Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC-F 7.2.0 Administration Guide
    7.2.0
    7.6.0
    7.4.0
    7.2.0

    Local Servers

    Local Servers

    Disabled by default.

    Authentication:

    • FortiNAC’s Local Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

    • FortiNAC-OS Requirement: "radius-local" option must be included in the "set allowaccess" command. See Open ports for details.

    Accounting:

    • The Local Server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

    • FortiNAC-OS Requirement: "radius-acct" option must be included in the "set allowaccess" command. See Open ports for details.

    FortiNAC processes both RADIUS MAC and 802.1x EAP authentication locally and does not require an external RADIUS server.

    Supported 802.1x EAP modes:

    • TTLS/PAP
    • TTLS/MSCHAPv2
    • PEAP/MSCHAPv2
    • TLS

    Field

    Description

    Name

    Unique name used to identify the configuration.
    TLS Service Configuration

    Select the TLS Service Configuration to use.

    Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local Server.

    TLS Details.

    • Name: Unique name used to identify the configuration.

    • Cerificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate management view.

    • Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

    • TLS Protocols: The list of TLS Protocols to allow by the server. At least one TLS Protocol must be selected. TLS Protocols must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

    • Ciphers: The Cipher Suite to use when encoding messages using TLS. At least one Cipher must be selected. Ciphers must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

    Supported EAP Types

    Allows configuration of which EAP types are enabled. The field displays the EAP Types currently enabled. Click the drill down menu to view the available types. Click on a specific type to either enable or disable:

    • TLS - Requires the Endpoint Trust Certificate to be installed. For installation instructions see Certificate management

    • TTLS

    • PEAP

    • LEAP

    • MD5

    • GTC

    • MSCHAPV2
    Winbind Domain(s) For MSCHAPv2 authentication, specify the winbind instances for the allowed Active Directory server(s) or 'Allow Any' for authentication using any defined servers. Manage winbind instances in the Winbind tab. For more details on configuring winbinds see Winbind .
    Enable OCSP

    If enabled, EAP-TLS client certificates will have OCSP verification performed, using the URL embedded in the client certificate. Important: Certificates must contain the OCSP URL. Otherwise, client authentication will fail.

    Previous
    Next

    Local Servers

    Local Servers

    Disabled by default.

    Authentication:

    • FortiNAC’s Local Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

    • FortiNAC-OS Requirement: "radius-local" option must be included in the "set allowaccess" command. See Open ports for details.

    Accounting:

    • The Local Server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

    • FortiNAC-OS Requirement: "radius-acct" option must be included in the "set allowaccess" command. See Open ports for details.

    FortiNAC processes both RADIUS MAC and 802.1x EAP authentication locally and does not require an external RADIUS server.

    Supported 802.1x EAP modes:

    • TTLS/PAP
    • TTLS/MSCHAPv2
    • PEAP/MSCHAPv2
    • TLS

    Field

    Description

    Name

    Unique name used to identify the configuration.
    TLS Service Configuration

    Select the TLS Service Configuration to use.

    Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local Server.

    TLS Details.

    • Name: Unique name used to identify the configuration.

    • Cerificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate management view.

    • Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

    • TLS Protocols: The list of TLS Protocols to allow by the server. At least one TLS Protocol must be selected. TLS Protocols must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

    • Ciphers: The Cipher Suite to use when encoding messages using TLS. At least one Cipher must be selected. Ciphers must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

    Supported EAP Types

    Allows configuration of which EAP types are enabled. The field displays the EAP Types currently enabled. Click the drill down menu to view the available types. Click on a specific type to either enable or disable:

    • TLS - Requires the Endpoint Trust Certificate to be installed. For installation instructions see Certificate management

    • TTLS

    • PEAP

    • LEAP

    • MD5

    • GTC

    • MSCHAPV2
    Winbind Domain(s) For MSCHAPv2 authentication, specify the winbind instances for the allowed Active Directory server(s) or 'Allow Any' for authentication using any defined servers. Manage winbind instances in the Winbind tab. For more details on configuring winbinds see Winbind .
    Enable OCSP

    If enabled, EAP-TLS client certificates will have OCSP verification performed, using the URL embedded in the client certificate. Important: Certificates must contain the OCSP URL. Otherwise, client authentication will fail.

    Previous
    Next