Fortinet white logo
Fortinet white logo

Administration Guide

RADIUS

RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.

A RADIUS server enables external authentication for users connected to FortiNACmanaged network devices. This type of server is often used in a wireless environment, but also used in wired environments supporting 802.1x authentication.

FortiNAC uses RADIUS authentication for several purposes including:

  • Authenticating users attaching to managed network devices using 802.1x.
  • Authenticating VPN users.
  • Authenticating users accessing FortiNAC's own captive portal process.
  • Authenticating administrators logging onto the FortiNAC system.

As of version 8.8, FortiNAC can be configured to authenticate RADIUS using external RADIUS server(s), the built-in local RADIUS server or a combination of both. There are two RADIUS Authentication modes available for determining how RADIUS requests are processed. These can be configured in FortiNAC on a per-device basis.

Proxy RADIUS Authentication Mode

Enabled by default.

Authentication: FortiNAC processes RADIUS MAC but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

Caution

If configuring FortiNAC both Proxy and Local RADIUS authentication modes, ensure the Authentication port numbers are different between the services.

Accounting: FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

FortiNAC works with all the known RADIUS server products, including FreeRADIUS, Steel Belted RADIUS, Microsoft IAS, Cisco ACS, and RADIATOR. To support these uses, RADIUS server profiles must be created in FortiNAC, which can then be assigned as the authentication method for the FortiNAC system or a specific device.

You can create an unlimited number of RADIUS server profiles. Several configuration options are available:

  • System-wide: Default primary and secondary profiles assigned at the system level are used for both captive portal and administrator authentication.
  • In an 802.1x environment:
    • Profiles can be assigned for each individual device.
    • Profiles can be assigned for individual SSIDs.
    • Profiles can be mapped to domains. User names contain a domain name prefix of the user logging onto the network.
    • Profiles can be mapped to a blank domain which would encompass any authenticating user who does not have a domain name prefix as part of his user name.

Fortinet-Group-Name: If the return attributes contain "Fortinet-Group-Name," FortiNAC will create (as needed) a new FNAC group (type user) and add the authenticated user to the group, which can then be used as part of network access policy.

This also applies to cases where FortiNAC is the RADIUS client originating the portal authentication.

When the authentication request is proxied to a proxy RADIUS server and the response is received, the following will occur:

  1. Extract group names from attribute "Fortinet-Group-Name"
  2. Find the user group for each group name, using "RADIUS" and the proxy server profile name as a prefix. For instance for group "Employee" and proxy server profile "FAC1", consider group “RADIUS/FAC1/Employee”
  3. If the user group is not found, create it.Find the user record for the user.
  4. If the user record is not found, create it.
  5. If the user record is not a member of the user group, add it.
  6. Iterate all user groups that exist which start with the "RADIUS + proxy server profile name" prefix but were excluded from the returned Fortinet-Group-Name list and if the user record is found, remove it.

Local RADIUS Authentication Mode

Introduced in FortiNAC 8.8 and disabled by default.

Authentication: FortiNAC’s Local RADIUS Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

Caution

If configuring FortiNAC both Proxy and Local RADIUS authentication modes, ensure the Authentication port numbers are different between the services.

Accounting: The Local RADIUS server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

FortiNAC processes both RADIUS MAC and 802.1x EAP authentication locally and does not require an external RADIUS server.

Supported 802.1x EAP modes:

  • TTLS/PAP
  • TTLS/MSCHAPv2
  • PEAP/MSCHAPv2
  • TLS

For more information, see Local RADIUS Server.

RADIUS

RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.

A RADIUS server enables external authentication for users connected to FortiNACmanaged network devices. This type of server is often used in a wireless environment, but also used in wired environments supporting 802.1x authentication.

FortiNAC uses RADIUS authentication for several purposes including:

  • Authenticating users attaching to managed network devices using 802.1x.
  • Authenticating VPN users.
  • Authenticating users accessing FortiNAC's own captive portal process.
  • Authenticating administrators logging onto the FortiNAC system.

As of version 8.8, FortiNAC can be configured to authenticate RADIUS using external RADIUS server(s), the built-in local RADIUS server or a combination of both. There are two RADIUS Authentication modes available for determining how RADIUS requests are processed. These can be configured in FortiNAC on a per-device basis.

Proxy RADIUS Authentication Mode

Enabled by default.

Authentication: FortiNAC processes RADIUS MAC but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

Caution

If configuring FortiNAC both Proxy and Local RADIUS authentication modes, ensure the Authentication port numbers are different between the services.

Accounting: FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

FortiNAC works with all the known RADIUS server products, including FreeRADIUS, Steel Belted RADIUS, Microsoft IAS, Cisco ACS, and RADIATOR. To support these uses, RADIUS server profiles must be created in FortiNAC, which can then be assigned as the authentication method for the FortiNAC system or a specific device.

You can create an unlimited number of RADIUS server profiles. Several configuration options are available:

  • System-wide: Default primary and secondary profiles assigned at the system level are used for both captive portal and administrator authentication.
  • In an 802.1x environment:
    • Profiles can be assigned for each individual device.
    • Profiles can be assigned for individual SSIDs.
    • Profiles can be mapped to domains. User names contain a domain name prefix of the user logging onto the network.
    • Profiles can be mapped to a blank domain which would encompass any authenticating user who does not have a domain name prefix as part of his user name.

Fortinet-Group-Name: If the return attributes contain "Fortinet-Group-Name," FortiNAC will create (as needed) a new FNAC group (type user) and add the authenticated user to the group, which can then be used as part of network access policy.

This also applies to cases where FortiNAC is the RADIUS client originating the portal authentication.

When the authentication request is proxied to a proxy RADIUS server and the response is received, the following will occur:

  1. Extract group names from attribute "Fortinet-Group-Name"
  2. Find the user group for each group name, using "RADIUS" and the proxy server profile name as a prefix. For instance for group "Employee" and proxy server profile "FAC1", consider group “RADIUS/FAC1/Employee”
  3. If the user group is not found, create it.Find the user record for the user.
  4. If the user record is not found, create it.
  5. If the user record is not a member of the user group, add it.
  6. Iterate all user groups that exist which start with the "RADIUS + proxy server profile name" prefix but were excluded from the returned Fortinet-Group-Name list and if the user record is found, remove it.

Local RADIUS Authentication Mode

Introduced in FortiNAC 8.8 and disabled by default.

Authentication: FortiNAC’s Local RADIUS Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

Caution

If configuring FortiNAC both Proxy and Local RADIUS authentication modes, ensure the Authentication port numbers are different between the services.

Accounting: The Local RADIUS server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

FortiNAC processes both RADIUS MAC and 802.1x EAP authentication locally and does not require an external RADIUS server.

Supported 802.1x EAP modes:

  • TTLS/PAP
  • TTLS/MSCHAPv2
  • PEAP/MSCHAPv2
  • TLS

For more information, see Local RADIUS Server.