CLI Reference

config user radius

Configure RADIUS server entries.

config user radius
    Description: Configure RADIUS server entries.
    edit <name>
        set server {string}
        set secret {password}
        set secondary-server {string}
        set secondary-secret {password}
        set tertiary-server {string}
        set tertiary-secret {password}
        set timeout {integer}
        set status-ttl {integer}
        set all-usergroup [disable|enable]
        set use-management-vdom [enable|disable]
        set nas-ip {ipv4-address}
        set nas-id-type [legacy|custom|...]
        set call-station-id-type [legacy|IP|...]
        set nas-id {string}
        set acct-interim-interval {integer}
        set radius-coa [enable|disable]
        set radius-port {integer}
        set h3c-compatibility [enable|disable]
        set auth-type [auto|ms_chap_v2|...]
        set source-ip {string}
        set username-case-sensitive [enable|disable]
        set group-override-attr-type [filter-Id|class]
        set class <name1>, <name2>, ...
        set password-renewal [enable|disable]
        set password-encoding [auto|ISO-8859-1]
        set mac-username-delimiter [hyphen|single-hyphen|...]
        set mac-password-delimiter [hyphen|single-hyphen|...]
        set mac-case [uppercase|lowercase]
        set acct-all-servers [enable|disable]
        set switch-controller-acct-fast-framedip-detect {integer}
        set interface-select-method [auto|specify]
        set interface {string}
        set switch-controller-service-type {option1}, {option2}, ...
        set transport-protocol [udp|tcp|...]
        set tls-min-proto-version [default|SSLv3|...]
        set ca-cert {string}
        set client-cert {string}
        set server-identity-check [enable|disable]
        set account-key-processing [same|strip]
        set account-key-cert-field [othername|rfc822name|...]
        set rsso [enable|disable]
        set rsso-radius-server-port {integer}
        set rsso-radius-response [enable|disable]
        set rsso-validate-request-secret [enable|disable]
        set rsso-secret {password}
        set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
        set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute-key {string}
        set sso-attribute-value-override [enable|disable]
        set rsso-context-timeout {integer}
        set rsso-log-period {integer}
        set rsso-log-flags {option1}, {option2}, ...
        set rsso-flush-ip-session [enable|disable]
        set rsso-ep-one-ip-only [enable|disable]
        set delimiter [plus|comma]
        config accounting-server
            Description: Additional accounting servers.
            edit <id>
                set status [enable|disable]
                set server {string}
                set secret {password}
                set port {integer}
                set source-ip {string}
                set interface-select-method [auto|specify]
                set interface {string}
            next
        end
    next
end

config user radius

Each parameter is listed below with its description, type, size and default value.

name
    Description: RADIUS server entry name.
    Type: string
    Size: Maximum length 35

server
    Description: Primary RADIUS server CN domain name or IP address.
    Type: string
    Size: Maximum length 63

secret
    Description: Pre-shared secret key used to access the primary RADIUS server.
    Type: password
    Size: Not Specified

secondary-server
    Description: Secondary RADIUS server CN domain name or IP address.
    Type: string
    Size: Maximum length 63

secondary-secret
    Description: Secret key used to access the secondary server.
    Type: password
    Size: Not Specified

tertiary-server
    Description: Tertiary RADIUS server CN domain name or IP address.
    Type: string
    Size: Maximum length 63

tertiary-secret
    Description: Secret key used to access the tertiary server.
    Type: password
    Size: Not Specified

timeout
    Description: Time in seconds to wait before retrying the connection to the server.
    Type: integer
    Size: Minimum value 1, Maximum value 300
    Default: 5

status-ttl
    Description: Time for which server reachability is cached, so that an unreachable server is not retried for at least this period.
    Type: integer
    Size: Minimum value 0, Maximum value 600
    Default: 300

all-usergroup
    Description: Enable/disable automatically including this RADIUS server in all user groups.
    Type: option
    Default: disable
    Options:
        disable: Do not automatically include this server in a user group.
        enable: Include this RADIUS server in every user group.

use-management-vdom
    Description: Enable/disable using the management VDOM to send requests.
    Type: option
    Default: disable
    Options:
        enable: Send requests using the management VDOM.
        disable: Send requests using the current VDOM.

