For RADIUS authentication and authorization, the RADIUS client (the FortiGate) passes the username, password, and NAS-IP to the RADIUS server in its access request. The RADIUS server authenticates and authorizes based on this information. Each RADIUS server can be configured with multiple NAS-IPs for authenticating different groups and NAS clients.
On the FortiGate, configuring the NAS-IP in the realm settings overrides the RADIUS server setting, allowing multiple NAS-IPs to be mapped to the same RADIUS server.
In this example, the user wants to present one FortiGate VDOM with different NAS-IPs to a single RADIUS server based on specific rules.
- Configure a RADIUS user and add it to a group:
config user radius edit "fac150" set server "172.16.200.150" set secret ******** set nas-ip 172.16.200.2 config accounting-server edit 1 set status enable set server "172.16.200.150" set secret ******** next end next end config user group edit "radgrp" set member "fac150" next end
- Configure a realm for the user with a different NAS-IP:
config vpn ssl web realm edit "realm1" set login-page '.......' set radius-server "fac150" set nas-ip 10.1.100.2 next end
- Configure SSL-VPN with an authentication rule that includes the user group and the realm:
config vpn ssl settings ... config authentication-rule edit 1 set groupd "radgrp" set portal "testportal1" set realm "realm1" next end end
- Create a firewall policy:
config firewall policy edit 1 set name "sslvpn1" ... set srcintf "ssl.vdom1" set groups "radgrp" next end
Because the RADIUS server and NAS-IP are specified in realm1, its NAS-IP is used for authentication.