TLSv1.2

server-identity-check {enable | disable}

Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

For RADSEC over TLS and RADSEC over TCP example configurations, see Configuring a RADSEC client NEW.

Configuring a RADIUS server

Configuring a RADIUS server

A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius.

Basic configuration

The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.

GUI field

CLI setting

Description

Name

edit <name>

Define the RADIUS server object within FortiOS.

Authentication method

set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Specify the authentication method, or select Default/auto to negotiate PAP, MSCHAP_v2, and CHAP in that order.

NAS IP

set nas-ip <IPv4_address>

Optional setting, also known as Calling-Station-Id.

Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate will use the IP address of the interface that communicates with the RADIUS server.

Include in every user group

set all-usergroup {enable | disable}

Optional setting to add the RADIUS server to each user group.

This allows each user group to try and authenticate users against the RADIUS server if local authentication fails.

Primary Server

IP/Name

set server <string>

Enter the IP address or resolvable FQDN of the RADIUS server.

Secret

set secret <password>

Enter the password used to connect to the RADIUS server.

There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).

Advanced settings

Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.

To edit the port used to connect with the RADIUS server:
config system global
    set radius-port <integer> 
end
To edit the default setting for password encoding and username case sensitivity:
config user radius
    edit <name>
        set password-encoding {auto | ISO-8859-1}
        set username-case-sensitive {enable | disable}
    next
end

password-encoding {auto | ISO-8859-1}

Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The auth-type must be auto or pap to change this setting.

username-case-sensitive {enable | disable}

Enable/disable case sensitive usernames (default = disable).

To configure a RADSEC client with TLS or TCP:
config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}        
        set server-identity-check {enable | disable}
    next
end

transport-protocol {udp | tcp | tls}

Set the type of transport protocol to use:

  • udp: use UDP (default)
  • tcp: use TCP, but no TLS security
  • tls: use TLS over TCP

ca-cert <string>

Set the CA certificate of server to trust under TLS.

client-cert <string>

Set the client certificate to use under TLS.

tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum supported protocol version for TLS connections:

  • default: follow the system global setting
  • SSLv3: use SSLv3
  • TLSv1: use TLSv1
  • TLSv1-1: use TLSv1.1
  • TLSv1-2: use TLSv1.2

server-identity-check {enable | disable}

Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

For RADSEC over TLS and RADSEC over TCP example configurations, see Configuring a RADSEC client NEW.