
Administration Guide

7.4.0

Configure Local RADIUS Server settings

Configuration

This view is used to configure FortiNAC as the 802.1x EAP termination point.

Note:

  • Requires Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management.
  • FortiNAC can be configured to authenticate RADIUS using either the built-in local RADIUS server, external server(s) or a combination of both. To configure FortiNAC to proxy 802.1x packets to an external RADIUS server for EAP termination, see RADIUS.
  • Multiple server configurations are supported.

Field

Description

Service Info

Status

Displays the current server status.

  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running
Toggle Service Status

Enable/Disable processing of local RADIUS requests.

Details & Logs

Displays the RADIUS service log, the RADIUS-specific output of the FNAC server log, and the system journal. The view tags important failure messages in red, and includes a filter control that can either show only lines containing the specified string (the 'Filter' button) or color lines containing the specified string while keeping the surrounding context (the 'Mark' button).

RADIUS Service Details

This view shows FortiNAC server logs (the most recent 3000 lines). It can be used for both Local and Proxy Virtual Server configurations. These logs do not apply to Legacy Proxy configurations.

  • Service Status: Shows additional details of the state of the RADIUS service beyond the status field in the main view
  • Service Log: Shows the debug information for the RADIUS service. The place to start when authentication is not working as expected.

    Note: In most cases, the ‘Service Log Level’ should be set to Normal for the best troubleshooting information.

  • Server Log: FNAC server log. Useful to debug post-auth related problems such as incorrect or missing response values, or a post-auth Deny being returned unexpectedly.
  • Systemd Journal: OS journal output that shows helpful information when the service will not start for some reason (missing / corrupt configuration files, certificates, etc).
  • Network Access: Displays all Access-Requests and the corresponding Access-Accept or Access-Reject, and the attributes in the request/reply or cause for the Access-Reject.

Logs can be filtered using the controls at the top of the view.

  • Filter Button: Shows only lines containing the filter string
  • Mark Button: Shows the full log output but highlights lines containing the filter string in blue for context. This can be used multiple times to highlight additional strings
  • Clear Button: Resets the filter
  • Previous/Next Buttons: Will auto scroll and select matches for the specified filter string
  • Show Flagged Errors Only: Shows only lines that have been flagged in red as a common problem.

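The Filter, Mark, Clear, Previous/Next and Show Flagged Errors Only controls described above are easy to reason about as operations over a list of log lines. The following is an added example, not FortiNAC code: it models those controls in Python over a handful of constructed lines written in the style of a RADIUS service log. The FLAG_PATTERNS list is an assumption standing in for whatever the real view treats as a "common problem"; the sample lines, request numbers and addresses are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of a RADIUS service log.
# They are NOT real FortiNAC output; request numbers, ids and IPs are made up.
SAMPLE_LOG = """\
(0) Received Access-Request Id 42 from 10.0.0.5:49152 to 10.0.0.1:1812 length 180
(0) eap: Peer sent EAP Response (code 2) ID 1 length 12
(0) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
(0) Sent Access-Reject Id 42 from 10.0.0.1:1812 to 10.0.0.5:49152 length 44
(1) Received Access-Request Id 43 from 10.0.0.6:49153 to 10.0.0.1:1812 length 176
(1) Sent Access-Accept Id 43 from 10.0.0.1:1812 to 10.0.0.6:49153 length 60
"""

# Assumed "common problem" patterns (the view's real flag list is not documented here).
FLAG_PATTERNS = [re.compile(p) for p in (r"\bERROR\b", r"Access-Reject", r"unknown CA")]


@dataclass(frozen=True)
class RenderedLine:
    text: str
    flagged: bool   # True -> the view would show this line in red
    marks: tuple    # mark strings present in this line (highlighted in blue)


class LogView:
    """Models the Filter / Mark / Clear / Show Flagged Errors Only controls."""

    def __init__(self, raw: str):
        # Flagging is computed once per line; filtering and marking are applied at render time
        self._lines = [(t, any(p.search(t) for p in FLAG_PATTERNS)) for t in raw.splitlines()]
        self.clear()

    def filter(self, s: str) -> None:
        self.filter_string = s

    def mark(self, s: str) -> None:
        # Repeated Mark clicks accumulate highlight strings
        self.mark_strings.append(s)

    def show_flagged_only(self, on: bool = True) -> None:
        self.flagged_only = on

    def clear(self) -> None:
        self.filter_string = ""
        self.mark_strings = []
        self.flagged_only = False

    def render(self):
        out = []
        for text, flagged in self._lines:
            if self.filter_string and self.filter_string not in text:
                continue            # Filter: hide non-matching lines entirely
            if self.flagged_only and not flagged:
                continue            # Show Flagged Errors Only
            marks = tuple(m for m in self.mark_strings if m in text)
            out.append(RenderedLine(text, flagged, marks))
        return out

    def matches(self, s: str):
        """Indexes within the rendered view that Previous/Next would step through."""
        return [i for i, ln in enumerate(self.render()) if s in ln.text]
```

Marking keeps every line and only annotates the matching ones, which is why it preserves context while Filter does not.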
General Settings

Authentication Port

RADIUS service will listen for authentication requests on the specified port. This is typically port 1812 or 1645.

Note: For Eduroam enabled networks, port 1812 must be used.

Important: If external RADIUS servers are also defined, the authentication port must be set to a different value than the RADIUS proxy ports.

Proxy Accounting

If enabled, the RADIUS service will listen for accounting packets on the specified authentication port +1. As the authentication port is typically 1812 or 1645, this is typically 1813 or 1646. FortiNAC proxies the packets to a customer-owned (external) RADIUS server. In some RADIUS integrations, FortiNAC can also process the accounting packets. Refer to the integration guides in the Document Library for details.

Note: RADIUS accounting is only supported by virtual servers of type "Proxy". It is not supported for Local virtual servers.

Proxy MAB Requests

If enabled, proxy virtual servers will proxy all requests, including MAC authentication Bypass (MAB). When disabled, proxy virtual servers will only proxy 802.1x requests, and will process MAB requests locally.

Activity Monitoring

Enable activity monitoring to track authentication statistics. This exposes a new Activity tab under Network > RADIUS. See Activity.

Alternatively, add the RADIUS widget to a dashboard panel to view current, timeline or historical comparison data.

The timeline and historical comparison views will become useful after activity monitoring has been enabled for some time.

Authentication Failure Events

Enable to generate an event for each authentication failure. This information can be exported using an external log receiver such as FortiSIEM or FortiAnalyzer. Independent of Activity Monitoring, enabling this will only generate the event.

Note: The ‘RADIUS Authentication Failure’ event type must also be configured in the Event Management view to direct failure events to internal logging and/or external log receivers configured in the Log Receivers view.

Legacy Proxy Configuration

Enable to see the legacy Proxy view.

The RADIUS service directly supports the ability to proxy authentication requests and accounting packets to another server by creating a server configuration in the Virtual Servers tab of type 'Proxy'.

In earlier releases, the FortiNAC server itself would listen for and forward RADIUS packets rather than the RADIUS service. When enabled, this is configured via the 'Legacy Proxy' tab. Devices configured to use Legacy Proxy should be updated to use the new proxy functionality, as the Legacy Proxy is deprecated and will be removed in a future release.

Note: Disabling this control will do this automatically using the Virtual Server(s) created during upgrade that match the primary/secondary proxy servers used by Legacy Proxy for that device, as well as monitoring the ports configured in the 'Legacy Proxy' tab for disabled RADS (sic) traffic. If Legacy Proxy Configuration is re-enabled, these devices will need to be manually reconfigured to resume using Legacy Proxy. RELATED INFO: The RFC_Var vendor attribute group is selected by default for devices converted from Legacy Proxy mode, and should be modified manually if this is not the appropriate attribute group for the device.

Security

RADIUS over TLS (RadSec)

Note: Introduced in v7.2.1

Enables a RadSec listener in the RADIUS service that can receive and process secure RadSec communications from devices that support it. The listener is created on the RadSec authentication port.

Valid certificates and keys will need to be configured in the System > Certificate Management view for a connection to be established with the client sending authentication request.

Discard Unencrypted Requests

Determines if standard RADIUS packets will still be processed or if only RadSec packets are processed. If this is enabled, a listener will not be created on the authentication port specified in the General Settings section above Security.

Client Certificate Required

When enabled, RadSec communication may only be established when the supplicant provides a valid client certificate. This will require a valid CA Certificate be uploaded in the System > Certificate Management > Trusted Certificates view. When disabled, RadSec communication may be established with only the server certificate being validated.

RadSec Authentication Port

The RADIUS service will listen on this port for encrypted authentication requests. This is typically port 2083.
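The Authentication Port, Proxy Accounting, Discard Unencrypted Requests and RadSec Authentication Port settings above together determine which listeners the service opens, and the Important note under Authentication Port adds a constraint against the proxy ports. The following is an added example, not FortiNAC code: a small Python model that derives the planned listeners from those settings and checks them against the rules stated on this page (accounting on authentication port +1, no plain listener when unencrypted requests are discarded, port 1812 for Eduroam, no overlap with external RADIUS proxy ports). The field names, the proxy_ports input and the eduroam flag are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LocalRadiusSettings:
    # Names follow the settings on this page; defaults are the typical values it cites.
    authentication_port: int = 1812
    proxy_accounting: bool = False
    radsec_enabled: bool = False
    discard_unencrypted_requests: bool = False
    radsec_authentication_port: int = 2083
    # UDP ports of external (proxy) RADIUS server definitions on this box (assumed input)
    proxy_ports: List[int] = field(default_factory=list)
    eduroam: bool = False  # assumed flag: the site participates in Eduroam


def planned_listeners(s: LocalRadiusSettings) -> List[Tuple[str, int, str]]:
    """(protocol, port, purpose) for each listener the service would open."""
    listeners = []
    # Discard Unencrypted Requests suppresses the plain RADIUS listener; it only
    # makes sense together with RadSec, so it is ignored when RadSec is off.
    if not (s.radsec_enabled and s.discard_unencrypted_requests):
        listeners.append(("udp", s.authentication_port, "RADIUS authentication"))
    if s.proxy_accounting:
        # Accounting is received on authentication port + 1 and proxied onward
        listeners.append(("udp", s.authentication_port + 1, "RADIUS accounting (proxied)"))
    if s.radsec_enabled:
        listeners.append(("tcp", s.radsec_authentication_port, "RadSec authentication (TLS)"))
    return listeners


def validate(s: LocalRadiusSettings) -> List[str]:
    """Return human-readable problems; an empty list means the settings are consistent."""
    problems = []
    if s.eduroam and s.authentication_port != 1812:
        problems.append("Eduroam-enabled networks require authentication port 1812")
    if s.discard_unencrypted_requests and not s.radsec_enabled:
        problems.append("Discard Unencrypted Requests has no effect unless RadSec is enabled")
    for proto, port, purpose in planned_listeners(s):
        # The local listeners must not share a port with the RADIUS proxy ports
        if proto == "udp" and port in s.proxy_ports:
            problems.append(f"{purpose} on udp/{port} collides with an external RADIUS proxy port")
    return problems
```

Running validate() before applying a change catches the proxy-port collision that otherwise only shows up later as a service that will not start, which is the kind of failure the Systemd Journal view described above is there to explain.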

Ciphers/Protocols

A secure RadSec channel can only be established when the client and server peers both agree on a common cipher and protocol to use. The connection can only be made when the supplicant supports ciphers and protocol versions specified in this section.

  • Auto Update RadSec Ciphers/Protocols

    If enabled, the supported RadSec ciphers and TLS protocols will be managed by FortiNAC.

  • RadSec Protocol(s)

    If Auto Update RadSec Ciphers/Protocols is disabled, the protocols to use are specified here.

  • RadSec Cipher(s)

    If Auto Update RadSec Ciphers/Protocols is disabled, the ciphers to use are specified here.
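The Client Certificate Required and Ciphers/Protocols settings map directly onto the TLS server context a RadSec listener is built from. The following is an added example, not FortiNAC code: it builds such a context with Python's ssl module, showing the difference between a library-managed cipher/protocol set (standing in for Auto Update) and an explicit minimum protocol and cipher list, and between requiring a client certificate (mutual TLS against a trusted CA) and validating only the server certificate. The MANUAL_* values and the file path parameters are assumptions; a real deployment takes the server certificate and trusted CA from System > Certificate Management.

```python
import ssl
from typing import Optional

# Explicit lists used when "Auto Update RadSec Ciphers/Protocols" is off.
# These are assumptions for the example, not FortiNAC's managed values.
MANUAL_MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2
MANUAL_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"


def build_radsec_context(auto_update: bool = True,
                         client_cert_required: bool = True,
                         ca_file: Optional[str] = None,
                         cert_file: Optional[str] = None,
                         key_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context for a RadSec listener (RADIUS over TLS, typically tcp/2083)."""
    if auto_update:
        # Library-managed secure defaults stand in for the FortiNAC-managed list
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = MANUAL_MIN_PROTOCOL   # RadSec Protocol(s)
        ctx.set_ciphers(MANUAL_CIPHERS)             # RadSec Cipher(s)
    # Server certificate and key (placeholder paths; only loaded when supplied)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_cert_required:
        # Client Certificate Required: the peer must present a certificate that
        # chains to a CA in the trusted store, or the handshake fails.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(ca_file)   # Trusted Certificates
    else:
        # Only the server certificate is validated (by the connecting client)
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the context, convenient for checks and logging."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_protocol": ctx.minimum_version.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }
```

When Auto Update is off, the RadSec peers (the network devices) must support at least one cipher from the explicit list and the minimum protocol version, which is the agreement the Ciphers/Protocols text above refers to; a mismatch surfaces as a handshake failure in the Service Log rather than as a RADIUS Access-Reject.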

Note: If debug is enabled for the RADIUS service and RadSec is enabled, you will see additional listeners indicating FortiNAC is ready to receive and process RadSec requests, identified by "(TLS)" in the listener entries.

Debug & Troubleshooting

Show/hide controls for enabling RADIUS debug. Both RADIUS service and FNAC server debug can be enabled independently. The former is a good starting place for authentication and service startup failures. The latter is useful when authentication succeeds up to the post-auth phase where FNAC does post-auth processing and can diagnose why FNAC returns a deny, incorrect VLAN or filter ID, or wrong/missing response value data (for instance when a device does not have local RADIUS enabled, the port is not in the Role-Based Access port group, etc).

  • Service Log Level: Enables RADIUS service debug. Debug outputs will be displayed in Service Status > Server Log.

    • Service Debug Host MAC Filter (Optional): Scope service debug information to one or more (comma separated) host MAC addresses.

  • FortiNAC Server Log Debug: Enable FortiNAC server debug related to local RADIUS access processing. Debug outputs will be displayed in Service Status > Server Log.

    • Include Network Access Policy Debug: Include policy lookup debug to troubleshoot problems matching the proper network access policy. For other post-auth issues, leaving this disabled is recommended for better readability.

    • Service Debug Host MAC Filter (Optional): Scope service debug information to one or more (comma separated) host MAC addresses.

Both logs can be used to show both the request attributes and the response attributes for the request.

Both MAC filter fields allow the debug to be output only for the specified host MAC addresses. This can be helpful to filter out other requests if troubleshooting is occurring on a production system that is actively processing other requests.
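Both Host MAC Filter fields take a comma-separated list of host MAC addresses and restrict debug output to those hosts. The following is an added example, not FortiNAC code: it parses such a field, accepts the common MAC notations (colon, dash, dotted and bare hex) by normalizing them to one canonical form, and scopes a set of constructed debug lines to the requests for the filtered hosts, keeping every line of a matching request so that attributes such as User-Name stay in context. The sample lines, the "(N)" request-number prefix and the Calling-Station-Id attribute placement are assumptions for the example.

```python
import re
from typing import Iterable, List, Set

# Constructed sample debug lines (not real FortiNAC output); "(N)" is the request number.
SAMPLE_DEBUG = [
    '(0) Received Access-Request Id 10 from 10.0.0.5:49152',
    '(0) Calling-Station-Id = "00-11-22-33-44-55"',
    '(0) User-Name = "alice"',
    '(1) Received Access-Request Id 11 from 10.0.0.6:49153',
    '(1) Calling-Station-Id = "AA:BB:CC:DD:EE:FF"',
    '(2) Calling-Station-Id = "1234.5678.9abc"',
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MAC_IN_TEXT = re.compile(
    r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b"   # 00:11:22:33:44:55 or 00-11-22-33-44-55
    r"|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b"        # 0011.2233.4455
    r"|\b[0-9a-f]{12}\b"                            # 001122334455
)
_REQUEST_ID = re.compile(r"^\((\d+)\)")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form; raises ValueError for anything that is not a MAC."""
    hexdigits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_mac(raw: str) -> bool:
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def parse_mac_filter(field_value: str) -> Set[str]:
    """Comma-separated filter field -> set of canonical MACs (blank entries ignored)."""
    return {normalize_mac(tok) for tok in field_value.split(",") if tok.strip()}


def macs_in_line(line: str) -> Set[str]:
    return {normalize_mac(m.group(0)) for m in _MAC_IN_TEXT.finditer(line)}


def scope_debug(lines: Iterable[str], filter_field: str) -> List[str]:
    """Keep only the debug lines for requests from the filtered hosts (all lines if empty)."""
    lines = list(lines)
    wanted = parse_mac_filter(filter_field)
    if not wanted:
        return lines
    # First pass: request numbers whose lines carry one of the wanted MACs
    ids = set()
    for line in lines:
        m = _REQUEST_ID.match(line)
        if m and macs_in_line(line) & wanted:
            ids.add(m.group(1))
    # Second pass: keep every line of those requests; lines without a request
    # number are kept only if they mention a wanted MAC themselves.
    out = []
    for line in lines:
        m = _REQUEST_ID.match(line)
        if (m and m.group(1) in ids) or (not m and macs_in_line(line) & wanted):
            out.append(line)
    return out
```

Normalizing both the filter entries and the addresses found in the log is what makes the filter tolerant of the different notations switches, controllers and supplicants put into Calling-Station-Id.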
