Remote authentication: RADIUS
To configure your RADIUS server:
- Add the following vendor-specific attributes to the Fortinet dictionary file:
Fortinet-Fpc-User-Role
Fortinet-Fpc-Tenant-Identification
Fortinet-Fpc-Tenant-User-Sites
For example, if you are using FreeRADIUS:
#
# Fortinet's VSAs
#
VENDOR Fortinet 12356

BEGIN-VENDOR Fortinet

ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
ATTRIBUTE Fortinet-Interface-Name 5 string
ATTRIBUTE Fortinet-Access-Profile 6 string
ATTRIBUTE Fortinet-Fpc-User-Role 40 string                ###add this
ATTRIBUTE Fortinet-Fpc-Tenant-Identification 41 string    ###add this
ATTRIBUTE Fortinet-Fpc-Tenant-User-Sites 42 string        ###add this

#
# Integer Translations
#

END-VENDOR Fortinet
In its RADIUS dictionary, FortiAuthenticator names vendor-specific attribute number 41 Fortinet-Tenant-Identification. It is functionally equivalent to Fortinet-Fpc-Tenant-Identification: the attribute names are only human-readable labels that describe the purpose of the attribute, while transmission and interpretation depend on the attribute number (41) and the vendor ID (12356).
- To configure FortiPortal roles in the RADIUS server, use the following vendor-specific attribute. Specify multiple roles by using tab-separated values:
VENDORATTR 12356 Fortinet-Fpc-User-Role 40 string
A user will not be able to log in to FortiPortal if no roles are configured for that user on the RADIUS server.
- To configure which sites a RADIUS-authenticated user can access, use the following vendor-specific attribute. You can specify multiple sites by using tab-separated values. If no sites are specified, the user has access to all sites.
VENDORATTR 12356 Fortinet-Fpc-Tenant-User-Sites 42 string
- To specify the customer identification, which maps a particular user to a customer profile, use the following vendor-specific attribute. The RADIUS server sends one of the domain names specified in the Domains field of the customer settings as the value of this VSA:
VENDORATTR 12356 Fortinet-Fpc-Tenant-Identification 41 string
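The following Python is an added illustration, not FortiPortal, FortiAuthenticator or FreeRADIUS code. It builds the Access-Accept a RADIUS server would return for one FortiPortal user with the three VSAs above, then shows what the receiving side has to do with it: verify the Response Authenticator with the shared secret before trusting any attribute, find the Fortinet VSAs by vendor ID 12356 and numbers 40/41/42 rather than by name, split the tab-separated role and site lists, refuse a login that carries no role, and grant all sites when no site list is returned. The shared secret, request authenticator, user roles, tenant domain and site names are constructed values.

```python
"""Fortinet VSA round trip for FortiPortal RADIUS authentication (added example).

Not FortiPortal or FreeRADIUS code.  A server builds an Access-Accept carrying
the three Fortinet-Fpc-* VSAs and the receiver verifies the Response
Authenticator with the shared secret before trusting them.  Secret, request
authenticator, roles, tenant and site names are constructed."""
import hashlib
import hmac
import struct

FORTINET_VENDOR_ID = 12356          # VENDOR Fortinet 12356 in the dictionary
FPC_USER_ROLE = 40                  # Fortinet-Fpc-User-Role
FPC_TENANT_IDENTIFICATION = 41      # Fortinet-Fpc-Tenant-Identification
FPC_TENANT_USER_SITES = 42          # Fortinet-Fpc-Tenant-User-Sites
ATTR_VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2

SECRET = b"constructed-shared-secret"   # constructed; must match on both sides
REQUEST_AUTH = bytes(range(16))         # stands in for the random Request Authenticator


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """RFC 2865 VSA: Type 26, Length, Vendor-Id, then Vendor-Type/Vendor-Length/String."""
    data = value.encode()
    if len(data) > 247:                 # 255 max attribute length minus 6 outer and 2 inner header bytes
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(inner) + 6, FORTINET_VENDOR_ID) + inner


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, vsas: dict) -> bytes:
    """Server side.  Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b"".join(encode_vsa(t, v) for t, v in vsas.items())
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_fortinet_vsas(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Client side.  Reject unauthenticated replies, then index Fortinet VSAs by
    vendor type number: the dictionary names are only labels for these numbers."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    found = {}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC and attrs[pos + 2:pos + 6] == struct.pack("!I", FORTINET_VENDOR_ID):
            inner, ipos = attrs[pos + 6:pos + alen], 0
            while ipos < len(inner):
                vtype, vlen = inner[ipos], inner[ipos + 1]
                if vlen < 2:
                    raise ValueError("malformed VSA")
                found[vtype] = inner[ipos + 2:ipos + vlen].decode()
                ipos += vlen
        pos += alen
    return found


def authorize(vsas: dict) -> dict:
    """Apply the guide's rules: no role means the login is refused; an absent or
    empty site list means every site the organization owns."""
    roles = [r for r in vsas.get(FPC_USER_ROLE, "").split("\t") if r]
    if not roles:
        raise PermissionError("no Fortinet-Fpc-User-Role in reply; login refused")
    sites = [s for s in vsas.get(FPC_TENANT_USER_SITES, "").split("\t") if s]
    return {"roles": roles,
            "tenant": vsas.get(FPC_TENANT_IDENTIFICATION),   # one of the customer's Domains
            "sites": sites or "ALL"}


def demo_success() -> dict:
    reply = build_access_accept(7, REQUEST_AUTH, SECRET, {
        FPC_USER_ROLE: "Admin\tReadOnly",            # tab-separated: two roles
        FPC_TENANT_IDENTIFICATION: "example.com",    # constructed tenant domain
        FPC_TENANT_USER_SITES: "site-a\tsite-b"})    # constructed site names
    return authorize(parse_fortinet_vsas(reply, REQUEST_AUTH, SECRET))


def demo_failures() -> list:
    """A reply signed with another secret and a reply with no role are refused;
    a reply with no site list is allowed and grants all sites."""
    outcomes = []
    reply = build_access_accept(8, REQUEST_AUTH, SECRET, {
        FPC_USER_ROLE: "Admin", FPC_TENANT_IDENTIFICATION: "example.com"})
    try:
        parse_fortinet_vsas(reply, REQUEST_AUTH, b"wrong-secret")
    except ValueError as e:
        outcomes.append("rejected: " + str(e))
    try:
        authorize({FPC_TENANT_IDENTIFICATION: "example.com"})
    except PermissionError as e:
        outcomes.append("refused: " + str(e))
    outcomes.append(authorize(parse_fortinet_vsas(reply, REQUEST_AUTH, SECRET))["sites"])
    return outcomes


if __name__ == "__main__":
    print(demo_success())
    print(demo_failures())
```

On a real FreeRADIUS server the same reply is produced by listing the attributes as reply items for the user (for example in the users file), where a double-quoted value such as "Admin\tReadOnly" uses the \t escape to produce the tab separator the guide requires. The Response Authenticator check is the only thing that ties the reply to the shared secret, which is why the secret entered in FortiPortal must match the one configured for FortiPortal as a client on the RADIUS server.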
To configure FortiPortal:
- Go to System > Settings > Authentication.
- Configure the settings as follows:

| Field | Required | Description |
|---|---|---|
| Authentication Access | N | Set to Remote. |
| | N | Enable or disable two-factor authentication (2FA). FortiPortal only supports the FortiToken Mobile application as the 2FA method; SMS and email are not supported. For 2FA, a FortiToken license must be applied and registered in the same account where the FortiPortal license is registered. Email information is mandatory for 2FA users. If the user name is the email address and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification. |
| Remote Server | Y | Select Radius as the remote server type. |
| Remote Server Port | Y | Enter the port on which the RADIUS server accepts authentication requests. The default shown here is 443, which is an HTTPS port rather than a RADIUS one; standard RADIUS authentication uses UDP port 1812 (1645 on legacy deployments), so set this to match your server. |
| Remote Server IP Address | Y | Enter the IP address of the authentication server. |
| Remote Server Key | Y | Enter the secret key. For a RADIUS server this is the shared secret configured for FortiPortal as a client on that server; it must match exactly, because it authenticates the server's replies and, with PAP, obscures the user password in the request. |
| Self Service Portal | N | Enter the URL of the RADIUS provider's user self-service portal where users can manage their remote account settings, if applicable. |
| Domains | N | Enter a domain and then press Enter or click the Create <name> link displayed as you type; the new domain appears in the field. Remove a domain by clicking the X next to it. Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General. The site administrator may allow administrative users to be defined in more than one authentication domain. |
| Authentication Protocol | Y | Select the PAP, CHAP, or MSCHAPv2 authentication protocol. The choice must match what the RADIUS server's password store supports: CHAP needs the server to hold cleartext passwords and MSCHAPv2 needs cleartext or NT-hash passwords, while PAP works with any stored hash but carries the password in the request protected only by the shared secret, so keep the RADIUS path on a trusted network. |
| Site Attribute | N | Select the attribute that specifies which sites the customer user can access. By default, Fortinet-Fpc-Tenant-User-Sites is available; select a different value if you defined another site attribute on the RADIUS server. Note: if the Site Attribute is empty, the customer user is assigned all the sites owned by the organization. |
| Tenant Identification Attribute | N | Enter or select the attribute that FortiPortal uses under RADIUS to map a user to a specific organization. For a RADIUS server, this is a Fortinet vendor-specific attribute (Fortinet-Fpc-Tenant-Identification in the RADIUS server configuration above), which the server sends in the authentication response. FortiPortal treats the attribute values from either RADIUS or SSO servers equally. |
| View/Change Radius Roles | Y | Click to map the RADIUS roles to local roles. See Radius roles. |

- Click Save.