Fortinet white logo
Fortinet white logo

Administration Guide

RADIUS AVPs and VSAs

RADIUS AVPs and VSAs

This topic describes RADIUS Attribute Value Pairs (AVPs) and Vendor-Specific Attributes (VSAs).

AVPs

RADIUS packets include a set of AVPs to identify information about the user, their location, and other information. The IETF defined a set of 255 standard attributes, which are well known and come in the form of Type, Length, Value (for more details, refer to RFC 2865). Of the standard 255, the FortiGate sends the following RADIUS attributes:

RADIUS attribute number

Name

Description

1

User-Name

Name of the user being authenticated by the RADIUS server.

4

NAS-IP-Address

IP address of the network access server (NAS) that is requesting authentication. The NAS is the FortiGate.

8

Framed-IP-Address

IP address to be configured for the user, by sending the IP address of a user to the RADIUS server in the Access-Request packet.

25

Class

Used in accounting packets and requests for firewall, WiFi, and proxy authentication. The attribute is returned in the Access-Accept message and is added to all accounting packets.

26

Fortinet-VSA

See VSAs.

32

NAS-Identifier

Identifier or IP address of the NAS that is requesting authentication. The NAS is the FortiGate.

42

Acct-Input-Octets

Number of octets received from the port over the course of this service being provided. Used to charge the user for the amount of traffic they used.

43

Acct-Output-Octets

Number of octets sent to the port while delivering this service. Used to charge the user for the amount of traffic they used.

44

Acct-Session-Id

Unique number assigned to each start and stop record to make it easy to match them, and to eliminate duplicate records.

55

Event-Timestamp

Records the time that the event occurred on the NAS. The timestamp is measured in seconds since January 1, 1970 00:00 UTC. Before the Event-Timestamp attribute can be sent in a packet, make sure that the correct time is set on the FortiGate.

VSAs

Some vendors want or need to send attributes that do not match any of the defined IETF attributes. This can be accomplished by using RADIUS attribute type 26, which allows a vendor to encapsulate their own specific attributes in this standard AVP.

In order to support VSAs, the RADIUS server requires a dictionary to define the VSAs. This dictionary is typically supplied by the client or server vendor.

The Fortinet RADIUS vendor ID is 12356 and contains the following attributes:

Attribute name

Attribute number

Attribute value format

Fortinet-Group-Name

1

String

Fortinet-Client-IP-Address

2

IP address

Fortinet-Vdom-Name*

3

String

Fortinet-Client-IPv6-Address

4

Octets

Fortinet-Interface-Name

5

String

Fortinet-Access-Profile

6

String

Fortinet-SSID

7

String

Fortinet-AP-Name

8

String

Fortinet-FAC-Auth-Status

11

String

Fortinet-FAC-Token-ID

12

String

Fortinet-FAC-Challenge-Code

15

String

Fortinet-Webfilter-Category-Allow

16

String

Fortinet-Webfilter-Category-Block

17

Octets

Fortinet-Webfilter-Category-Monitor

18

Octets

Fortinet-AppCtrl-Category-Allow

19

Octets

Fortinet-AppCtrl-Category-Block

20

Octets

Fortinet-AppCtrl-Risk-Allow

21

Octets

Fortinet-AppCtrl-Risk-Block

22

Octets

Fortinet-WirelessController-Device-MAC

23

Ether

Fortinet-WirelessController-WTP-ID

24

String

Fortinet-WirelessController-Assoc-Time

25

Date

Fortinet-FortiWAN-AVPair

26

String

Fortinet-FDD-Access-Profile

30

String

Fortinet-FDD-Trusted-Hosts

31

String

Fortinet-FDD-SPP-Name

32

String

Fortinet-FDD-Is-System-Admin

33

String

Fortinet-FDD-Is-SPP-Admin

34

String

Fortinet-FDD-SPP-Policy-Group

35

String

Fortinet-FDD-Allow-API-Access

36

String

Fortinet-Fpc-User-Role

40

String

Fortinet-Tenant-Identification

41

String

Fortinet-Host-Port-AVPair

42

String

* For Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate. Refer to the documentation provided by your RADIUS server for configuration details.

