Configuration
This view is used to configure FortiNAC as the 802.1x EAP termination point.
Note:
- Requires Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management.
- FortiNAC can be configured to authenticate RADIUS using either the built-in local RADIUS server, external server(s), or a combination of both. To configure FortiNAC to proxy 802.1x packets to an external RADIUS server for EAP termination, see RADIUS.
- Multiple server configurations are supported.
| Field | Description |
|---|---|
| Service Info | |
| Status | Displays the current server status. |
| Toggle Service Status | Enable/Disable processing of local RADIUS requests. |
| Details & Logs | Displays the RADIUS service log, the RADIUS-specific output of the FNAC server log, and the system journal. The view tags important failure messages in red, and includes a filter control to either show only lines containing the specified string (the 'Filter' button) or to color lines containing the specified string (the 'Mark' button) so that context is kept. RADIUS Service Details: this view shows FortiNAC server logs (the most recent 3000 lines). It can be used for both Local and Proxy Virtual Server configurations. These logs do not apply to Legacy Proxy configurations. Logs can be filtered using the controls at the top of the view. |
| General Settings | |
| Authentication Port | The RADIUS service will listen for authentication requests on the specified port. This is typically port 1812 or 1645. Note: For Eduroam-enabled networks, port 1812 must be used. Important: If external RADIUS servers are also defined, the authentication port must be set to a different value than the RADIUS proxy ports. |
| Proxy Accounting | If enabled, the RADIUS service will listen for accounting packets on the specified authentication port +1. As the authentication port is typically 1812 or 1645, this is typically 1813 or 1646. FortiNAC proxies the packets to a customer-owned (external) RADIUS server. In some RADIUS integrations, FortiNAC can also process the accounting packets. Refer to the integration guides in the Document Library for details. Note: RADIUS accounting is only supported by virtual servers of type "Proxy". It is not supported for Local virtual servers. |
| Proxy MAB Requests | If enabled, proxy virtual servers will proxy all requests, including MAC Authentication Bypass (MAB). When disabled, proxy virtual servers will only proxy 802.1x requests and will process MAB requests locally. |
| Activity Monitoring | Enable activity monitoring to track authentication statistics. This exposes a new Activity tab under Network > RADIUS. See Activity. Alternatively, add the RADIUS widget to a dashboard panel to view current, timeline, or historical comparison data. The timeline and historical comparison views become useful after activity monitoring has been enabled for some time. |
| Authentication Failure Events | Enable to generate an event for each authentication failure. This information can be exported using an external log receiver such as FortiSIEM or FortiAnalyzer. This setting is independent of Activity Monitoring; enabling it only generates the event. Note: The 'RADIUS Authentication Failure' event type must also be configured in the Event Management view to direct failure events to internal logging and/or to the external log receivers configured in the Log Receivers view. |
| Legacy Proxy Configuration | Enable to see the legacy Proxy view. The RADIUS service directly supports proxying authentication requests and accounting packets to another server by creating a server configuration of type 'Proxy' in the Virtual Servers tab. In earlier releases, the FortiNAC server itself, rather than the RADIUS service, would listen for and forward RADIUS packets. When enabled, this is configured via the 'Legacy Proxy' tab. Devices configured to use Legacy Proxy should be updated to use the new proxy functionality, as Legacy Proxy is deprecated and will be removed in a future release. Note: Disabling this control does this automatically, using the Virtual Server(s) created during upgrade that match the primary/secondary proxy servers used by Legacy Proxy for that device, and monitoring the ports configured in the 'Legacy Proxy' tab for disabled RADS (sic) traffic. If Legacy Proxy Configuration is re-enabled, these devices will need to be manually reconfigured to resume using Legacy Proxy. Related info: The RFC_Var vendor attribute group is selected by default for devices converted from Legacy Proxy mode and should be modified manually if this is not the appropriate attribute group for the device. |
| Security | |
| RADIUS over TLS (RadSec) (Note: Introduced in v7.2.1) | Enables a RadSec listener in the RADIUS service that can receive and process secure RadSec communications from devices that support it. The listener is created on the RadSec authentication port. Valid certificates and keys must be configured in the System > Certificate Management view before a connection can be established with the client sending the authentication request. |
| Discard Unencrypted Requests | Determines whether standard RADIUS packets are still processed or only RadSec packets are processed. If this is enabled, no listener is created on the authentication port specified in the General Settings section above. |
| Client Certificate Required | When enabled, RadSec communication may only be established when the supplicant provides a valid client certificate. This requires a valid CA certificate to be uploaded in the System > Certificate Management > Trusted Certificates view. When disabled, RadSec communication may be established with only the server certificate being validated. |
| RadSec Authentication Port | The RADIUS service will listen on this port for encrypted authentication requests. This is typically port 2083. |
| Ciphers/Protocols | A secure RadSec channel can only be established when the client and server peers agree on a common cipher and protocol version. The connection can only be made when the supplicant supports the ciphers and protocol versions specified in this section. Note: If debug is enabled for the RADIUS service and RadSec is enabled, you will see additional listeners indicating FortiNAC is ready to receive and process RadSec requests, identified by the listeners containing "(TLS)". |
| Debug & Troubleshooting | Show/hide controls for enabling RADIUS debug. RADIUS service debug and FNAC server debug can be enabled independently. The former is a good starting place for authentication and service startup failures. The latter is useful when authentication succeeds up to the post-auth phase, where FNAC performs post-auth processing, and can diagnose why FNAC returns a deny, an incorrect VLAN or filter ID, or wrong/missing response value data (for instance when a device does not have local RADIUS enabled, the port is not in the Role-Based Access port group, etc.). Both logs can show both the request attributes and the response attributes for a request. Both MAC filter fields restrict the debug output to the specified host MAC addresses. This helps filter out other requests when troubleshooting on a production system that is actively processing other requests. |
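As an added example (not FortiNAC's own code or API), the following Python models the listener and port rules stated in the General Settings and Security rows above, together with the local/proxy handling rule from the Proxy MAB Requests and Proxy Accounting rows, so a planned configuration can be checked before it is applied; all field and function names are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class RadiusServiceSettings:
    # Field names are assumptions for this example, not the product's settings API.
    authentication_port: int = 1812       # typically 1812 or 1645
    proxy_accounting: bool = False        # accounting listener on authentication port + 1
    proxy_mab_requests: bool = False      # proxy virtual servers forward MAB too when True
    radsec_enabled: bool = False          # RADIUS over TLS listener (v7.2.1+)
    discard_unencrypted: bool = False     # drop the plain RADIUS authentication listener
    client_cert_required: bool = False    # mutual TLS on the RadSec listener
    radsec_port: int = 2083               # typical RadSec port
    proxy_ports: frozenset = frozenset()  # ports used by external RADIUS proxy targets
    eduroam: bool = False                 # Eduroam-enabled networks must use 1812


def planned_listeners(s: RadiusServiceSettings):
    """Return the listeners the service would open as (proto, port, description),
    or raise ValueError when a rule from the documentation is violated."""
    if s.eduroam and s.authentication_port != 1812:
        raise ValueError("Eduroam-enabled networks must use authentication port 1812")
    if s.authentication_port in s.proxy_ports:
        raise ValueError("authentication port must differ from the RADIUS proxy ports")
    listeners = []
    if not s.discard_unencrypted:  # plain listener is suppressed only by Discard Unencrypted
        listeners.append(("udp", s.authentication_port, "authentication"))
    if s.proxy_accounting:         # accounting is always authentication port + 1
        listeners.append(("udp", s.authentication_port + 1, "accounting (proxied)"))
    if s.radsec_enabled:
        mode = "client cert required" if s.client_cert_required else "server cert only"
        listeners.append(("tcp", s.radsec_port, f"RadSec TLS, {mode}"))
    return listeners


def request_disposition(s: RadiusServiceSettings, server_type: str, request: str):
    """Where a request reaching a virtual server is handled: 'local', 'proxy',
    'unsupported' (Local servers and accounting) or 'no listener' (accounting
    with Proxy Accounting disabled). server_type is 'Local' or 'Proxy';
    request is '802.1x', 'MAB' or 'accounting'."""
    if request == "accounting":
        if server_type != "Proxy":
            return "unsupported"
        return "proxy" if s.proxy_accounting else "no listener"
    if server_type == "Local":
        return "local"
    if request == "MAB" and not s.proxy_mab_requests:
        return "local"   # proxy servers still handle MAB locally unless Proxy MAB Requests is on
    return "proxy"
```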