Configuring a RADIUS server
A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius.
Basic configuration
The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.

GUI field | CLI setting | Description
---|---|---
Name | edit <name> | Define the RADIUS server object within FortiOS.
Authentication method | set auth-type {auto \| ms_chap_v2 \| ms_chap \| chap \| pap} | Specify the authentication method, or select Default/
NAS IP | set nas-ip <IPv4_address> | Optional setting, also known as Calling-Station-Id. Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate uses the IP address of the interface that communicates with the RADIUS server.
Include in every user group | set all-usergroup {enable \| disable} | Optional setting to add the RADIUS server to each user group. This allows each user group to try to authenticate users against the RADIUS server if local authentication fails.
Primary Server | |
IP/Name | set server <string> | Enter the IP address or resolvable FQDN of the RADIUS server.
Secret | set secret <password> | Enter the shared secret used to connect to the RADIUS server.
There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).
Advanced settings
Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.
To edit the port used to connect with the RADIUS server:

    config system global
        set radius-port <integer>
    end
To edit the default settings for password encoding and username case sensitivity:

    config user radius
        edit <name>
            set password-encoding {auto | ISO-8859-1}
            set username-case-sensitive {enable | disable}
        next
    end

CLI setting | Description
---|---
password-encoding {auto \| ISO-8859-1} | Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The
username-case-sensitive {enable \| disable} | Enable/disable case-sensitive usernames (default = disable).
To configure a RADSEC client with TLS or TCP:

    config user radius
        edit <name>
            set transport-protocol {udp | tcp | tls}
            set ca-cert <string>
            set client-cert <string>
            set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
            set server-identity-check {enable | disable}
        next
    end

CLI setting | Description
---|---
transport-protocol {udp \| tcp \| tls} | Set the transport protocol to use: udp, tcp, or tls.
ca-cert <string> | Set the CA certificate of the server to trust under TLS.
client-cert <string> | Set the client certificate to use under TLS.
tls-min-proto-version {default \| SSLv3 \| TLSv1 \| TLSv1-1 \| TLSv1-2} | Set the minimum supported protocol version for TLS connections: default, SSLv3, TLSv1, TLSv1-1, or TLSv1-2.
server-identity-check {enable \| disable} | Enable/disable the RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

For RADSEC over TLS and RADSEC over TCP example configurations, see Configuring a RADSEC client.
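As an added example (not Fortinet's code or documentation), the following Python script parses the config user radius block syntax shown in the advanced settings and RADSEC sections above and flags the settings from those tables that leave RADIUS traffic weaker: a transport-protocol other than tls, a tls-min-proto-version below TLSv1-2, and server-identity-check set to disable. The sample configuration is constructed, and treating an unset transport-protocol as udp is an assumption.

```python
# Added example (not Fortinet code): audit 'config user radius' blocks and flag weak transport/TLS settings.
import shlex

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """
config user radius
    edit "rad-legacy"
        set transport-protocol udp
    next
    edit "rad-tls"
        set server "radius.example.internal"
        set transport-protocol tls
        set tls-min-proto-version TLSv1
        set server-identity-check disable
    next
end
"""
BELOW_TLS12 = {"SSLv3", "TLSv1", "TLSv1-1"}  # accepted values below TLSv1-2

def parse_user_radius(text):
    """Return {name: {setting: value}} for each 'edit' entry under config user radius."""
    servers, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config user radius":
            inside = True
        elif not inside:
            continue
        elif line.startswith("edit "):
            current = shlex.split(line)[1]
            servers[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)
            servers[current][parts[1]] = " ".join(parts[2:])
        elif line in ("next", "end"):  # leave the current entry
            current = None
    return servers

def audit(servers):
    """Return (name, finding) tuples; an unset transport-protocol is assumed to mean udp."""
    findings = []
    for name, s in servers.items():
        if s.get("transport-protocol", "udp") != "tls":
            findings.append((name, "transport-protocol is not tls: RADSEC/TLS not in use"))
            continue
        if s.get("tls-min-proto-version", "default") in BELOW_TLS12:
            findings.append((name, "tls-min-proto-version below TLSv1-2"))
        if s.get("server-identity-check", "enable") == "disable":  # page default: enable
            findings.append((name, "server-identity-check disabled under TLS"))
    return findings
```

Run it with `print(audit(parse_user_radius(SAMPLE_CONFIG)))` to list the findings for the sample; feed it the output of `show user radius` to check a real device.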