Fortinet white logo
Fortinet white logo

Administration Guide

Remote authentication: RADIUS

Remote authentication: RADIUS

To configure your RADIUS server:
  1. Add the following vendor-specific attributes to the Fortinet dictionary file:
    Fortinet-Fpc-User-Role
    Fortinet-Fpc-Tenant-Identification
    Fortinet-Fpc-Tenant-User-Sites

    For example, if you are using FreeRADIUS:

    #
    #       Fortinet's VSAs
    #
    
    VENDOR        Fortinet                        12356
    
    BEGIN-VENDOR  Fortinet
    ATTRIBUTE     Fortinet-Group-Name                  1  string
    ATTRIBUTE     Fortinet-Client-IP-Address           2  ipaddr
    ATTRIBUTE     Fortinet-Vdom-Name                   3  string
    ATTRIBUTE     Fortinet-Client-IPv6-Address         4  octets
    ATTRIBUTE     Fortinet-Interface-Name              5  string
    ATTRIBUTE     Fortinet-Access-Profile              6  string
    ATTRIBUTE     Fortinet-Fpc-User-Role               40 string ###add this
    ATTRIBUTE     Fortinet-Fpc-Tenant-Identification   41 string ###add this
    ATTRIBUTE     Fortinet-Fpc-Tenant-User-Sites       42 string ###add this
    
    #
    # Integer Translations
    #
    
    END-VENDOR Fortinet
    Note

    In the RADIUS dictionary, FortiAuthenticator uses vendor-specific attribute Fortinet-Tenant-Identification, designated as attribute number 41. This attribute is functionally equivalent to Fortinet-Fpc-Tenant-Identification.

    The attribute names serve as human-readable labels to describe the purpose or function of the attribute. The actual data transmission and interpretation rely on the associated attribute number and vendor identification.

  2. To configure FortiPortal roles in the RADIUS server, use the following vendor-specific attribute. Specify multiple roles by using tab-separated values:
    VENDORATTR	12356	Fortinet-Fpc-User-Role	40	string

    A user will not be able to login to FortiPortal if the roles are not configured on the RADIUS server.

  3. To configure which sites will use RADIUS authentication, use the following vendor-specific attribute. You can specify multiple sites by using tab-separated values. If no sites are specified, users have access to all sites.

    VENDORATTR	12356	Fortinet-Fpc-Tenant-User-Sites	42	string
  4. Specify the customer identification, which is used to map a particular user to a customer profile. The RADIUS server will send one of the domain names specified in the Domains field of the customer settings, in the value of the new VSA.

    VENDORATTR	Fortinet-Fpc-Tenant-Identification	41	string
To configure FortiPortal:
  1. Go to System > Settings > Authentication.

  2. Configure the settings as follows:

    Field

    Required

    Description

    Authentication Access

    N

    Set to Remote.

    Enable Two-factor Authentication

    N

    Enable or disable two-factor authentication (2FA).

    FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.

    For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

    Email information is mandatory for 2FA users.

    If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

    See Two-factor authentication in FortiPortal example.

    Remote Server

    Y

    Select Radius as the remote server type.

    Remote Server Port

    Y

    Enter the port for the authentication server (default is 443)

    Remote Server IP Address

    Y

    Enter the IP address of the authentication server.

    Remote Server Key

    Y

    Enter the secret key for REST API requests.

    Self Service Portal

    N

    Enter the URL of the RADIUS provider's user self service portal where users can manage their remote account settings, if applicable.

    Domains

    N

    Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.

    Remove domains by clicking the X next to the domain.

    Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

    The site administrator may allow administrative users to be defined in more than one authentication domain.

    Authentication Protocol

    Y

    Required. Select PAP, CHAP, or MSCHAPv2 authentication protocol.

    Site Attribute

    N

    Enter the attribute parameter name that specifies which sites the customer user can access.

    Select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

    You can select a different value if you define an attribute for a site on the RADIUS server.

    Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

    Tenant Identification Attribute

    N

    Enter or select a value that FortiPortal uses under RADIUS to map a user to a specific organization.

    For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send Fortinet in the authentication response.

    FortiPortal treats the attribute values from either RADIUS or SSO servers equally.

    View/Change Radius Roles

    Y

    Click to map the RADIUS roles with local roles. See Radius roles.

