Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiPortal 5.3.4 User Guide
    5.3.4
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.8
    5.3.7
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.0
    5.2.0
    4.1.0

    RADIUS authentication

    RADIUS authentication

    You can add, update, and delete RADIUS authentication settings.

    Add RADIUS authentication settings

    1. Select radius from the Auth Server Settings tree.
    2. Right-click in the RADIUS authentication table and select Create New.
    3. Enter values in the relevant fields. See RADIUS authentication fields.
    4. Select Save.

    Update RADIUS authentication settings

    1. Select radius from the Auth Server Settings tree.
    2. Right-click a RADIUS server and select Edit.
    3. Update the values that you want to change.
    4. Select Save.

    Delete RADIUS authentication settings

    1. Select radius from the Auth Server Settings tree.
    2. Right-click a RADIUS server and select Delete.
    3. Select Yes in the confirmation dialog box to delete the selected server.

    RADIUS authentication fields

    The Create New user-radius and Edit user-radius forms contain the following fields:

    Settings

    Guidelines

    Name

    Required. The RADIUS server name.

    Account All Servers

    Enable or disable the sending of accounting messages to all configured servers. The default is disable.

    Account Interim Update Interval

    The number of seconds between each accounting interim update message.

    all User-group

    Enable or disable whether this RADIUS server is automatically included in all user groups.

    Authentication Type

    Authentication methods/protocols permitted for this RADIUS server:

    ms_chap—Microsoft Challenge Handshake Authentication Protocol.

    ms_chap_v2—Microsoft Challenge Handshake Authentication Protocol version 2.

    auto—Use PAP, MSCHAP_v2, and CHAP (in that order).

    chap—Challenge Handshake Authentication Protocol.

    pap— Password Authentication Protocol.

    Class

    Class attribute name(s).

    H3C Compatibility

    Enable or disable compatibility with the H3C, a mechanism that performs security checking for authentication.

    NAS-IP

    IPv4 address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.

    Password Encoding

    Password encoding:

    auto—Use original password encoding.

    ISO-8859-1—Use ISO-8859-1 password encoding.

    Password Renewal

    Enable or disable password renewal.

    Allow Change of Attributes

    Enable or disable the overriding of an old attribute value with a new value for the same endpoint.

    Radius Port

    RADIUS service port number.

    Radius based SSO

    Enable or disable the RADIUS-based single sign-on feature.

    RSSO Context Timeout

    Time in seconds before the logged-out user is removed from the “user context list” of logged-on users.

    RSSO Endpoint Block Attribute

    RADIUS attributes used to block a user:

    Login-LAT-Service—Use this attribute.

    NAS-IP-Address—Use this attribute.

    Callback-Number—Use this attribute.

    NAS-Identifier—Use this attribute.

    Acct-Multi-Session-Id—Use this attribute.

    Login-LAT-Group—Use this attribute.

    Reply-Message—Use this attribute.

    User-Name—Use this attribute.

    Calling-Station-Id—Use this attribute.

    Filter-Id—Use this attribute.

    Framed-IP-Address—Use this attribute.

    Framed-IP-Netmask—Use this attribute.

    Login-IP-Host—Use this attribute.

    Callback-Id—Use this attribute.

    Class—Use this attribute.

    Framed-Route—Use this attribute.

    Acct-Session-Id—Use this attribute.

    Proxy-State—Use this attribute.

    Called-Station-Id—Use this attribute.

    Framed-AppleTalk-Zone—Use this attribute.

    Login-LAT-Node—Use this attribute

    Framed-IPX-Network—Use this attribute.

    RSSO One IP Address By Endpoint

    Enable or disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

    RSSO Flush IP Session

    Enable or disable the flushing of user IP sessions on RADIUS accounting Stop messages.

    RSSO Log Flags

    Events to log:

    radiusd-other—Enable this log type.

    profile-missing—Enable this log type.

    accounting-event—Enable this log type.

    protocol-error—Enable this log type.

    endpoint-block—Enable this log type.

    none—Disable all logging.

    accounting-stop-missed—Enable this log type.

    RSSO Log Period

    How often (in seconds) that group event log messages are generated for dynamic profile events.

    RSSO Radius Response

    Enable or disable the sending of RADIUS response packets after receiving Start and Stop records.

    RSSO Radius Server Port

    The UDP port to listen on for RADIUS Start and Stop records.

    RSSO Password

    The RADIUS secret used by the RADIUS accounting server.

    RSSO Validation Request Secret

    Enable or disable the validation of the RADIUS request shared secret in the Start or End record.

    Secondary Password

    The secret key to access the secondary server.

    Secondary Server

    The CN domain name or IP address for the secondary RADIUS server.

