Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Order of precedence

When one or more RADIUS servers are used for authentication coupled with different methods of configuration, it can be difficult to determine which server will be used. The uses for RADIUS servers are as follows:

  • Authenticating FortiNAC administrators.
  • Authenticating network users accessing the network through a VPN.
  • Authenticating network users who come in through the captive portal.
  • Devices that have no RADIUS servers configured in the model configuration.
  • Devices that have specific RADIUS servers configured in the model configuration.
  • SSIDs that have no RADIUS servers configured and inherit from the parent device.
  • SSIDs that have specific RADIUS servers configured.

Unless a specific RADIUS server is configured for a particular device or SSID, these options use the default primary and secondary RADIUS servers. However, if RADIUS server profiles are mapped to domains and the authenticating user's username contains a domain name prefix, then the RADIUS server mapped to the domain takes precedence. The order of precedence to determine which RADIUS server is used is as follows:

  1. If domain mappings exist and an entry matches the domain prefix contained within the user name of a connecting user, then the RADIUS server mapped to the domain is used. Multiple servers can be mapped to a single domain. If the user is not found on the first RADIUS server in the list, FortiNAC checks each server mapped to the domain in turn until the user is found.
  2. If a blank domain has been mapped and an authenticating user does not have a domain prefix in the user name, then the server or servers mapped to the blank domain are used.

    If you create a domain mapping for a RADIUS server with a blank domain name this always takes precedence over the default primary and secondary RADIUS servers because all users who do not use domain name to log in will match this mapping.

  3. If no domain mappings exist, the RADIUS server profile chosen for the originating SSID is used.
  4. If no SSID mapping exists, the RADIUS server profile chosen for the originating device is used.
  5. If no device specific server selection exists, the system-wide default primary and secondary server settings are used.

Order of precedence

When one or more RADIUS servers are used for authentication coupled with different methods of configuration, it can be difficult to determine which server will be used. The uses for RADIUS servers are as follows:

  • Authenticating FortiNAC administrators.
  • Authenticating network users accessing the network through a VPN.
  • Authenticating network users who come in through the captive portal.
  • Devices that have no RADIUS servers configured in the model configuration.
  • Devices that have specific RADIUS servers configured in the model configuration.
  • SSIDs that have no RADIUS servers configured and inherit from the parent device.
  • SSIDs that have specific RADIUS servers configured.

Unless a specific RADIUS server is configured for a particular device or SSID, these options use the default primary and secondary RADIUS servers. However, if RADIUS server profiles are mapped to domains and the authenticating user's username contains a domain name prefix, then the RADIUS server mapped to the domain takes precedence. The order of precedence to determine which RADIUS server is used is as follows:

  1. If domain mappings exist and an entry matches the domain prefix contained within the user name of a connecting user, then the RADIUS server mapped to the domain is used. Multiple servers can be mapped to a single domain. If the user is not found on the first RADIUS server in the list, FortiNAC checks each server mapped to the domain in turn until the user is found.
  2. If a blank domain has been mapped and an authenticating user does not have a domain prefix in the user name, then the server or servers mapped to the blank domain are used.

    If you create a domain mapping for a RADIUS server with a blank domain name this always takes precedence over the default primary and secondary RADIUS servers because all users who do not use domain name to log in will match this mapping.

  3. If no domain mappings exist, the RADIUS server profile chosen for the originating SSID is used.
  4. If no SSID mapping exists, the RADIUS server profile chosen for the originating device is used.
  5. If no device specific server selection exists, the system-wide default primary and secondary server settings are used.