  3. Click Save.

Remote authentication: RADIUS

Remote authentication: RADIUS

To configure your RADIUS server:
  1. Add the following vendor-specific attributes to the Fortinet dictionary file:
    Fortinet-Fpc-User-Role
    Fortinet-Fpc-Tenant-Identification
    Fortinet-Fpc-Tenant-User-Sites

    For example, if you are using FreeRADIUS:

    #
    #       Fortinet's VSAs
    #
    
    VENDOR        Fortinet                        12356
    
    BEGIN-VENDOR  Fortinet
    ATTRIBUTE     Fortinet-Group-Name                  1  string
    ATTRIBUTE     Fortinet-Client-IP-Address           2  ipaddr
    ATTRIBUTE     Fortinet-Vdom-Name                   3  string
    ATTRIBUTE     Fortinet-Client-IPv6-Address         4  octets
    ATTRIBUTE     Fortinet-Interface-Name              5  string
    ATTRIBUTE     Fortinet-Access-Profile              6  string
    ATTRIBUTE     Fortinet-Fpc-User-Role               40 string ###add this
    ATTRIBUTE     Fortinet-Fpc-Tenant-Identification   41 string ###add this
    ATTRIBUTE     Fortinet-Fpc-Tenant-User-Sites       42 string ###add this
    
    #
    # Integer Translations
    #
    
    END-VENDOR Fortinet
    Note

    In the RADIUS dictionary, FortiAuthenticator uses vendor-specific attribute Fortinet-Tenant-Identification, designated as attribute number 41. This attribute is functionally equivalent to Fortinet-Fpc-Tenant-Identification.

    The attribute names serve as human-readable labels to describe the purpose or function of the attribute. The actual data transmission and interpretation rely on the associated attribute number and vendor identification.

  2. To configure FortiPortal roles in the RADIUS server, use the following vendor-specific attribute. Specify multiple roles by using tab-separated values:
    VENDORATTR	12356	Fortinet-Fpc-User-Role	40	string

    A user will not be able to login to FortiPortal if the roles are not configured on the RADIUS server.

  3. To configure which sites will use RADIUS authentication, use the following vendor-specific attribute. You can specify multiple sites by using tab-separated values. If no sites are specified, users have access to all sites.

    VENDORATTR	12356	Fortinet-Fpc-Tenant-User-Sites	42	string
  4. Specify the customer identification, which is used to map a particular user to a customer profile. The RADIUS server will send one of the domain names specified in the Domains field of the customer settings, in the value of the new VSA.

    VENDORATTR	Fortinet-Fpc-Tenant-Identification	41	string
To configure FortiPortal:
  1. Go to System > Settings > Authentication.

  2. Configure the settings as follows:

    Field

    Required

    Description

    Authentication Access

    N

    Set to Remote.

    Enable Two-factor Authentication

    N

    Enable or disable two-factor authentication (2FA).

    FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.

    For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

    Email information is mandatory for 2FA users.

    If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

    See Two-factor authentication in FortiPortal example.

    Remote Server

    Y

    Select Radius as the remote server type.

    Remote Server Port

    Y

    Enter the port for the authentication server (default is 443)

    Remote Server IP Address

    Y

    Enter the IP address of the authentication server.

    Remote Server Key

    Y

    Enter the secret key for REST API requests.

    Self Service Portal

    N

    Enter the URL of the RADIUS provider's user self service portal where users can manage their remote account settings, if applicable.

    Domains

    N

    Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.

    Remove domains by clicking the X next to the domain.

    Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

    The site administrator may allow administrative users to be defined in more than one authentication domain.

    Authentication Protocol

    Y

    Required. Select PAP, CHAP, or MSCHAPv2 authentication protocol.

    Site Attribute

    N

    Enter the attribute parameter name that specifies which sites the customer user can access.

    Select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

    You can select a different value if you define an attribute for a site on the RADIUS server.

    Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

    Tenant Identification Attribute

    N

    Enter or select a value that FortiPortal uses under RADIUS to map a user to a specific organization.

    For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send Fortinet in the authentication response.

    FortiPortal treats the attribute values from either RADIUS or SSO servers equally.

    View/Change Radius Roles

    Y

    Click to map the RADIUS roles with local roles. See Radius roles.

  3. Click Save.