    Password

    The pre-shared secret key used to access the primary RADIUS server.

    Server

    The primary RADIUS server CN domain name or IP address.

    Source IP

    The source IP address for communications to the RADIUS server.

    SSO Attribute

    RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record:

    Login-LAT-Service—Use this attribute.

    NAS-IP-Address—Use this attribute.

    Callback-Number—Use this attribute.

    NAS-Identifier—Use this attribute.

    Acct-Multi-Session-Id—Use this attribute.

    Login-LAT-Group—Use this attribute.

    Reply-Message—Use this attribute.

    User-Name—Use this attribute.

    Calling-Station-Id—Use this attribute.

    Filter-Id—Use this attribute.

    Framed-IP-Address—Use this attribute.

    Framed-IP-Netmask—Use this attribute.

    Login-IP-Host—Use this attribute.

    Callback-Id—Use this attribute.

    Class—Use this attribute.

    Framed-Route—Use this attribute.

    Acct-Session-Id—Use this attribute.

    Proxy-State—Use this attribute.

    Called-Station-Id—Use this attribute.

    Framed-AppleTalk-Zone—Use this attribute.

    Login-LAT-Node—Use this attribute.

    Framed-IPX-Network—Use this attribute.

    SSO Attribute Key

    The key prefix for SSO group value in the SSO attribute.

    SSO Attribute Value Override

    Enable or disable whether to override the old attribute value with a new value for the same endpoint.

    Tertiary Password

    The secret key to access the tertiary server.

    Tertiary Server

    The CN domain name or IP address for the tertiary RADIUS server.

    Timeout

    How often (in seconds) authentication requests are re-sent .

    Use Management Vdom

    Enable or disable whether to use the management VDOM to send requests.

    Username Case Sensitive

    Enable or disable whether user names are case sensitive.

    Accounting Server

    Additional accounting servers. See Add an accounting server.

    Add an accounting server

    1. Right-click in the Accounting Server table and select Create New.
    2. In the Id field, enter an identifier for the accounting server.
    3. In the Port field, enter the RADIUS accounting port number.
    4. In the Password field, enter the secret key for the accounting server
    5. In the Server field, enter the server CN domain name or IP address.
    6. In the Source IP field, enter the source IP address for communications to the RADIUS server.
    7. In the Status field, select enable to make the accounting server active.
    8. Select Save to save the settings.
    Previous
    Next

    RADIUS authentication

    RADIUS authentication

    You can add, update, and delete RADIUS authentication settings.

    Add RADIUS authentication settings

    1. Select radius from the Auth Server Settings tree.
    2. Right-click in the RADIUS authentication table and select Create New.
    3. Enter values in the relevant fields. See RADIUS authentication fields.
    4. Select Save.

    Update RADIUS authentication settings

    1. Select radius from the Auth Server Settings tree.
    2. Right-click a RADIUS server and select Edit.
    3. Update the values that you want to change.
    4. Select Save.

    Delete RADIUS authentication settings

    1. Select radius from the Auth Server Settings tree.
    2. Right-click a RADIUS server and select Delete.
    3. Select Yes in the confirmation dialog box to delete the selected server.

    RADIUS authentication fields

    The Create New user-radius and Edit user-radius forms contain the following fields:

    Settings

    Guidelines

    Name

    Required. The RADIUS server name.

    Account All Servers

    Enable or disable the sending of accounting messages to all configured servers. The default is disable.

    Account Interim Update Interval

    The number of seconds between each accounting interim update message.

    all User-group

    Enable or disable whether this RADIUS server is automatically included in all user groups.

    Authentication Type

    Authentication methods/protocols permitted for this RADIUS server:

    ms_chap—Microsoft Challenge Handshake Authentication Protocol.

    ms_chap_v2—Microsoft Challenge Handshake Authentication Protocol version 2.

    auto—Use PAP, MSCHAP_v2, and CHAP (in that order).

    chap—Challenge Handshake Authentication Protocol.

    pap— Password Authentication Protocol.

    Class

    Class attribute name(s).

    H3C Compatibility

    Enable or disable compatibility with the H3C, a mechanism that performs security checking for authentication.

    NAS-IP

    IPv4 address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.

    Password Encoding

    Password encoding:

    auto—Use original password encoding.

    ISO-8859-1—Use ISO-8859-1 password encoding.

    Password Renewal

    Enable or disable password renewal.

    Allow Change of Attributes

    Enable or disable the overriding of an old attribute value with a new value for the same endpoint.

    Radius Port

    RADIUS service port number.

    Radius based SSO

    Enable or disable the RADIUS-based single sign-on feature.

