Administration Guide

RADIUS server configuration

Configure the following in the RADIUS server:

  1. Add the following vendor-specific attributes to the Fortinet dictionary file:

    Fortinet-Fpc-User-Role

    Fortinet-Fpc-Tenant-Identification

    For example, if you are using FreeRADIUS:

    #
    #       Fortinet's VSAs
    #
    
    VENDOR        Fortinet                        12356
    
    BEGIN-VENDOR  Fortinet
    ATTRIBUTE     Fortinet-Group-Name                  1  string
    ATTRIBUTE     Fortinet-Client-IP-Address           2  ipaddr
    ATTRIBUTE     Fortinet-Vdom-Name                   3  string
    ATTRIBUTE     Fortinet-Client-IPv6-Address         4  octets
    ATTRIBUTE     Fortinet-Interface-Name              5  string
    ATTRIBUTE     Fortinet-Access-Profile              6  string
    ATTRIBUTE     Fortinet-Fpc-User-Role               40 string ###add this
    ATTRIBUTE     Fortinet-Fpc-Tenant-Identification   41 string ###add this
    
    #
    # Integer Translations
    #
    
    END-VENDOR Fortinet

  2. To configure FortiPortal roles in the RADIUS server, use the following vendor-specific attribute. You can specify multiple roles by using comma-separated values:

    VENDORATTR 12356 Fortinet-Fpc-User-Role 40 string

    A user cannot log in to FortiPortal if the roles are not configured on the RADIUS server.

  3. To configure which sites will use RADIUS authentication, use the following vendor-specific attribute. You can specify multiple sites by using comma-separated values. If no sites are specified, users have access to all sites.

    VENDORATTR 12356 Fortinet-Fpc-Tenant-User-Sites 42 string

  4. Specify the customer identification, which is used to map a particular user to a customer profile. The RADIUS server will send one of the domain names specified in the Domains field of the customer settings, in the value of the new VSA.

    VENDORATTR 12356 Fortinet-Fpc-Tenant-Identification 41 string
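
To confirm what the RADIUS server actually returns for a user, the attribute section of a captured Access-Accept can be decoded and checked against the rules in steps 2 to 4. The following Python sketch is an added example, not Fortinet code; it assumes the input is the attribute bytes that follow the 20-byte RADIUS header, that blanks around commas are ignored, and it uses constructed role and domain names.

```python
import struct

FORTINET_VENDOR_ID = 12356         # VENDOR line in the dictionary
ROLE, TENANT, SITES = 40, 41, 42   # VSA numbers from steps 2-4
VENDOR_SPECIFIC = 26               # RADIUS attribute type, RFC 2865 section 5.26

def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single Fortinet string VSA."""
    data = value.encode("utf-8")
    if len(data) > 247:            # 255 - 6 (type, length, vendor id) - 2 (sub-header)
        raise ValueError("value too long for one VSA")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, FORTINET_VENDOR_ID) + sub

def parse_fortinet_vsas(attrs):
    """Walk a RADIUS attribute section and return {vsa_number: string} for vendor 12356."""
    found, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, body = attrs[i], attrs[i + 2 : i + attrs[i + 1]]
        i += attrs[i + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4
        while j < len(body):
            if len(body) - j < 2 or body[j + 1] < 2 or j + body[j + 1] > len(body):
                raise ValueError("malformed sub-attribute")
            found[body[j]] = body[j + 2 : j + body[j + 1]].decode("utf-8")
            j += body[j + 1]
    return found

def effective_access(attrs):
    """Apply the rules stated in steps 2-4 to what the server actually returned."""
    vsas = parse_fortinet_vsas(attrs)
    def split(s):                  # assumption: blanks around commas are ignored
        return [p.strip() for p in s.split(",") if p.strip()]
    roles, sites = split(vsas.get(ROLE, "")), split(vsas.get(SITES, ""))
    return {
        "login_allowed": bool(roles),   # step 2: no role, no login
        "roles": roles,
        "sites": sites or "ALL",        # step 3: no sites listed means every site
        "tenant": vsas.get(TENANT),     # step 4: must equal a customer domain
    }

# Constructed sample: User-Name plus two Fortinet VSAs; role names are made up.
SAMPLE = (b"\x01\x07alice" + encode_vsa(ROLE, "sp-admin,sp-readonly")
          + encode_vsa(TENANT, "customer1.example"))
```

Because an absent attribute 42 means access to all sites, the `sites` value is the field to check for any account that is meant to be restricted.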

RADIUS Roles

Selecting the View Radius Roles button on the User Authentication pane displays the RADIUS Roles window. Here, you can configure the mapping between FortiPortal roles and RADIUS roles. For each RADIUS role, the window displays the role type (Service Provider or Customer) and a list of FortiPortal roles that map to the RADIUS role.

The RADIUS Roles window contains the following actions:

  • Add—opens a dialog to add a RADIUS role (see immediately below)
  • Search—enter text to search for RADIUS role names containing that text
  • Show x entries—sets the number of entries that are displayed at once (10, 25, 30, or 50)
  • Sort—allows you to sort columns in ascending or descending order

When you scroll over an entry in the RADIUS role list, the following icons appear in the Action column:

  • Edit—opens a dialog to edit an existing RADIUS role (see below)
  • Delete—deletes the selected RADIUS role

The Add Radius Role and Edit Radius Role dialogs contain the following fields:

| Settings | Guidelines |
|---|---|
| Role Name | Names the RADIUS role. The name must match a role name in the RADIUS server. |
| Role Type | Service Provider or Customer |
| Available FPC Roles | Lists the available FortiPortal roles. Use the search box to filter the choices available. |
| Selected FPC Roles | Selects the FortiPortal roles to associate with this RADIUS role. Use the search box to filter your selected choices. |
