Administration Guide

Configure Local RADIUS Server Settings

This view is used to configure FortiNAC as the 802.1x EAP termination point. The following functions can be modified:

  • RADIUS Server Service (disabled by default)
  • Authentication ports
  • TLS Protocol versions and Ciphers for EAP
  • EAP types
  • OCSP verification
  • RADIUS Attribute Groups
  • Winbind for MSCHAPv2 authentication

Note:

  • Requires Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management.
  • FortiNAC can be configured to authenticate RADIUS using either the built-in local RADIUS server, external server(s) or a combination of both. To configure FortiNAC to use an external RADIUS server, see RADIUS. To configure FortiNAC to proxy 802.1x packets to an external RADIUS server for EAP termination, see RADIUS.

Configure Local RADIUS Server

  1. Click Network > Settings > Local RADIUS Server
  2. Configure using the table below.
  3. Click Save Settings to apply.

Local RADIUS Server

Field: Enable / Disable Service
Description: Start the RADIUS server service and configure to start on boot.

Field: Service Status:
Description: Click the button to display the current status. This view can also display the RADIUS service log, the RADIUS-specific output of the FNAC server log, and the system journal. Important failure messages are tagged in red, and a filter control either shows only the lines containing a specified string (the 'Filter' button) or colors the lines containing it while keeping the surrounding context (the 'Mark' button).

  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running
  • Service Status: Displays full details of the service status.
    • Warnings such as ‘Unknown lvalue ‘xxxxxx’ in section ‘yyyyyy’’ can be ignored.
  • Service Log: Displays the RADIUS service log
  • Server Log: Displays the RADIUS specific output of the FNAC server log
  • System Journal: Displays the debug outputs related to starting and managing system services leveraged for running RADIUS.

Field: Authentication Port
Description: Configure the authentication port for the Local RADIUS Server.

Default: Disabled, 1645

Important: If external RADIUS servers are also defined, the authentication port must be set to a different value than the RADIUS proxy ports.

Field: TLS Service Configuration
Description: Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local RADIUS Server. Add or Modify using the icons.

Name: Unique name used to identify the configuration.

Certificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate Management view.

Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

Ciphers: The cipher suites the server accepts when protecting messages with TLS. At least one Cipher must be selected. A cipher must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

TLS Protocols: The TLS protocol versions the server allows. At least one TLS Protocol must be selected. A protocol version must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

Field: Supported EAP Types
Description: Allows configuration of which EAP types are enabled. The field displays the EAP Types currently enabled. Click the drill down menu to view the available types. Click on a specific type to either enable or disable:

TLS - Requires the Endpoint Trust Certificate to be installed. For installation instructions see Certificate management.

TTLS

PEAP

LEAP

MD5

GTC

MSCHAPV2

Field: Enable OCSP
Description: If enabled, EAP-TLS client certificates will have OCSP verification performed, using the URL embedded in the client certificate.

Local RADIUS Server Debugging

Enables debug output for both the RADIUS service and the RADIUS-related log messages on the FNAC server. Enabling these settings sends the logs to Service Status.

Enabling Server Debugging

  1. Select the log level from the Service Log Level drop down: None, Low, Normal, or Verbose
  2. (Optional) Enter a MAC filter into Service Debug Host MAC Filter to scope the debug output for the specified MAC addresses (comma separated)
  3. Select an option from the drop down to disable or enable FortiNAC Server Log Debug
  4. (Optional) Enter a MAC filter into Service Debug Host MAC Filter to scope the debug output for the specified MAC addresses (comma separated)
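The Service Status view's 'Filter' and 'Mark' controls and the comma-separated Service Debug Host MAC Filter described above can be modelled in a few lines. The following is an added example, not FortiNAC code: it runs over constructed log lines (not real FortiNAC output), scopes them to the requests belonging to the MAC addresses in a filter string (accepting either separator style), and then either filters lines to a search string or marks them while keeping context, tagging lines that match an assumed set of failure patterns.

```python
import re

# Constructed sample log lines in the spirit of a RADIUS service log; they are
# not real FortiNAC output. The "(n)" prefix is a per-request marker, which is
# what lets us keep every line of a scoped request together.
SAMPLE_LOG = """\
(0) Received Access-Request Id 12 from 10.0.0.5:1812 Calling-Station-Id 00-11-22-33-44-55
(0) eap_peap: Continuing EAP-TLS
(0) Sent Access-Accept Id 12 to 10.0.0.5:1812
(1) Received Access-Request Id 13 from 10.0.0.5:1812 Calling-Station-Id aa:bb:cc:dd:ee:ff
(1) ERROR: eap_tls: TLS Alert read:fatal:unknown CA
(1) Sent Access-Reject Id 13 to 10.0.0.5:1812
(2) Received Access-Request Id 14 from 10.0.0.6:1812 Calling-Station-Id 00-11-22-33-44-55
(2) mschap: FAILED: No NT-Password
""".splitlines()

MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b")
REQ_RE = re.compile(r"^\((\d+)\)")
# Assumed set of "important failure messages"; the real view's list is not documented here.
FAILURE_RE = re.compile(r"\b(?:ERROR|FAILED|Access-Reject)\b")


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_filter(text: str) -> set:
    """Parse the comma-separated filter string into a set of normalized MACs."""
    return {normalize_mac(part) for part in text.split(",") if part.strip()}


def scope_to_macs(lines, mac_filter: str):
    """Keep only lines belonging to requests from the filtered MAC addresses.

    A request is selected once one of its lines mentions a wanted MAC; its later
    lines (which usually carry no MAC) are kept through the "(n)" request id.
    An empty filter means no scoping, mirroring the optional field in the view.
    """
    wanted = parse_mac_filter(mac_filter)
    if not wanted:
        return list(lines)
    scoped_requests = set()
    kept = []
    for line in lines:
        req = REQ_RE.match(line)
        req_id = req.group(1) if req else None
        macs_here = {normalize_mac(m.group(0)) for m in MAC_RE.finditer(line)}
        if macs_here & wanted and req_id is not None:
            scoped_requests.add(req_id)
        if macs_here & wanted or req_id in scoped_requests:
            kept.append(line)
    return kept


def filter_lines(lines, needle: str):
    """'Filter' behaviour: show only lines containing the string."""
    return [line for line in lines if needle in line]


def mark_lines(lines, needle: str = ""):
    """'Mark' behaviour: keep every line, tagging matches and failures.

    Returns (line, tags) pairs; tags contain "FAIL" for failure messages and
    "MARK" for lines containing the search string.
    """
    marked = []
    for line in lines:
        tags = []
        if FAILURE_RE.search(line):
            tags.append("FAIL")
        if needle and needle in line:
            tags.append("MARK")
        marked.append((line, tags))
    return marked


if __name__ == "__main__":
    scoped = scope_to_macs(SAMPLE_LOG, "00-11-22-33-44-55")
    for line, tags in mark_lines(scoped, "Access-Accept"):
        prefix = "[" + ",".join(tags) + "] " if tags else ""
        print(prefix + line)
```

Scoping by request id rather than by a per-line MAC match is the design point: a TLS alert or an MSCHAP failure line never repeats the Calling-Station-Id, so a naive substring filter on the MAC would hide exactly the lines an operator is debugging.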

RADIUS Attribute Groups

Allows administrators to control the RADIUS attributes FortiNAC returns in an Access-Accept. Each of these can optionally be scoped so that debug output is only generated for one or more specified MAC addresses (comma separated).

Important: Inbound RADIUS requests must contain Calling-Station-Id. This attribute is required to process logical network information correctly; if Calling-Station-Id is absent from the associated request, no RADIUS attributes are returned.

Add RADIUS Attribute Group

  1. Click Add
  2. Use the filter to narrow down the list of attributes in the left pane, and select them by clicking the arrow icons to push them into the right pane.
  3. Set the value by clicking the value box on the right pane.
  4. Setting to %ACCESS_VALUE% will insert the Access Value into the attribute when returned.
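The two rules above, that %ACCESS_VALUE% is substituted when the group is returned and that nothing is returned when the request lacks Calling-Station-Id, can be shown together. The following is an added example and not FortiNAC's implementation: the host-to-logical-network and logical-network-to-access-value tables are constructed stand-ins for the model configuration, and the attributes are standard RFC 2865/2868 ones used for VLAN assignment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCESS_VALUE_TOKEN = "%ACCESS_VALUE%"


@dataclass(frozen=True)
class RadiusAttribute:
    name: str
    value: str                    # may contain %ACCESS_VALUE%
    vendor: Optional[str] = None  # set for vendor-specific attributes


@dataclass(frozen=True)
class AttributeGroup:
    name: str
    attributes: List[RadiusAttribute]


# Constructed sample data standing in for the model configuration: which logical
# network a host (by MAC) belongs to, and the access value (a VLAN ID here) that
# the device model maps each logical network to.
HOST_LOGICAL_NETWORK = {"001122334455": "Staff"}
DEFAULT_LOGICAL_NETWORK = "Guest"
MODEL_ACCESS_VALUES = {"Staff": "100", "Guest": "200"}

# A typical VLAN-assignment group. Filter-Id shows the token embedded in a
# longer string; the tunnel attributes are the RFC 2868 VLAN trio.
VLAN_GROUP = AttributeGroup("VLAN assignment", [
    RadiusAttribute("Tunnel-Type", "VLAN"),
    RadiusAttribute("Tunnel-Medium-Type", "IEEE-802"),
    RadiusAttribute("Tunnel-Private-Group-Id", ACCESS_VALUE_TOKEN),
    RadiusAttribute("Filter-Id", f"nac-{ACCESS_VALUE_TOKEN}"),
])


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def resolve_access_value(calling_station_id: str) -> str:
    """Look up the host's logical network, then the model's access value for it."""
    network = HOST_LOGICAL_NETWORK.get(normalize_mac(calling_station_id), DEFAULT_LOGICAL_NETWORK)
    return MODEL_ACCESS_VALUES[network]


def build_access_accept(request: Dict[str, str], group: AttributeGroup) -> Optional[Dict[str, str]]:
    """Render the group's attributes for an Access-Accept.

    Returns None when the request carries no Calling-Station-Id: without it the
    logical network cannot be determined, so no attributes are returned.
    """
    csid = request.get("Calling-Station-Id")
    if not csid:
        return None
    access_value = resolve_access_value(csid)
    rendered = {}
    for attr in group.attributes:
        key = f"{attr.vendor}:{attr.name}" if attr.vendor else attr.name
        rendered[key] = attr.value.replace(ACCESS_VALUE_TOKEN, access_value)
    return rendered


if __name__ == "__main__":
    request = {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55"}
    print(build_access_accept(request, VLAN_GROUP))
    print(build_access_accept({"User-Name": "alice"}, VLAN_GROUP))
```

Returning None rather than an empty dictionary keeps the two outcomes distinguishable in logs: a group that legitimately renders to nothing versus a request that was missing the attribute the switch or controller should have sent.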

If the attribute required does not exist in FortiNAC’s database, it can be added.

Add RADIUS Attribute

  1. Click Add
  2. Define the following:
    Name
    Type: Select the appropriate option from the drill-down list.
    Value
    Vendor
    Vendor ID
    Format
    Has Tag:
    Encryption method: Select the appropriate option from the drill-down list.
  3. Click OK to save.
  4. To modify an attribute added, click Modify.
    Note: Pre-loaded attributes may not be edited.
  5. To delete an attribute, select Delete.

Once RADIUS Attribute Groups are defined, select the groups to be used for each device within its Model or Global Model Configuration view. See Model configuration for additional information.

Local Winbind Configuration

Winbind is used to provide MSCHAPv2 authentication only. If using a different scheme, such as EAP-TTLS/PAP or EAP-TLS, configuration is not required.

Field: Enable / Disable Service
Description: Start the Winbind service and configure to start on boot.
Note: FortiNAC must be joined to the domain before starting the Winbind service.

Field: Service Status
Description:

  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot
  • Running Status: Displays
    • Running if the service is running
    • Stopped if the service is not running
  • Winbind Domain: Displays
    • Not Joined if FortiNAC is not joined to any Active Directory through winbind
    • Joined if FortiNAC is joined to the domain
  • Domain Information: Displays the detailed information of the joined status of FortiNAC.
    • This information may still show the previous join information if FortiNAC is no longer joined to the domain. In this case, the Winbind Domain will display “Not Joined” and the “Last Machine account password changed” date will show 1969 or 1970.
  • Service Status: Displays full details of the service status.
    • Warnings such as ‘Unknown value ‘xxxxxx’ in section ‘yyyyyy’’ can be ignored.

Field: Domain Controller Hostname
Description: The name or address of the Active Directory domain controller used for authentication.
Example: “dc01.example.com”

Field: Local NetBIOS Name
Description: NetBIOS name by which the FortiNAC Samba server is known. For High Availability configurations, this is the primary FortiNAC Samba server.

Example: FortiNAC FQDN = hostname.corp.example.com, Local NetBIOS Name = "HOSTNAME". Note: the maximum length for a NetBIOS name is 15 characters.

Field: Domain NetBIOS Name
Description: NetBIOS name of your domain. As the examples show, this is the first (leftmost) label of the DNS domain name.
Examples:
Domain Controller Hostname = dc01.example.com, Domain NetBIOS Name = "EXAMPLE"
Domain Controller Hostname = dc01.corp.example.com, Domain NetBIOS Name = "CORP"

Field: Kerberos Realm Name
Description: The DNS-style domain name.
Example: “example.com”
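The Local NetBIOS Name, Domain NetBIOS Name and Kerberos Realm Name fields are all derived from the FortiNAC FQDN and the domain controller hostname, and the 15-character NetBIOS limit is the check most often missed. The following added example (not FortiNAC code) derives the three values following the page's examples; it assumes the realm is the domain controller's DNS domain written as the page writes it (lowercase "example.com"), and it rejects a host label longer than 15 characters.

```python
from dataclasses import dataclass

NETBIOS_MAX_LEN = 15  # limit stated for NetBIOS names


@dataclass(frozen=True)
class WinbindNames:
    domain_controller: str
    local_netbios_name: str
    domain_netbios_name: str
    kerberos_realm: str


def dns_domain(hostname: str) -> str:
    """Return the DNS domain of a host (everything after the first label)."""
    labels = hostname.strip(".").split(".")
    if len(labels) < 3 or not all(labels):
        raise ValueError(f"{hostname!r} must be a host inside a DNS domain (host.domain.tld)")
    return ".".join(labels[1:])


def local_netbios_name(fortinac_fqdn: str) -> str:
    """Host part of the FortiNAC FQDN, uppercased, e.g. hostname.corp.example.com -> HOSTNAME."""
    host = fortinac_fqdn.strip(".").split(".")[0].upper()
    if not host:
        raise ValueError(f"no host label in {fortinac_fqdn!r}")
    if len(host) > NETBIOS_MAX_LEN:
        raise ValueError(
            f"{host!r} is {len(host)} characters; NetBIOS names are limited to {NETBIOS_MAX_LEN}"
        )
    return host


def domain_netbios_name(dc_hostname: str) -> str:
    """First label of the DC's DNS domain, uppercased, e.g. dc01.corp.example.com -> CORP."""
    return dns_domain(dc_hostname).split(".")[0].upper()


def kerberos_realm(dc_hostname: str) -> str:
    """Assumption: the realm is the DC's DNS domain, e.g. dc01.example.com -> example.com."""
    return dns_domain(dc_hostname)


def winbind_names(fortinac_fqdn: str, dc_hostname: str) -> WinbindNames:
    """Derive all three Winbind naming fields from the two hostnames."""
    return WinbindNames(
        domain_controller=dc_hostname,
        local_netbios_name=local_netbios_name(fortinac_fqdn),
        domain_netbios_name=domain_netbios_name(dc_hostname),
        kerberos_realm=kerberos_realm(dc_hostname),
    )


if __name__ == "__main__":
    print(winbind_names("hostname.corp.example.com", "dc01.corp.example.com"))
    try:
        winbind_names("fortinac-primary-01.corp.example.com", "dc01.corp.example.com")
    except ValueError as err:
        print("rejected:", err)
```

Validating the NetBIOS length before the join is worthwhile because a 19-character hostname such as the constructed "fortinac-primary-01" is a perfectly valid DNS label and only fails once Samba tries to register it.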

Field: Log Level
Description: The log level for the Winbind service. Recommended value is “none”.

Field: Join Domain
Description: In order for Winbind authentication to work, FortiNAC must be joined to the domain. Configure the credentials for the account FortiNAC will use to join.

Username: User name FortiNAC uses to join the domain. Examples: trusted_user or trusted_user@example.com
Password: Password FortiNAC uses to join the domain