    RSSO Context Timeout

    Time in seconds before the logged-out user is removed from the “user context list” of logged-on users.

    RSSO Endpoint Block Attribute

    RADIUS attributes used to block a user:

    Login-LAT-Service—Use this attribute.

    NAS-IP-Address—Use this attribute.

    Callback-Number—Use this attribute.

    NAS-Identifier—Use this attribute.

    Acct-Multi-Session-Id—Use this attribute.

    Login-LAT-Group—Use this attribute.

    Reply-Message—Use this attribute.

    User-Name—Use this attribute.

    Calling-Station-Id—Use this attribute.

    Filter-Id—Use this attribute.

    Framed-IP-Address—Use this attribute.

    Framed-IP-Netmask—Use this attribute.

    Login-IP-Host—Use this attribute.

    Callback-Id—Use this attribute.

    Class—Use this attribute.

    Framed-Route—Use this attribute.

    Acct-Session-Id—Use this attribute.

    Proxy-State—Use this attribute.

    Called-Station-Id—Use this attribute.

    Framed-AppleTalk-Zone—Use this attribute.

    Login-LAT-Node—Use this attribute

    Framed-IPX-Network—Use this attribute.

    RSSO One IP Address By Endpoint

    Enable or disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

    RSSO Flush IP Session

    Enable or disable the flushing of user IP sessions on RADIUS accounting Stop messages.

    RSSO Log Flags

    Events to log:

    radiusd-other—Enable this log type.

    profile-missing—Enable this log type.

    accounting-event—Enable this log type.

    protocol-error—Enable this log type.

    endpoint-block—Enable this log type.

    none—Disable all logging.

    accounting-stop-missed—Enable this log type.

    RSSO Log Period

    How often (in seconds) that group event log messages are generated for dynamic profile events.

    RSSO Radius Response

    Enable or disable the sending of RADIUS response packets after receiving Start and Stop records.

    RSSO Radius Server Port

    The UDP port to listen on for RADIUS Start and Stop records.

    RSSO Password

    The RADIUS secret used by the RADIUS accounting server.

    RSSO Validation Request Secret

    Enable or disable the validation of the RADIUS request shared secret in the Start or End record.

    Secondary Password

    The secret key to access the secondary server.

    Secondary Server

    The CN domain name or IP address for the secondary RADIUS server.

    Password

    The pre-shared secret key used to access the primary RADIUS server.

    Server

    The primary RADIUS server CN domain name or IP address.

    Source IP

    The source IP address for communications to the RADIUS server.

    SSO Attribute

    RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record:

    Login-LAT-Service—Use this attribute.

    NAS-IP-Address—Use this attribute.

    Callback-Number—Use this attribute.

    NAS-Identifier—Use this attribute.

    Acct-Multi-Session-Id—Use this attribute.

    Login-LAT-Group—Use this attribute.

    Reply-Message—Use this attribute.

    User-Name—Use this attribute.

    Calling-Station-Id—Use this attribute.

    Filter-Id—Use this attribute.

    Framed-IP-Address—Use this attribute.

    Framed-IP-Netmask—Use this attribute.

    Login-IP-Host—Use this attribute.

    Callback-Id—Use this attribute.

    Class—Use this attribute.

    Framed-Route—Use this attribute.

    Acct-Session-Id—Use this attribute.

    Proxy-State—Use this attribute.

    Called-Station-Id—Use this attribute.

    Framed-AppleTalk-Zone—Use this attribute.

    Login-LAT-Node—Use this attribute.

    Framed-IPX-Network—Use this attribute.

    SSO Attribute Key

    The key prefix for SSO group value in the SSO attribute.

    SSO Attribute Value Override

    Enable or disable whether to override the old attribute value with a new value for the same endpoint.

    Tertiary Password

    The secret key to access the tertiary server.

    Tertiary Server

    The CN domain name or IP address for the tertiary RADIUS server.

    Timeout

    How often (in seconds) authentication requests are re-sent .

    Use Management Vdom

    Enable or disable whether to use the management VDOM to send requests.

    Username Case Sensitive

    Enable or disable whether user names are case sensitive.

    Accounting Server

    Additional accounting servers. See Add an accounting server.

    Add an accounting server

    1. Right-click in the Accounting Server table and select Create New.
    2. In the Id field, enter an identifier for the accounting server.
    3. In the Port field, enter the RADIUS accounting port number.
    4. In the Password field, enter the secret key for the accounting server
    5. In the Server field, enter the server CN domain name or IP address.
    6. In the Source IP field, enter the source IP address for communications to the RADIUS server.
    7. In the Status field, select enable to make the accounting server active.
    8. Select Save to save the settings.
    Previous
    Next