Fortinet white logo
Fortinet white logo

RADIUS authentication

RADIUS authentication

You can add, update, and delete RADIUS authentication settings.

Add RADIUS authentication settings

  1. Select radius from the Auth Server Settings dropdown menu.
  2. Right-click in the RADIUS authentication table and select Create New.
  3. Enter values in the relevant fields. See RADIUS authentication fields.
  4. Select Save.

Update RADIUS authentication settings

  1. Select radius from the Auth Server Settings dropdown menu.
  2. Right-click a RADIUS server and select Edit.
  3. Update the values that you want to change.
  4. Select Save.

Delete RADIUS authentication settings

  1. Select radius from the Auth Server Settings dropdown menu.
  2. Right-click a RADIUS server and select Delete.
  3. Select Yes in the confirmation dialog box to delete the selected server.

RADIUS authentication fields

The Create New Radius Server and Edit Radius Server dialogs contain the following fields:

Settings

Guidelines

Name

Required. The RADIUS server name.

Account All Servers

Enable or disable the sending of accounting messages to all configured servers. The default is disable.

Account Interim Update Interval

The number of seconds between each accounting interim update message.

all User-group

Enable or disable whether this RADIUS server is automatically included in all user groups.

Authentication Type

Authentication methods/protocols permitted for this RADIUS server:

ms_chap—Microsoft Challenge Handshake Authentication Protocol.

ms_chap_v2—Microsoft Challenge Handshake Authentication Protocol version 2.

auto—Use PAP, MSCHAP_v2, and CHAP (in that order).

chap—Challenge Handshake Authentication Protocol.

pap— Password Authentication Protocol.

Class

Class attribute name(s).

H3C Compatibility

Enable or disable compatibility with the H3C, a mechanism that performs security checking for authentication.

NAS-IP

IPv4 address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.

Password Encoding

Password encoding:

auto—Use original password encoding.

ISO-8859-1—Use ISO-8859-1 password encoding.

Password Renewal

Enable or disable password renewal.

Allow Change of Attributes

Enable or disable the overriding of an old attribute value with a new value for the same endpoint.

Radius Port

RADIUS service port number.

Radius based SSO

Enable or disable the RADIUS-based single sign-on feature.

RSSO Context Timeout

Time in seconds before the logged-out user is removed from the “user context list” of logged-on users.

RSSO Endpoint Block Attribute

RADIUS attributes used to block a user:

Login-LAT-Service—Use this attribute.

NAS-IP-Address—Use this attribute.

Callback-Number—Use this attribute.

NAS-Identifier—Use this attribute.

Acct-Multi-Session-Id—Use this attribute.

Login-LAT-Group—Use this attribute.

Reply-Message—Use this attribute.

User-Name—Use this attribute.

Calling-Station-Id—Use this attribute.

Filter-Id—Use this attribute.

Framed-IP-Address—Use this attribute.

Framed-IP-Netmask—Use this attribute.

Login-IP-Host—Use this attribute.

Callback-Id—Use this attribute.

Class—Use this attribute.

Framed-Route—Use this attribute.

Acct-Session-Id—Use this attribute.

Proxy-State—Use this attribute.

Called-Station-Id—Use this attribute.

Framed-AppleTalk-Zone—Use this attribute.

Login-LAT-Node—Use this attribute

Framed-IPX-Network—Use this attribute.

RSSO One IP Address By Endpoint

Enable or disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

RSSO Flush IP Session

Enable or disable the flushing of user IP sessions on RADIUS accounting Stop messages.

RSSO Log Flags

Events to log:

radiusd-other—Enable this log type.

profile-missing—Enable this log type.

accounting-event—Enable this log type.

protocol-error—Enable this log type.

endpoint-block—Enable this log type.

none—Disable all logging.

accounting-stop-missed—Enable this log type.

RSSO Log Period

How often (in seconds) that group event log messages are generated for dynamic profile events.

RSSO Radius Response

Enable or disable the sending of RADIUS response packets after receiving Start and Stop records.

RSSO Radius Server Port

The UDP port to listen on for RADIUS Start and Stop records.

RSSO Password

The RADIUS secret used by the RADIUS accounting server.

RSSO Validation Request Secret

Enable or disable the validation of the RADIUS request shared secret in the Start or End record.

Secondary Password

The secret key to access the secondary server.

Secondary Server

The CN domain name or IP address for the secondary RADIUS server.

