RadSec Authentication
FortiGuest allows user authentication via RadSec, which secures communication between RADIUS/TCP peers at the transport layer. This is particularly useful in roaming environments where RADIUS packets are transferred through different administrative domains and untrusted, potentially hostile networks.
- Select RadSec as the server type and update the following fields in the Settings tab.
  - Support eduroam - Enable or disable eduroam support with the RadSec server. See Adding RADIUS and RadSec for Eduroam.
  - Verify SSL Certificate CN - Select this option to enable verification.
  - RadSec Type - Select TLS or DTLS as the RadSec type.
  - Server IP Address - Enter the hostname or IP address of the server.
  - Authentication Port - Enter the authentication port number.
  - Secret - Enter and then confirm the shared secret.
- Configure the User, that is, the realm/domain to which the user belongs. This option is not available if eduroam support is enabled. If there is no realm in the RADIUS request, you can enable SSID mapping and add the SSIDs that will use the configured authentication policy. Ensure that the Called-Station-ID attribute contains the SSID as part of the authentication request.
- FortiGuest allows you to upload trusted CA certificates to validate your server. Select a listed certificate or click Create to upload a new certificate.
- Enter any Attribute Mappings required for the server, map them to the usage profile you require, and set the account group. Click Add Mapping to configure the rules for the policy.
Note: To enable external RadSec authentication, the server certificate should be valid for both SSL client and SSL server use.
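The requirement in the note can be checked before a certificate is uploaded. The script below is an added example, not FortiGuest code: it uses `openssl x509 -purpose` to confirm that a PEM certificate is accepted as both an SSL client and an SSL server. The function names and the CN `radsec.example.test` are assumptions, and the sample certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example (not FortiGuest code). Function names are hypothetical.

# Print "Yes" or "No" for one purpose label from `openssl x509 -purpose`.
# $1 = PEM certificate file, $2 = label ("SSL client" or "SSL server")
cert_purpose() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null |
        awk -F' : ' -v p="$2" '$1 == p { print $2; exit }'
}

# Return 0 only if the certificate is accepted for both purposes;
# 1 if one purpose is rejected, 2 if the file cannot be parsed.
check_radsec_cert() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    client=$(cert_purpose "$1" "SSL client")
    server=$(cert_purpose "$1" "SSL server")
    if [ -z "$client" ] || [ -z "$server" ]; then
        echo "$1: not a parsable PEM certificate" >&2
        return 2
    fi
    echo "$1: SSL client=$client, SSL server=$server"
    [ "$client" = "Yes" ] && [ "$server" = "Yes" ]
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output prefix, $2 = extendedKeyUsage value (needs OpenSSL 1.1.1+ for -addext)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=radsec.example.test" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

if [ $# -gt 0 ]; then
    check_radsec_cert "$1"        # check a real certificate file
else
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/both" "serverAuth,clientAuth"
    make_sample_cert "$tmp/server-only" "serverAuth"
    check_radsec_cert "$tmp/both.pem" && echo "  -> usable for RadSec"
    check_radsec_cert "$tmp/server-only.pem" || echo "  -> rejected: lacks SSL client purpose"
    rm -rf "$tmp"
fi
```

Run it with a certificate path as the only argument to check a real file; with no argument it exercises the two constructed samples.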