Fortinet Document Library

Administration Guide

Configure Local RADIUS Server Settings

This view is used to configure FortiNAC as the 802.1x EAP termination point. The following functions can be modified:

  • RADIUS Server Service (disabled by default)
  • Authentication ports
  • TLS Protocol versions and Ciphers for EAP
  • EAP types
  • OCSP verification
  • RADIUS Attribute Groups
  • Winbind for MSCHAPv2 authentication

Note:

  • Requires Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management.
  • FortiNAC can be configured to authenticate RADIUS using either the built-in local RADIUS server, external server(s) or a combination of both. To configure FortiNAC to use an external RADIUS server, see RADIUS. To configure FortiNAC to proxy 802.1x packets to an external RADIUS server for EAP termination, see RADIUS.

Configure Local RADIUS Server

  1. Click System > Settings.
  2. Expand the Authentication folder and click Local RADIUS Server. The Local RADIUS Server window displays.
  3. Configure using the table below.
  4. Click Save Settings to apply.

Local RADIUS Server

Field: Enable / Disable Service
Description: Start the RADIUS server service and configure to start on boot.

Field: Service Status
Description: Click button to display current status:

  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running
  • Service Status: Displays full details of the service status.
    • Warnings such as “Unknown lvalue ‘xxxxxx’ in section ‘yyyyyy’” can be ignored.

Field: Authentication Port
Description: Configure the authentication port for the Local RADIUS Server.

Default: Disabled, 1645

Important: If external RADIUS servers are also defined, the authentication port must be set to a different value than the RADIUS proxy ports.

Field: TLS Service Configuration
Description: Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local RADIUS Server. Add or Modify using the icons.

Name: Unique name used to identify the configuration.

Certificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate Management view.

Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

Ciphers: The Cipher Suite to use when encoding messages using TLS. At least one Cipher must be selected. Ciphers must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

TLS Protocols: The list of TLS Protocols the server will allow. At least one TLS Protocol must be selected. TLS Protocols must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

Field: Supported EAP Types
Description: Allows configuration of which EAP types are enabled. The field displays the EAP Types currently enabled. Click the drill down menu to view the available types. Click on a specific type to either enable or disable:

  • TLS - Requires the Endpoint Trust Certificate to be installed. For installation instructions see Certificate management.
  • TTLS
  • PEAP
  • LEAP
  • MD5
  • GTC
  • MSCHAPV2

Field: Enable OCSP
Description: If enabled, EAP-TLS client certificates will have OCSP verification performed, using the URL embedded in the client certificate.

RADIUS Attribute Groups

Allows administrators to control the RADIUS attributes FortiNAC returns in an Access-Accept.

Add RADIUS Attribute Group

  1. Click Add
  2. Use the filter to narrow down the list of attributes in the left pane, and select them by clicking the arrow icons to push them into the right pane.
  3. Set the value by clicking the value box on the right pane.
  4. Setting to %ACCESS_VALUE% will insert the Access Value into the attribute when returned.

If the attribute required does not exist in FortiNAC’s database, it can be added.

Add RADIUS Attribute

  1. Click Add
  2. Define the following:
    Name
    Type: Select the appropriate option from the drill-down list.
    Value
    Vendor
    Vendor ID
    Format
    Has Tag:
    Encryption method: Select the appropriate option from the drill-down list.
  3. Click OK to save.
  4. To modify an attribute added, click Modify.
    Note: Pre-loaded attributes may not be edited.
  5. To delete an attribute, select Delete.

Once RADIUS Attribute Groups are defined, select the groups to be used for each device within its Model or Global Model Configuration view. See Model configuration for additional information.
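As an added illustration (not FortiNAC code), the Python below renders a constructed attribute group of the kind built in the steps above into the attributes of an Access-Accept: it substitutes %ACCESS_VALUE%, honours the Format and Has Tag fields on the wire, and enforces the RADIUS per-attribute length limit. The group contents are assumed; the attribute numbers are the standard RFC 2865/2868 ones.

```python
import struct

# Constructed attribute group modelled on the Add RADIUS Attribute Group steps.
# The %ACCESS_VALUE% placeholder is filled in when the Access-Accept is built.
ACCESS_VALUE_TOKEN = "%ACCESS_VALUE%"

# Each entry: (attribute type, format, has_tag, value)
ATTRIBUTE_GROUP = [
    (64, "integer", True, 13),                 # Tunnel-Type = VLAN
    (65, "integer", True, 6),                  # Tunnel-Medium-Type = IEEE-802
    (81, "string", True, ACCESS_VALUE_TOKEN),  # Tunnel-Private-Group-Id = access value
    (18, "string", False, "Welcome"),          # Reply-Message, untagged
]

def resolve(value, access_value):
    """Substitute the %ACCESS_VALUE% token, leaving other values untouched."""
    if isinstance(value, str) and ACCESS_VALUE_TOKEN in value:
        return value.replace(ACCESS_VALUE_TOKEN, str(access_value))
    return value

def encode_avp(attr_type, fmt, has_tag, value, tag=1):
    """Encode one RADIUS attribute-value pair: Type | Length | [Tag] | Value."""
    if fmt == "integer":
        body = struct.pack(">I", int(value))
        if has_tag:
            # Tagged integers carry the tag in the top octet (RFC 2868 section 3.1)
            body = bytes([tag]) + body[1:]
    elif fmt == "string":
        body = str(value).encode()
        if has_tag:
            body = bytes([tag]) + body
    else:
        raise ValueError(f"unsupported format {fmt!r}")
    if len(body) > 253:
        raise ValueError("attribute value exceeds the RADIUS 253-octet limit")
    return bytes([attr_type, len(body) + 2]) + body

def build_access_accept_attrs(group, access_value):
    """Render an attribute group into wire-format AVPs for an Access-Accept."""
    return b"".join(encode_avp(t, f, tagged, resolve(v, access_value))
                    for t, f, tagged, v in group)

def decode_avps(raw):
    """Walk Type/Length/Value triples back into (type, raw value) pairs."""
    out, i = [], 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        out.append((attr_type, raw[i + 2:i + length]))
        i += length
    return out
```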

Local Winbind Configuration

Winbind is used to provide MSCHAPv2 authentication only. If using a different scheme, such as EAP-TTLS/PAP or EAP-TLS, configuration is not required.

Field: Enable / Disable Service
Description: Start the Winbind service and configure to start on boot.

Field: Service Status
Description:

  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running
  • Winbind Domain: Displays
    • Not Joined if FortiNAC is not joined to any Active Directory through winbind
    • Joined if FortiNAC is joined to the domain
  • Domain Information: Displays the detailed information of the joined status of FortiNAC.
    • This information may still show the previous join information if FortiNAC is no longer joined to the domain. In this case, the Winbind Domain will display “Not Joined” and the “Last Machine account password changed” date will show 1969 or 1970.
  • Service Status: Displays full details of the service status.
    • Warnings such as “Unknown value ‘xxxxxx’ in section ‘yyyyyy’” can be ignored.

Field: Domain NetBIOS Name
Description: NetBIOS name of your domain. Example: “EXAMPLE”

Field: Kerberos Realm Name
Description: The DNS-style domain name. Example: “example.com”

Field: Domain Controller Hostname
Description: The name or address of the Active Directory domain controller to use to authenticate. Example: “dc01.example.com”

Field: Log Level
Description: The log level for the Winbind service. Recommended value is “none”.

Field: Join Domain
Description: In order for Winbind authentication to work, FortiNAC must be joined to the domain. Configure the credentials for the account FortiNAC will use to join.

Username: User name FortiNAC uses to join the domain. Examples: trusted_user or trusted_user@example.com
Password: Password FortiNAC uses to join the domain