Password

The pre-shared secret key used to access the primary RADIUS server.

Server

The primary RADIUS server CN domain name or IP address.

Source IP

The source IP address for communications to the RADIUS server.

SSO Attribute

RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record:

Login-LAT-Service—Use this attribute.

NAS-IP-Address—Use this attribute.

Callback-Number—Use this attribute.

NAS-Identifier—Use this attribute.

Acct-Multi-Session-Id—Use this attribute.

Login-LAT-Group—Use this attribute.

Reply-Message—Use this attribute.

User-Name—Use this attribute.

Calling-Station-Id—Use this attribute.

Filter-Id—Use this attribute.

Framed-IP-Address—Use this attribute.

Framed-IP-Netmask—Use this attribute.

Login-IP-Host—Use this attribute.

Callback-Id—Use this attribute.

Class—Use this attribute.

Framed-Route—Use this attribute.

Acct-Session-Id—Use this attribute.

Proxy-State—Use this attribute.

Called-Station-Id—Use this attribute.

Framed-AppleTalk-Zone—Use this attribute.

Login-LAT-Node—Use this attribute.

Framed-IPX-Network—Use this attribute.

SSO Attribute Key

The key prefix for SSO group value in the SSO attribute.

SSO Attribute Value Override

Enable or disable whether to override the old attribute value with a new value for the same endpoint.

Tertiary Password

The secret key to access the tertiary server.

Tertiary Server

The CN domain name or IP address for the tertiary RADIUS server.

Timeout

How often (in seconds) authentication requests are re-sent .

Use Management Vdom

Enable or disable whether to use the management VDOM to send requests.

Username Case Sensitive

Enable or disable whether user names are case sensitive.

Accounting Server

Additional accounting servers. See Add an accounting server.

Add an accounting server

  1. Click Create New in the Accounting Server table.
  2. In the Id field, enter an identifier for the accounting server.
  3. In the Port field, enter the RADIUS accounting port number.
  4. In the Password field, enter the secret key for the accounting server
  5. In the Server field, enter the server CN domain name or IP address.
  6. In the Source IP field, enter the source IP address for communications to the RADIUS server.
  7. In the Status field, select enable to make the accounting server active.
  8. Select Save to save the settings.

RADIUS authentication

RADIUS authentication

You can add, update, and delete RADIUS authentication settings.

Add RADIUS authentication settings

  1. Select radius from the Auth Server Settings dropdown menu.
  2. Right-click in the RADIUS authentication table and select Create New.
  3. Enter values in the relevant fields. See RADIUS authentication fields.
  4. Select Save.

Update RADIUS authentication settings

  1. Select radius from the Auth Server Settings dropdown menu.
  2. Right-click a RADIUS server and select Edit.
  3. Update the values that you want to change.
  4. Select Save.

Delete RADIUS authentication settings

  1. Select radius from the Auth Server Settings dropdown menu.
  2. Right-click a RADIUS server and select Delete.
  3. Select Yes in the confirmation dialog box to delete the selected server.

RADIUS authentication fields

The Create New Radius Server and Edit Radius Server dialogs contain the following fields:

Settings

Guidelines

Name

Required. The RADIUS server name.

Account All Servers

Enable or disable the sending of accounting messages to all configured servers. The default is disable.

Account Interim Update Interval

The number of seconds between each accounting interim update message.

all User-group

Enable or disable whether this RADIUS server is automatically included in all user groups.

Authentication Type

Authentication methods/protocols permitted for this RADIUS server:

ms_chap—Microsoft Challenge Handshake Authentication Protocol.

ms_chap_v2—Microsoft Challenge Handshake Authentication Protocol version 2.

auto—Use PAP, MSCHAP_v2, and CHAP (in that order).

chap—Challenge Handshake Authentication Protocol.

pap— Password Authentication Protocol.

Class

Class attribute name(s).

H3C Compatibility

Enable or disable compatibility with the H3C, a mechanism that performs security checking for authentication.

NAS-IP

IPv4 address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.

Password Encoding

Password encoding:

auto—Use original password encoding.

ISO-8859-1—Use ISO-8859-1 password encoding.

Password Renewal

Enable or disable password renewal.

Allow Change of Attributes

Enable or disable the overriding of an old attribute value with a new value for the same endpoint.

Radius Port

RADIUS service port number.

Radius based SSO

Enable or disable the RADIUS-based single sign-on feature.

