Fortinet Document Library

Administration Guide

Configure Local RADIUS Server Settings

This view is used to configure FortiNAC as the 802.1x EAP termination point. The following functions can be modified:

  • RADIUS Server Service (disabled by default)
  • Authentication ports
  • TLS Protocol versions and Ciphers for EAP
  • EAP types
  • OCSP verification
  • RADIUS Attribute Groups
  • Winbind for MSCHAPv2 authentication
  • RADIUS Service Status
  • RADIUS Debug and Troubleshooting

Note:

  • Requires Server Certificate to be installed for EAP authentication. For installation instructions see Certificate management.
  • FortiNAC can be configured to authenticate RADIUS using either the built-in local RADIUS server, external server(s) or a combination of both. To configure FortiNAC to use an external RADIUS server, see RADIUS. To configure FortiNAC to proxy 802.1x packets to an external RADIUS server for EAP termination, see RADIUS.
  • Multiple server configurations are supported.

Configure Local RADIUS Server

  1. Click Network > RADIUS > Local Service.
  2. Configure using the table below.
  3. Click OK to apply.

Local RADIUS Server

Main Local Service View

Field | Description

Service Info

Status

Displays the current server status.

  • Enabled Status: Displays
    • Enabled if the service is configured to run on boot.
    • Disabled if the service is not configured to run on boot.
  • Running Status: Displays
    • Running if the service is running.
    • Stopped if the service is not running.

Toggle Service Status

Enable/Disable processing of local RADIUS requests.

Details & Logs

Displays the RADIUS service log, the RADIUS-specific output of the FNAC server log, and the system journal. The view tags important failure messages in red and includes a filter control that can either show only lines containing the specified string (the 'Filter' button) or color lines containing the specified string (the 'Mark' button) to keep context. For more information, see Service Status.

General Settings

Authentication Port

Configure the authentication port for the Local RADIUS Server.

Default: Disabled, 1645

Important: If external RADIUS servers are also defined, the authentication port must be set to a different value than the RADIUS proxy ports.

Debug & Troubleshooting

Show/hide controls for enabling RADIUS debug. Both RADIUS service and FNAC server debug can be enabled independently. The former is a good starting place for authentication and service startup failures. The latter is useful when authentication succeeds up to the post-auth phase where FNAC does post-auth processing and can diagnose why FNAC returns a deny, incorrect VLAN or filter ID, or wrong/missing response value data (for instance when a device does not have local RADIUS enabled, the port is not in the Role-Based Access port group, etc).

  • Service Log Level: Enables RADIUS service debug. Debug outputs will be displayed in Service Status > Server Log.

    • Service Debug Host MAC Filter (Optional): Scope service debug information to one or more (comma separated) host MAC addresses.

  • FortiNAC Server Log Debug: Enables FortiNAC server debug related to local RADIUS access processing. Debug outputs will be displayed in Service Status > Server Log.

    • Include Network Access Policy Debug: Include policy lookup debug to troubleshoot problems matching the proper network access policy. For other post-auth issues, leaving this disabled is recommended for better readability.

    • Service Debug Host MAC Filter (Optional): Scope service debug information to one or more (comma separated) host MAC addresses.

Both logs can show the request attributes and the response attributes for a request.

Both MAC filter fields allow the debug to be output only for the specified host MAC addresses. This can be helpful to filter out other requests if troubleshooting is occurring on a production system that is actively processing other requests.

Individual Server Settings

 

Field

Description

Name

Unique name used to identify the configuration

TLS Service Configuration

Select the TLS Service Configuration to use

Supported EAP Types

Allows configuration of which EAP types are enabled. The field displays the EAP Types currently enabled. Click the drill-down menu to view the available types. Click on a specific type to either enable or disable it:

  • TLS - Requires the Endpoint Trust Certificate to be installed. For installation instructions see Certificate management.
  • TTLS
  • PEAP
  • LEAP
  • MD5
  • GTC
  • MSCHAPV2

Winbind Domain(s)

For MSCHAPv2 authentication, specify the winbind instances for the allowed Active Directory server(s), or 'Allow Any' for authentication using any defined servers. Manage winbind instances in the Winbind tab. For more details on configuring winbinds see Local Winbind Configuration.

Enable OCSP

If enabled, EAP-TLS client certificates will have OCSP verification performed, using the URL embedded in the client certificate.

TLS Service Configuration Settings

Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local RADIUS Server. Add or modify a configuration by selecting a server and clicking TLS Details.

  • Name: Unique name used to identify the configuration.

  • Certificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate management view.

  • Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

  • Ciphers: The Cipher Suite to use when encoding messages using TLS. At least one Cipher must be selected. Ciphers must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

  • TLS Protocols: The list of TLS Protocols allowed by the server. At least one TLS Protocol must be selected. TLS Protocols must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

Service Status

Selecting Service Status opens a panel that exposes the RADIUS service and FNAC server logs (the most recent 3000 lines), the latter scoped to only local RADIUS debug output. The logs display with special formatting to highlight important information and common failures which, in many cases, include a tooltip with additional information suggesting the likely cause of the problem.

  • Service Status: Shows additional details of the state of the RADIUS service beyond the status field in the main view.
  • Service Log: Shows the debug information for the RADIUS service. The place to start when authentication is not working as expected.

    Note: In most cases, the ‘Service Log Level’ should be set to Normal for the best troubleshooting information.

  • Server Log: FNAC server log (local RADIUS output only). Useful to debug post-auth related problems such as incorrect or missing response values, or a post-auth Deny being returned unexpectedly.
  • Systemd Journal: OS journal output that shows helpful information when the service will not start for some reason (missing / corrupt configuration files, certificates, etc).

Logs can be filtered using the controls at the top of the view.

  • Filter Button: Shows only lines containing the filter string.
  • Mark Button: Shows the full log output but highlights lines containing the filter string in blue for context. This can be used multiple times to highlight additional strings.
  • Clear Button: Resets the filter.
  • Previous/Next Buttons: Auto-scroll to and select matches for the specified filter string.
  • Show Flagged Errors Only: Shows only lines that have been flagged in red as a common problem.

RADIUS Attribute Groups

Allows administrators to control the RADIUS attributes FortiNAC returns in an Access-Accept. Each group can optionally be scoped so that debug output is generated only for one or more specified MAC addresses (comma separated).

Important: The inbound RADIUS request must contain Calling-Station-Id. This attribute is required to properly process logical network information. No RADIUS attributes will be returned if Calling-Station-Id is not present in the associated request.

Add RADIUS Attribute Group

  1. Click Add.
  2. Use the filter to narrow down the list of attributes in the left pane, and select them by clicking the arrow icons to push them into the right pane.
  3. Set the value by clicking the value box in the right pane.
  4. Setting the value to %ACCESS_VALUE% inserts the Access Value into the attribute when it is returned.
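As an added illustration (not FortiNAC's own code), the following Python models two behaviours described on this page: the group's attributes are placed in an Access-Accept only when the request carries Calling-Station-Id, with %ACCESS_VALUE% substituted from the host's access value, and a comma-separated host MAC filter scopes debug output as the Service Debug Host MAC Filter fields do. The sample attribute group, the MAC-to-access-value table and the `lookup_access_value` callable are constructed assumptions, not FortiNAC internals.

```python
import re

ACCESS_VALUE_TOKEN = "%ACCESS_VALUE%"  # placeholder documented on this page

# Constructed attribute group (assumption): attribute name -> value template,
# as an administrator would define it under Add RADIUS Attribute Group.
SAMPLE_GROUP = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "%ACCESS_VALUE%",
    "Filter-Id": "acl-%ACCESS_VALUE%",
}


def normalize_mac(value):
    """Reduce a MAC written in any common Calling-Station-Id style
    (00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc) to a canonical
    lower-case colon form. Returns None if it is not a 48-bit address.
    Accepting several spellings is an assumption of this example."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_access_accept_attributes(request, group, lookup_access_value):
    """Return the (name, value) attributes to place in an Access-Accept.

    request: inbound RADIUS attributes as a dict
    group: attribute group, name -> value template
    lookup_access_value: callable(mac) -> access value (e.g. a VLAN id) or
        None; it stands in for FortiNAC's logical network lookup, which is
        keyed on the host MAC and is why the page requires Calling-Station-Id.
    As documented, no attributes are returned when Calling-Station-Id is
    absent; the same is done here when no access value is found for the
    host (an assumption of this example, not documented behaviour).
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return []
    access_value = lookup_access_value(mac)
    if access_value is None:
        return []
    return [(name, template.replace(ACCESS_VALUE_TOKEN, str(access_value)))
            for name, template in group.items()]


def debug_in_scope(mac, mac_filter):
    """Model of the Service Debug Host MAC Filter: mac_filter is the
    comma-separated field value; an empty field means debug for every host."""
    wanted = {normalize_mac(m) for m in mac_filter.split(",") if m.strip()}
    wanted.discard(None)  # ignore entries that are not valid MACs
    return not wanted or normalize_mac(mac) in wanted
```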

If the attribute required does not exist in FortiNAC’s database, it can be added.

Add RADIUS Attribute

  1. Click Add.
  2. Define the following:
    • Name
    • Type: Select the appropriate option from the drill-down list.
    • Value
    • Vendor
    • Vendor ID
    • Format
    • Has Tag
    • Encryption method: Select the appropriate option from the drill-down list.
  3. Click OK to save.
  4. To modify an added attribute, click Modify.
    Note: Pre-loaded attributes may not be edited.
  5. To delete an attribute, select Delete.

Once RADIUS Attribute Groups are defined, select the groups to be used for each device within its Model or Global Model Configuration view. See Model configuration for additional information.
