This view is used to configure FortiNAC as the 802.1x EAP termination point. The following functions can be modified:
- RADIUS Server Service (disabled by default)
- Authentication ports
- TLS Protocol versions and Ciphers for EAP
- EAP types
- OCSP verification
- RADIUS Attribute Groups
- Winbind for MSCHAPv2 authentication
- RADIUS Service Status
- RADIUS Debug and Troubleshooting
- Requires Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management.
- FortiNAC can be configured to authenticate RADIUS using either the built-in local RADIUS server, external server(s) or a combination of both. To configure FortiNAC to use an external RADIUS server, see RADIUS. To configure FortiNAC to proxy 802.1x packets to an external RADIUS server for EAP termination, see RADIUS.
- Multiple server configurations are supported.
- Click Network > RADIUS > Local Service
- Configure using the table below.
- Click OK to apply.
The main view displays the current server status.

| Field | Description |
|---|---|
| Toggle Service Status | Enable/Disable processing of local RADIUS requests. |
| Details & Logs | Displays the RADIUS service log, the RADIUS-specific output of the FNAC server log, and the system journal. The view tags important failure messages in red and includes a filter control that can either show only lines containing the specified string (the Filter button) or color lines containing the specified string (the Mark button) to keep context. For more information, see Service Status. |
| Authentication Port | Configure the authentication port for the Local RADIUS Server. Default: Disabled, 1645. Important: If external RADIUS servers are also defined, the authentication port must be set to a different value than the RADIUS proxy ports. |
| Debug & Troubleshooting | Show/hide controls for enabling RADIUS debug. RADIUS service debug and FNAC server debug can be enabled independently. The former is a good starting place for authentication and service startup failures. The latter is useful when authentication succeeds up to the post-auth phase, where FNAC does post-auth processing, and can diagnose why FNAC returns a deny, an incorrect VLAN or filter ID, or wrong/missing response value data (for instance when a device does not have local RADIUS enabled, the port is not in the Role-Based Access port group, etc.). Both logs can show both the request attributes and the response attributes for a request. Both MAC filter fields restrict the debug output to the specified host MAC addresses, which helps filter out other requests when troubleshooting on a production system that is actively processing other requests. |
| Field | Description |
|---|---|
| Name | Unique name used to identify the configuration. |
| TLS Service Configuration | Select the TLS Service Configuration to use. |
| Supported EAP Types | Allows configuration of which EAP types are enabled. The field displays the EAP types currently enabled. Click the drill-down menu to view the available types, then click a specific type to enable or disable it. |
| Winbind Domain(s) | For MSCHAPv2 authentication, specify the winbind instances for the allowed Active Directory server(s), or 'Allow Any' for authentication using any defined servers. Manage winbind instances in the Winbind tab. For more details on configuring winbinds, see Local Winbind Configuration. |
| OCSP Verification | If enabled, EAP-TLS client certificates have OCSP verification performed using the URL embedded in the client certificate. |
Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local RADIUS Server. To add or modify a configuration, select a server and click TLS Details.
Name: Unique name used to identify the configuration.
Certificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate management view.
Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.
Ciphers: The Cipher Suite to use when encoding messages using TLS. At least one Cipher must be selected. Ciphers must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.
TLS Protocols: The list of TLS Protocols allowed by the server. At least one TLS Protocol must be selected. TLS Protocols must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.
Selecting Service Status opens a panel that exposes the RADIUS service and FNAC server logs (the most recent 3000 lines), the latter scoped to only local RADIUS debug output. The logs display with special formatting to highlight important information and common failures which, in many cases, include a tooltip with additional information suggesting the likely cause of the problem.
- Service Status: Shows additional details of the state of the RADIUS service beyond the status field in the main view.
- Service Log: Shows the debug information for the RADIUS service. The place to start when authentication is not working as expected.
  Note: In most cases, the 'Service Log Level' should be set to Normal for the best troubleshooting information.
- Server Log: FNAC server log (local RADIUS output only). Useful to debug post-auth related problems such as incorrect or missing response values, or a post-auth Deny being returned unexpectedly.
- Systemd Journal: OS journal output that shows helpful information when the service will not start for some reason (missing / corrupt configuration files, certificates, etc.).
Logs can be filtered using the controls at the top of the view.
- Filter Button: Shows only lines containing the filter string
- Mark Button: Shows the full log output but highlights lines containing the filter string in blue for context. This can be used multiple times to highlight additional strings
- Clear Button: Resets the filter
- Previous/Next Buttons: Will auto scroll and select matches for the specified filter string
- Show Flagged Errors Only: Shows only lines that have been flagged in red as a common problem.
Allows administrators to control the RADIUS attributes FortiNAC returns in an Access-Accept. Each of these can optionally be scoped so that debug output is only generated for one or more specified MAC addresses (comma separated).
Important: Inbound RADIUS requests must contain Calling-Station-Id. This attribute is required in order to properly process logical network information. RADIUS attributes will not be returned if Calling-Station-Id is not in the associated request.
Add RADIUS Attribute Group
- Click Add
- Use the filter to narrow down the list of attributes in the left pane, and select them by clicking the arrow icons to push them into the right pane.
- Set the value by clicking the value box on the right pane.
  - Setting the value to %ACCESS_VALUE% will insert the Access Value into the attribute when it is returned.
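The Calling-Station-Id requirement and the %ACCESS_VALUE% substitution described above, modelled as an added Python example (not FortiNAC's own code): it encodes and decodes RFC 2865 attribute TLVs, returns no group attributes when the request carries no Calling-Station-Id, and fills the placeholder with an assumed access value such as a VLAN ID. The attribute group, the host MAC and the access value are constructed for the example.

```python
import struct

# RADIUS attribute type numbers used below (RFC 2865 / RFC 2868).
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
ACCESS_VALUE_PLACEHOLDER = "%ACCESS_VALUE%"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for atype, value in attrs:
        data = value if isinstance(value, bytes) else str(value).encode()
        if not 0 <= atype <= 255 or len(data) > 253:
            raise ValueError("attribute type or value out of range")
        out += struct.pack("!BB", atype, len(data) + 2) + data
    return bytes(out)


def decode_attrs(blob):
    """Decode a TLV blob into (type, value bytes) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[pos:pos + 2])
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def render_group(group, request_attrs, access_value):
    """Attributes for the Access-Accept: [] without Calling-Station-Id (no host identity,
    so no logical network lookup), else each template with %ACCESS_VALUE% substituted."""
    if not any(atype == ATTR_CALLING_STATION_ID for atype, _ in request_attrs):
        return []
    return [(atype, tmpl.replace(ACCESS_VALUE_PLACEHOLDER, str(access_value)))
            for atype, tmpl in group]


# Constructed attribute group (string-typed attributes only, so plain TLV encoding is valid).
VLAN_GROUP = [
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, ACCESS_VALUE_PLACEHOLDER),  # VLAN assigned to the host
    (ATTR_FILTER_ID, "nac-%ACCESS_VALUE%"),                     # ACL name derived from it
]
```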
If the attribute required does not exist in FortiNAC’s database, it can be added.
Add RADIUS Attribute
- Click Add
- Define the following:
  - Type: Select the appropriate option from the drill-down list.
  - Encryption method: Select the appropriate option from the drill-down list.
- Click OK to save.
- To modify an attribute that has been added, click Modify.
  Note: Pre-loaded attributes may not be edited.
- To delete an attribute, select Delete.
Once RADIUS Attribute Groups are defined, select the groups to be used for each device within its Model or Global Model Configuration view. See Model configuration for additional information.