Administration Guide

Local RADIUS Server

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization and accounting (AAA) for users or devices that connect to and use a network service.

A RADIUS server enables external authentication for users connected to FortiNAC-managed network devices. This type of server is most often used in wireless environments, but it is also used in wired environments that support 802.1x authentication.

FortiNAC uses RADIUS authentication for several purposes including:

  • Authenticating users attaching to managed network devices using 802.1x.
  • Authenticating VPN users.
  • Authenticating users accessing FortiNAC's own captive portal process.
  • Authenticating administrators logging onto the FortiNAC system.

As of version 8.8, FortiNAC can process RADIUS authentication using external RADIUS server(s), the built-in Local RADIUS Server, or a combination of both. Two RADIUS Authentication modes determine how RADIUS requests are processed; the mode is configured in FortiNAC on a per-device basis, so different switches and controllers can use different modes.

Proxy RADIUS Authentication Mode

Enabled by default.

Authentication: FortiNAC processes RADIUS MAC authentication (MAC Authentication Bypass, where the device MAC address is presented as the user name and password) itself, but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

Accounting: FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

For more information, see RADIUS.

Local RADIUS Authentication Mode

Introduced in FortiNAC 8.8 and disabled by default.

Authentication: FortiNAC's Local RADIUS Server processes both RADIUS MAC and 802.1x EAP authentication itself, without proxying to an external RADIUS server.

Accounting: The Local RADIUS Server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server; in that case the external server still needs the shared secret and must be reachable from FortiNAC, even though it plays no part in authentication.
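Both modes above have FortiNAC itself answer RADIUS MAC requests, so it is worth seeing exactly what such a request looks like on the wire and what the shared secret protects. The following is an added example, not code from FortiNAC or Fortinet documentation: a minimal RFC 2865 exchange in which a switch (the NAS) sends an Access-Request with the endpoint MAC as User-Name and User-Password, the server recovers the PAP-hidden password and replies with Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the reply. The shared secret, MAC address, MAC formatting (hyphen-separated) and NAS address are constructed for the example; real switches use vendor-specific MAC formats and attribute sets.

```python
"""Minimal RADIUS (RFC 2865) PAP exchange for MAC authentication (MAB).

Stdlib only. All values below are constructed for this example; the shared
secret is an assumption and is not a FortiNAC default."""
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"example-shared-secret"        # assumption: shared secret between NAS and server
MAC = b"00-11-22-33-44-55"               # constructed endpoint MAC, hyphen format assumed
NAS_IP = bytes([10, 0, 0, 2])            # constructed NAS-IP-Address


def encode_attrs(attrs):
    """Encode [(type, value), ...] as RADIUS TLVs: type, length (incl. header), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password: same keystream, chained on the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_build_mab_request(mac, secret, ident=1):
    """What a switch sends for RADIUS MAC auth: User-Name and User-Password are the MAC."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, mac),
             (USER_PASSWORD, hide_password(mac, request_auth, secret)),
             (NAS_IP_ADDRESS, NAS_IP)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(pkt, secret, known_macs):
    """Server side: recover the password, decide, and sign the reply with the secret."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"")
    password = reveal_password(a.get(USER_PASSWORD, b""), request_auth, secret)
    ok = code == ACCESS_REQUEST and user in known_macs and password == user
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, [], secret)
    return build_packet(reply_code, ident, auth, [])


def nas_verify_reply(reply, request_auth, secret):
    """NAS side: returns (authenticator_ok, code); only trust code if the first is True."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return auth == expected, code


def run_exchange(mac=MAC, secret=SECRET, known=(MAC,), tamper=False):
    req, request_auth = nas_build_mab_request(mac, secret)
    reply = server_handle(req, secret, set(known))
    if tamper:  # on-path attacker flips Reject to Accept without knowing the secret
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    return nas_verify_reply(reply, request_auth, secret)


if __name__ == "__main__":
    print("known MAC:", run_exchange())
    print("unknown MAC:", run_exchange(mac=b"aa-bb-cc-dd-ee-ff"))
    print("forged Accept:", run_exchange(mac=b"aa-bb-cc-dd-ee-ff", tamper=True))
```

The forged-Accept case is why the shared secret matters even for MAC authentication: an attacker who can inject packets between the switch and FortiNAC cannot produce a valid Response Authenticator without it. Note that this is the PAP/MAB path only; 802.1x EAP requests additionally carry EAP-Message and Message-Authenticator attributes (RFC 3579), and MD5-based RADIUS integrity is weak enough that the RADIUS traffic between NAS and server should itself run over a trusted management network.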

EAP

  • Requires a Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management. This certificate is what the supplicant uses to establish the TLS tunnel that protects the inner credentials, so supplicants should be configured to validate it (and the CA that issued it) rather than accept any server certificate.
  • Supported 802.1x EAP methods:
    • TTLS/PAP: Handles authentication requests through
      • LDAP servers defined in FortiNAC
      • RADIUS servers defined in FortiNAC
      • Local Users (including guests) in the FortiNAC database
      The inner PAP exchange carries the password in cleartext inside the TLS tunnel, which is what allows it to be checked against any of the above backends.
    • TTLS/MSCHAPv2: Authenticates AD Users only
      • FortiNAC must join the domain
      • Limited to one domain
    • PEAP/MSCHAPv2: Authenticates AD Users only
      • FortiNAC must join the domain
      • Limited to one domain
    • TLS: Authenticates the user identified by the UserPrincipalName (UPN) in the Subject Alternative Name (SAN) of the client certificate
      • Requires the Endpoint Trust Certificate (the CA that issued the client certificates) to be installed so FortiNAC can validate the client-side certificate. For installation instructions see Certificate management.

There are several configuration options available:

  • Ability to define the authentication port used.
  • Ability to define the TLS protocol versions and cipher suites accepted for EAP.
  • Ability to control which EAP types are enabled.
  • OCSP verification can be enabled for EAP-TLS client certificates, so that a revoked certificate is rejected even though it still chains to the Endpoint Trust Certificate.
  • RADIUS Attribute Groups can be configured to control the RADIUS attributes FortiNAC returns in an Access-Accept. See RADIUS Attribute Groups for details.
  • Winbind can be configured to provide MSCHAPv2 authentication against the joined Active Directory domain.

The above functionality is configured in the Local RADIUS Server settings view.

For more information on 802.1x network configuration requirements, see 802.1x environments.