RSSO Context Timeout

Time in seconds before the logged-out user is removed from the “user context list” of logged-on users.

RSSO Endpoint Block Attribute

RADIUS attributes used to block a user:

Login-LAT-Service—Use this attribute.

NAS-IP-Address—Use this attribute.

Callback-Number—Use this attribute.

NAS-Identifier—Use this attribute.

Acct-Multi-Session-Id—Use this attribute.

Login-LAT-Group—Use this attribute.

Reply-Message—Use this attribute.

User-Name—Use this attribute.

Calling-Station-Id—Use this attribute.

Filter-Id—Use this attribute.

Framed-IP-Address—Use this attribute.

Framed-IP-Netmask—Use this attribute.

Login-IP-Host—Use this attribute.

Callback-Id—Use this attribute.

Class—Use this attribute.

Framed-Route—Use this attribute.

Acct-Session-Id—Use this attribute.

Proxy-State—Use this attribute.

Called-Station-Id—Use this attribute.

Framed-AppleTalk-Zone—Use this attribute.

Login-LAT-Node—Use this attribute

Framed-IPX-Network—Use this attribute.

RSSO One IP Address By Endpoint

Enable or disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

RSSO Flush IP Session

Enable or disable the flushing of user IP sessions on RADIUS accounting Stop messages.

RSSO Log Flags

Events to log:

radiusd-other—Enable this log type.

profile-missing—Enable this log type.

accounting-event—Enable this log type.

protocol-error—Enable this log type.

endpoint-block—Enable this log type.

none—Disable all logging.

accounting-stop-missed—Enable this log type.

RSSO Log Period

How often (in seconds) that group event log messages are generated for dynamic profile events.

RSSO Radius Response

Enable or disable the sending of RADIUS response packets after receiving Start and Stop records.

RSSO Radius Server Port

The UDP port to listen on for RADIUS Start and Stop records.

RSSO Password

The RADIUS secret used by the RADIUS accounting server.

RSSO Validation Request Secret

Enable or disable the validation of the RADIUS request shared secret in the Start or End record.

Secondary Password

The secret key to access the secondary server.

Secondary Server

The CN domain name or IP address for the secondary RADIUS server.

Password

The pre-shared secret key used to access the primary RADIUS server.

Server

The primary RADIUS server CN domain name or IP address.

Source IP

The source IP address for communications to the RADIUS server.

SSO Attribute

RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record:

Login-LAT-Service—Use this attribute.

NAS-IP-Address—Use this attribute.

Callback-Number—Use this attribute.

NAS-Identifier—Use this attribute.

Acct-Multi-Session-Id—Use this attribute.

Login-LAT-Group—Use this attribute.

Reply-Message—Use this attribute.

User-Name—Use this attribute.

Calling-Station-Id—Use this attribute.

Filter-Id—Use this attribute.

Framed-IP-Address—Use this attribute.

Framed-IP-Netmask—Use this attribute.

Login-IP-Host—Use this attribute.

Callback-Id—Use this attribute.

Class—Use this attribute.

Framed-Route—Use this attribute.

Acct-Session-Id—Use this attribute.

Proxy-State—Use this attribute.

Called-Station-Id—Use this attribute.

Framed-AppleTalk-Zone—Use this attribute.

Login-LAT-Node—Use this attribute.

Framed-IPX-Network—Use this attribute.

SSO Attribute Key

The key prefix for SSO group value in the SSO attribute.

SSO Attribute Value Override

Enable or disable whether to override the old attribute value with a new value for the same endpoint.

Tertiary Password

The secret key to access the tertiary server.

Tertiary Server

The CN domain name or IP address for the tertiary RADIUS server.

Timeout

How often (in seconds) authentication requests are re-sent .

Use Management Vdom

Enable or disable whether to use the management VDOM to send requests.

Username Case Sensitive

Enable or disable whether user names are case sensitive.

Accounting Server

Additional accounting servers. See Add an accounting server.

Add an accounting server

  1. Click Create New in the Accounting Server table.
  2. In the Id field, enter an identifier for the accounting server.
  3. In the Port field, enter the RADIUS accounting port number.
  4. In the Password field, enter the secret key for the accounting server
  5. In the Server field, enter the server CN domain name or IP address.
  6. In the Source IP field, enter the source IP address for communications to the RADIUS server.
  7. In the Status field, select enable to make the accounting server active.
  8. Select Save to save the settings.