Administration Guide

RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization and accounting (AAA) management for people or computers that connect to and use a network service.

A RADIUS server enables external authentication for users connected to FortiNAC-managed network devices. This type of server is commonly used in wireless environments, but is also used in wired environments that support 802.1x authentication.

FortiNAC uses RADIUS authentication for several purposes including:

  • Authenticating users attaching to managed network devices using 802.1x.
  • Authenticating VPN users.
  • Authenticating users accessing FortiNAC's own captive portal process.
  • Authenticating administrators logging onto the FortiNAC system.

As of version 8.8, FortiNAC can process RADIUS authentication using external RADIUS server(s), the built-in Local RADIUS Server, or a combination of both. Two RADIUS Authentication modes determine how RADIUS requests are processed; the mode is configured in FortiNAC on a per-device basis.

Proxy RADIUS Authentication Mode

Enabled by default.

Authentication: FortiNAC processes RADIUS MAC (MAC address) authentication itself, but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

Accounting: FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

FortiNAC works with the common RADIUS server products, including FreeRADIUS, Steel Belted RADIUS, Microsoft IAS, Cisco ACS, and RADIATOR. To support these uses, RADIUS server profiles must be created in FortiNAC; a profile can then be assigned as the authentication method for the FortiNAC system as a whole or for a specific device.

You can create an unlimited number of RADIUS server profiles. Several configuration options are available:

  • System-wide: Default primary and secondary profiles assigned at the system level are used for both captive portal and administrator authentication.
  • In an 802.1x environment:
    • Profiles can be assigned for each individual device.
    • Profiles can be assigned for individual SSIDs.
    • Profiles can be mapped to domains, based on the domain name prefix in the user name of the user logging onto the network.
    • Profiles can be mapped to a blank domain, which covers any authenticating user whose user name has no domain name prefix.
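Proxy mode means FortiNAC sits between the network device and the external RADIUS server with a different shared secret on each hop, and a RADIUS proxy cannot simply relay bytes: User-Password is obfuscated against the shared secret and Request Authenticator of each hop (RFC 2865 section 5.2), and Message-Authenticator (RFC 2869 section 5.14) is an HMAC-MD5 under the same per-hop secret. The following Python script is an added example, not Fortinet documentation or FortiNAC code, that builds a RADIUS MAC-authentication Access-Request the way a network device would, then performs the re-keying a proxy has to do before forwarding it upstream. The secrets, MAC address, identifier and fixed authenticators are constructed values; real senders draw each Request Authenticator from os.urandom(16).

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request
    Authenticator. Each hop with its own secret must redo this."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, authenticator, attrs):
    """Serialise an Access-Request. Message-Authenticator goes last and is
    HMAC-MD5(secret, packet with that value zeroed), per RFC 2869 5.14."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    pkt += authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_attributes(pkt):
    """Return [(type, value)] from the attribute section, rejecting bad lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the attribute value zeroed; constant-time compare.
    A request without the attribute is treated as unauthenticated."""
    pos = HEADER_LEN
    for t, v in parse_attributes(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += 2 + len(v)
    return False


def proxy_rewrite(pkt, secret_in, secret_out, new_auth=None):
    """Per forwarded Access-Request a proxy must: check the inbound
    Message-Authenticator, recover User-Password under the NAS-side secret,
    re-encode it under the upstream secret with a fresh Request Authenticator,
    and re-sign. The NAS never needs to know the upstream secret."""
    if not verify_message_authenticator(pkt, secret_in):
        raise ValueError("Message-Authenticator check failed; dropping request")
    auth_in = pkt[4:HEADER_LEN]
    new_auth = new_auth or os.urandom(16)
    attrs = []
    for t, v in parse_attributes(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            continue  # recomputed under secret_out by build_access_request
        if t == ATTR_USER_PASSWORD:
            v = encode_user_password(decode_user_password(v, secret_in, auth_in), secret_out, new_auth)
        attrs.append((t, v))
    return build_access_request(pkt[1], secret_out, new_auth, attrs), new_auth


# Constructed demo values (not from any real deployment).
NAS_SECRET = b"nas-side-shared-secret"
UPSTREAM_SECRET = b"upstream-server-secret"
NAS_AUTH = bytes(range(16))
PROXY_AUTH = bytes(range(16, 32))
MAC = b"00-11-22-33-44-55"  # MAC auth: User-Name and User-Password are both the MAC


def nas_request():
    attrs = [(ATTR_USER_NAME, MAC),
             (ATTR_USER_PASSWORD, encode_user_password(MAC, NAS_SECRET, NAS_AUTH)),
             (ATTR_CALLING_STATION_ID, MAC)]
    return build_access_request(7, NAS_SECRET, NAS_AUTH, attrs)


def upstream_recovers_password():
    """End to end: NAS -> proxy re-key -> upstream decodes with its own secret."""
    fwd, fwd_auth = proxy_rewrite(nas_request(), NAS_SECRET, UPSTREAM_SECRET, new_auth=PROXY_AUTH)
    assert verify_message_authenticator(fwd, UPSTREAM_SECRET)
    pw = dict(parse_attributes(fwd))[ATTR_USER_PASSWORD]
    return decode_user_password(pw, UPSTREAM_SECRET, fwd_auth)


if __name__ == "__main__":
    print(upstream_recovers_password())  # b'00-11-22-33-44-55'
```

Two things worth noting when reading this against the proxy mode above: the proxy necessarily sees the cleartext credential between decode and re-encode, which is why the secret on each hop (and the choice of an EAP method that tunnels the real password) matters; and a request whose Message-Authenticator fails under the NAS-side secret is dropped rather than forwarded. FortiNAC's own proxy implementation is not shown here; the script models only what the RFCs require of any proxy.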

Local RADIUS Authentication Mode

Introduced in FortiNAC 8.8 and disabled by default.

Authentication: FortiNAC's Local RADIUS Server processes both RADIUS MAC and 802.1x EAP authentication itself, without proxying to an external RADIUS server.

Accounting: The Local RADIUS Server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy accounting traffic to an external RADIUS server.

Supported 802.1x EAP modes:

  • TTLS/PAP
  • TTLS/MSCHAPv2
  • PEAP/MSCHAPv2
  • TLS

In the TTLS and PEAP modes the inner credential (the PAP password or the MSCHAPv2 exchange) is protected only by the outer TLS tunnel, so supplicants must be configured to validate the Local RADIUS Server's certificate rather than accept any server; EAP-TLS authenticates the client with a certificate instead of a password.

For more information, see Local RADIUS Server.