Administration Guide

Configuring a RADIUS server

A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius.

Basic configuration

The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.

GUI field: Name
CLI setting: edit <name>
Description: Define the RADIUS server object within FortiOS.

GUI field: Authentication method
CLI setting: set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
Description: Specify the authentication method, or select Default/auto to negotiate PAP, MSCHAP_v2, and CHAP in that order.

GUI field: NAS IP
CLI setting: set nas-ip <IPv4_address>
Description: Optional setting, also known as Calling-Station-Id. Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate will use the IP address of the interface that communicates with the RADIUS server.

GUI field: Include in every user group
CLI setting: set all-usergroup {enable | disable}
Description: Optional setting to add the RADIUS server to each user group. This allows each user group to try to authenticate users against the RADIUS server if local authentication fails.

GUI field: Primary Server > IP/Name
CLI setting: set server <string>
Description: Enter the IP address or resolvable FQDN of the RADIUS server.

GUI field: Primary Server > Secret
CLI setting: set secret <password>
Description: Enter the shared secret used to connect to the RADIUS server.

There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).

Advanced settings

Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.

To edit the port used to connect with the RADIUS server:

config system global
    set radius-port <integer>
end

To edit the default setting for password encoding and username case sensitivity:

config user radius
    edit <name>
        set password-encoding {auto | ISO-8859-1}
        set username-case-sensitive {enable | disable}
    next
end

password-encoding {auto | ISO-8859-1}

Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The auth-type must be auto or pap to change this setting.

username-case-sensitive {enable | disable}

Enable/disable case sensitive usernames (default = disable).

To configure different transport protocols:

config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
    next
end

transport-protocol {udp | tcp | tls}

Set the type of transport protocol to use:

  • udp: use UDP (default)
  • tcp: use TCP, but no TLS security
  • tls: use TLS over TCP

To configure a RADSEC client with TLS:

config user radius
    edit <name>
        set transport-protocol tls
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
        set server-identity-check {enable | disable}
    next
end

ca-cert <string>

Set the CA certificate of the server to trust under TLS.

client-cert <string>

Set the client certificate to use under TLS.

tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum supported protocol version for TLS connections:

  • default: follow the system global setting
  • SSLv3: use SSLv3
  • TLSv1: use TLSv1
  • TLSv1-1: use TLSv1.1
  • TLSv1-2: use TLSv1.2

server-identity-check {enable | disable}

Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

For RADSEC over TLS example configuration, see Configuring a RADSEC client.

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks.

Note

To account for dynamic IP address changes, such as those governed by SD-WAN rules, interface names can be used to define the source IP addresses in RADIUS, LDAP, and DNS configurations using the source-ip-interface command. See Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations.

RADIUS Connection

When using TCP or UDP as transport, the RADIUS protocol is exposed to the vulnerability described in CVE-2024-3596. To protect against this RADIUS vulnerability, FortiGate, acting as a RADIUS client, will:

  1. Force the validation of the Message-Authenticator attribute.

  2. Reject any RADIUS response that carries an unrecognized Proxy-State attribute.

Message authenticator checking is made mandatory under UDP/TCP. It is not mandatory when using TLS.

Therefore, if FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message authenticator attribute is used in its RADIUS messages. Check with your RADIUS server vendor for information about support for the message authenticator attribute.
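The two client-side checks above, as an added Python example that is not FortiOS code: it verifies a UDP/TCP RADIUS reply's Response Authenticator (RFC 2865), requires and verifies the Message-Authenticator attribute (HMAC-MD5, RFC 2869), and rejects any Proxy-State the client did not send. The shared secret, Request Authenticator and reply packets are constructed inline; build_accept exists only to produce a sample reply from a patched server versus a legacy one that omits the attribute.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, PROXY_STATE, MESSAGE_AUTHENTICATOR = 2, 33, 80


def parse_attrs(data):
    # Split the attribute section into (type, value) pairs, rejecting bad lengths
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def verify_response(packet, request_auth, secret, sent_proxy_states=()):
    # Client-side checks for a UDP/TCP RADIUS reply; returns (accepted, reason)
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad length"
    header, attrs_raw = packet[:4], packet[20:]
    # Response Authenticator (RFC 2865) ties the reply to our request and the shared secret
    expect = hashlib.md5(header + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expect, packet[4:20]):
        return False, "response authenticator mismatch"
    attrs = parse_attrs(attrs_raw)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:  # mitigation 1: attribute is mandatory
        return False, "message authenticator missing"
    # HMAC-MD5 (RFC 2869) over the packet with the MAC zeroed and the Request Authenticator in place
    zeroed = build_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, macs[0]):
        return False, "message authenticator mismatch"
    if [v for t, v in attrs if t == PROXY_STATE] != list(sent_proxy_states):
        return False, "unrecognized proxy-state"  # mitigation 2: only echoes of our own Proxy-State pass
    return True, "ok"

def build_accept(ident, request_auth, secret, attrs=(), with_mac=True):
    # Constructed Access-Accept as sent by a patched server (with_mac) or a legacy one (no MAC)
    attrs = list(attrs) + ([(MESSAGE_AUTHENTICATOR, b"\x00" * 16)] if with_mac else [])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(build_attrs(attrs)))
    if with_mac:
        attrs[-1] = (MESSAGE_AUTHENTICATOR, hmac.new(secret, header + request_auth + build_attrs(attrs), hashlib.md5).digest())
    body = build_attrs(attrs)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body
```

A reply from a legacy server fails the mandatory Message-Authenticator check even though its Response Authenticator is valid, which is why such servers must be patched before FortiGate will accept their responses over UDP/TCP.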

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks.