Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiPortal 7.2.0 Administration Guide
    7.2.0
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.8
    5.3.7
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.0
    5.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Remote authentication: RADIUS

    Remote authentication: RADIUS

    To configure your RADIUS server:
    1. Add the following vendor-specific attributes to the Fortinet dictionary file:
      Fortinet-Fpc-User-Role
      Fortinet-Fpc-Tenant-Identification

      For example, if you are using FreeRADIUS:

      #
#       Fortinet's VSAs
#

VENDOR        Fortinet                        12356

BEGIN-VENDOR  Fortinet
ATTRIBUTE     Fortinet-Group-Name                  1  string
ATTRIBUTE     Fortinet-Client-IP-Address           2  ipaddr
ATTRIBUTE     Fortinet-Vdom-Name                   3  string
ATTRIBUTE     Fortinet-Client-IPv6-Address         4  octets
ATTRIBUTE     Fortinet-Interface-Name              5  string
ATTRIBUTE     Fortinet-Access-Profile              6  string
ATTRIBUTE     Fortinet-Fpc-User-Role               40 string ###add this
ATTRIBUTE     Fortinet-Fpc-Tenant-Identification   41 string ###add this

#
# Integer Translations
#

END-VENDOR Fortinet
    2. To configure FortiPortal roles in the RADIUS server, use the following vendor-specific attribute. Specify multiple roles by using tab-separated values:
      VENDORATTR	12356	Fortinet-Fpc-User-Role	40	string

      A user will not be able to login to FortiPortal if the roles are not configured on the RADIUS server.

    3. To configure which sites will use RADIUS authentication, use the following vendor-specific attribute. You can specify multiple sites by using tab-separated values. If no sites are specified, users have access to all sites.

      VENDORATTR	12356	Fortinet-Fpc-Tenant-User-Sites	42	string

    4. Specify the customer identification, which is used to map a particular user to a customer profile. The RADIUS server will send one of the domain names specified in the Domains field of the customer settings, in the value of the new VSA.

      VENDORATTR	Fortinet-Fpc-Tenant-Identification	41	string
    To configure FortiPortal:

    1. Go to System > Settings > Authentication.

    2. Configure the settings as follows:

      Field

      Required

      Description

      Authentication Access

      N

      Set to Remote.

      Enable Two-factor Authentication

      N

      Enable or disable two-factor authentication (2FA).

      FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.

      For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

      Email information is mandatory for 2FA users.

      If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

      See Two-factor authentication in FortiPortal example.

      Remote Server

      Y

      Select Radius as the remote server type.

      Remote Server Port

      Y

      Enter the port for the authentication server (default is 443)

      Remote Server IP Address

      Y

      Enter the IP address of the authentication server.

      Remote Server Key

      Y

      Enter the secret key for REST API requests.

      Self Service Portal

      N

      Enter the URL of the RADIUS provider's user self service portal where users can manage their remote account settings, if applicable.

      Domains

      N

      Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.

      Remove domains by clicking the X next to the domain.

      Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

      The site administrator may allow administrative users to be defined in more than one authentication domain.

      Authentication Protocol

      Y

      Required. Select PAP, CHAP, or MSCHAPv2 authentication protocol.

      Site Attribute

      N

      Enter the attribute parameter name that specifies which sites the customer user can access.

      Select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

      You can select a different value if you define an attribute for a site on the RADIUS server.

      Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

      Tenant Identification Attribute

      N

      Enter or select a value that FortiPortal uses under RADIUS to map a user to a specific organization.

      For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send Fortinet in the authentication response.

      FortiPortal treats the attribute values from either RADIUS or SSO servers equally.

      View/Change Radius Roles

      Y

      Click to map the RADIUS roles with local roles. See Radius roles.

    3. Click Save.

    Previous
    Next

    Remote authentication: RADIUS

    Remote authentication: RADIUS

    To configure your RADIUS server:
    1. Add the following vendor-specific attributes to the Fortinet dictionary file:
      Fortinet-Fpc-User-Role
      Fortinet-Fpc-Tenant-Identification

      For example, if you are using FreeRADIUS:

      #
#       Fortinet's VSAs
#

VENDOR        Fortinet                        12356

BEGIN-VENDOR  Fortinet
ATTRIBUTE     Fortinet-Group-Name                  1  string
ATTRIBUTE     Fortinet-Client-IP-Address           2  ipaddr
ATTRIBUTE     Fortinet-Vdom-Name                   3  string
ATTRIBUTE     Fortinet-Client-IPv6-Address         4  octets
ATTRIBUTE     Fortinet-Interface-Name              5  string
ATTRIBUTE     Fortinet-Access-Profile              6  string
ATTRIBUTE     Fortinet-Fpc-User-Role               40 string ###add this
ATTRIBUTE     Fortinet-Fpc-Tenant-Identification   41 string ###add this

#
# Integer Translations
#

END-VENDOR Fortinet
    2. To configure FortiPortal roles in the RADIUS server, use the following vendor-specific attribute. Specify multiple roles by using tab-separated values:
      VENDORATTR	12356	Fortinet-Fpc-User-Role	40	string

      A user will not be able to login to FortiPortal if the roles are not configured on the RADIUS server.

    3. To configure which sites will use RADIUS authentication, use the following vendor-specific attribute. You can specify multiple sites by using tab-separated values. If no sites are specified, users have access to all sites.

      VENDORATTR	12356	Fortinet-Fpc-Tenant-User-Sites	42	string

    4. Specify the customer identification, which is used to map a particular user to a customer profile. The RADIUS server will send one of the domain names specified in the Domains field of the customer settings, in the value of the new VSA.

      VENDORATTR	Fortinet-Fpc-Tenant-Identification	41	string
    To configure FortiPortal:

    1. Go to System > Settings > Authentication.

    2. Configure the settings as follows:

      Field

      Required

      Description

      Authentication Access

      N

      Set to Remote.

      Enable Two-factor Authentication

      N

      Enable or disable two-factor authentication (2FA).

      FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.

      For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

      Email information is mandatory for 2FA users.

      If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

      See Two-factor authentication in FortiPortal example.

      Remote Server

      Y

      Select Radius as the remote server type.

      Remote Server Port

      Y

      Enter the port for the authentication server (default is 443)

      Remote Server IP Address

      Y

      Enter the IP address of the authentication server.

      Remote Server Key

      Y

      Enter the secret key for REST API requests.

      Self Service Portal

      N

      Enter the URL of the RADIUS provider's user self service portal where users can manage their remote account settings, if applicable.

      Domains

      N

      Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.

      Remove domains by clicking the X next to the domain.

      Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

      The site administrator may allow administrative users to be defined in more than one authentication domain.

      Authentication Protocol

      Y

      Required. Select PAP, CHAP, or MSCHAPv2 authentication protocol.

      Site Attribute

      N

      Enter the attribute parameter name that specifies which sites the customer user can access.

      Select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

      You can select a different value if you define an attribute for a site on the RADIUS server.

      Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

      Tenant Identification Attribute

      N

      Enter or select a value that FortiPortal uses under RADIUS to map a user to a specific organization.

      For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send Fortinet in the authentication response.

      FortiPortal treats the attribute values from either RADIUS or SSO servers equally.

      View/Change Radius Roles

      Y

      Click to map the RADIUS roles with local roles. See Radius roles.

    3. Click Save.

    Previous
    Next