RADIUS AVPs and VSAs

RADIUS AVPs and VSAs

This topic describes RADIUS Attribute Value Pairs (AVPs) and Vendor-Specific Attributes (VSAs).

AVPs

RADIUS packets include a set of AVPs to identify information about the user, their location, and other information. The IETF defined a set of 255 standard attributes, which are well known and come in the form of Type, Length, Value (for more details, refer to RFC 2865). Of the standard 255, the FortiGate sends the following RADIUS attributes:

RADIUS attribute number

Name

Description

1

User-Name

Name of the user being authenticated by the RADIUS server.

4

NAS-IP-Address

IP address of the network access server (NAS) that is requesting authentication. The NAS is the FortiGate.

8

Framed-IP-Address

IP address to be configured for the user, by sending the IP address of a user to the RADIUS server in the Access-Request packet.

25

Class

Used in accounting packets and requests for firewall, WiFi, and proxy authentication. The attribute is returned in the Access-Accept message and is added to all accounting packets.

26

Fortinet-VSA

See VSAs.

32

NAS-Identifier

Identifier or IP address of the NAS that is requesting authentication. The NAS is the FortiGate.

42

Acct-Input-Octets

Number of octets received from the port over the course of this service being provided. Used to charge the user for the amount of traffic they used.

43

Acct-Output-Octets

Number of octets sent to the port while delivering this service. Used to charge the user for the amount of traffic they used.

44

Acct-Session-Id

Unique number assigned to each start and stop record to make it easy to match them, and to eliminate duplicate records.

55

Event-Timestamp

Records the time that the event occurred on the NAS. The timestamp is measured in seconds since January 1, 1970 00:00 UTC. Before the Event-Timestamp attribute can be sent in a packet, make sure that the correct time is set on the FortiGate.

VSAs

Some vendors want or need to send attributes that do not match any of the defined IETF attributes. This can be accomplished by using RADIUS attribute type 26, which allows a vendor to encapsulate their own specific attributes in this standard AVP.

In order to support VSAs, the RADIUS server requires a dictionary to define the VSAs. This dictionary is typically supplied by the client or server vendor.

The Fortinet RADIUS vendor ID is 12356 and contains the following attributes:

Attribute name

Attribute number

Attribute value format

Fortinet-Group-Name

1

String

Fortinet-Client-IP-Address

2

IP address

Fortinet-Vdom-Name*

3

String

Fortinet-Client-IPv6-Address

4

Octets

Fortinet-Interface-Name

5

String

Fortinet-Access-Profile

6

String

Fortinet-SSID

7

String

Fortinet-AP-Name

8

String

Fortinet-FAC-Auth-Status

11

String

Fortinet-FAC-Token-ID

12

String

Fortinet-FAC-Challenge-Code

15

String

Fortinet-Webfilter-Category-Allow

16

String

Fortinet-Webfilter-Category-Block

17

Octets

Fortinet-Webfilter-Category-Monitor

18

Octets

Fortinet-AppCtrl-Category-Allow

19

Octets

Fortinet-AppCtrl-Category-Block

20

Octets

Fortinet-AppCtrl-Risk-Allow

21

Octets

Fortinet-AppCtrl-Risk-Block

22

Octets

Fortinet-WirelessController-Device-MAC

23

Ether

Fortinet-WirelessController-WTP-ID

24

String

Fortinet-WirelessController-Assoc-Time

25

Date

Fortinet-FortiWAN-AVPair

26

String

Fortinet-FDD-Access-Profile

30

String

Fortinet-FDD-Trusted-Hosts

31

String

Fortinet-FDD-SPP-Name

32

String

Fortinet-FDD-Is-System-Admin

33

String

Fortinet-FDD-Is-SPP-Admin

34

String

Fortinet-FDD-SPP-Policy-Group

35

String

Fortinet-FDD-Allow-API-Access

36

String

Fortinet-Fpc-User-Role

40

String

Fortinet-Tenant-Identification

41

String

Fortinet-Host-Port-AVPair

42

String

* For Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate. Refer to the documentation provided by your RADIUS server for configuration details.