nas-ip
    Description: IP address used to communicate with the RADIUS server and used as the NAS-IP-Address and Called-Station-ID attributes.
    Type: ipv4-address
    Size: Not Specified
    Default: 0.0.0.0

nas-id-type
    Description: NAS identifier type configuration.
    Type: option
    Default: legacy
    Options:
        legacy: NAS-ID value is the value previously used by each daemon.
        custom: NAS-ID value is customized.
        hostname: NAS-ID value is the hostname, or the HA group name if applicable.

call-station-id-type
    Description: Calling and Called station identifier type configuration; this option is not available for 802.1X authentication.
    Type: option
    Default: legacy
    Options:
        legacy: Calling and Called station identifier is the value previously used by each daemon.
        IP: Calling and Called station identifier is the IP address.
        MAC: Calling and Called station identifier is the MAC address.

nas-id
    Description: Custom NAS identifier.
    Type: string
    Size: Maximum length 255

acct-interim-interval
    Description: Time in seconds between each accounting interim update message.
    Type: integer
    Size: Minimum value 60, Maximum value 86400
    Default: 0

radius-coa
    Description: Enable/disable RADIUS Change of Authorization (CoA), a mechanism that changes the attributes of an authentication, authorization, and accounting session after it has been authenticated.
    Type: option
    Default: disable
    Options:
        enable: Enable RADIUS CoA.
        disable: Disable RADIUS CoA.

radius-port
    Description: RADIUS service port number.
    Type: integer
    Size: Minimum value 0, Maximum value 65535
    Default: 0

h3c-compatibility
    Description: Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication.
    Type: option
    Default: disable
    Options:
        enable: Enable H3C compatibility.
        disable: Disable H3C compatibility.

auth-type
    Description: Authentication methods/protocols permitted for this RADIUS server.
    Type: option
    Default: auto
    Options:
        auto: Use PAP, MSCHAP_v2, and CHAP (in that order).
        ms_chap_v2: Microsoft Challenge Handshake Authentication Protocol version 2.
        ms_chap: Microsoft Challenge Handshake Authentication Protocol.
        chap: Challenge Handshake Authentication Protocol.
        pap: Password Authentication Protocol.

source-ip
    Description: Source IP address for communications to the RADIUS server.
    Type: string
    Size: Maximum length 63

username-case-sensitive
    Description: Enable/disable case-sensitive user names.
    Type: option
    Default: disable
    Options:
        enable: Treat user names as case-sensitive.
        disable: Treat user names as case-insensitive.

group-override-attr-type
    Description: RADIUS attribute type used to override user group information.
    Type: option
    Options:
        filter-Id: Filter-Id
        class: Class

class <name>
    Description: Class attribute name(s); each entry is one class name.
    Type: string
    Size: Maximum length 79

password-renewal
    Description: Enable/disable password renewal.
    Type: option
    Default: enable
    Options:
        enable: Enable password renewal.
        disable: Disable password renewal.

password-encoding
    Description: Password encoding.
    Type: option
    Default: auto
    Options:
        auto: Use the original password encoding.
        ISO-8859-1: Use ISO-8859-1 password encoding.

mac-username-delimiter
    Description: MAC authentication username delimiter.
    Type: option
    Default: hyphen
    Options:
        hyphen: Use hyphen as delimiter for the MAC authentication username.
        single-hyphen: Use a single hyphen as delimiter for the MAC authentication username.
        colon: Use colon as delimiter for the MAC authentication username.
        none: No delimiter for the MAC authentication username.

mac-password-delimiter
    Description: MAC authentication password delimiter.
    Type: option
    Default: hyphen
    Options:
        hyphen: Use hyphen as delimiter for the MAC authentication password.
        single-hyphen: Use a single hyphen as delimiter for the MAC authentication password.
        colon: Use colon as delimiter for the MAC authentication password.
        none: No delimiter for the MAC authentication password.

mac-case
    Description: MAC authentication case.
    Type: option
    Default: lowercase
    Options:
        uppercase: Use uppercase MAC.
        lowercase: Use lowercase MAC.

acct-all-servers
    Description: Enable/disable sending of accounting messages to all configured servers.
    Type: option
    Default: disable
    Options:
        enable: Send accounting messages to all configured servers.
        disable: Send accounting messages only to servers that are confirmed to be reachable.

switch-controller-acct-fast-framedip-detect
    Description: Switch controller accounting message Framed-IP detection from DHCP snooping.
    Type: integer
    Size: Minimum value 2, Maximum value 600
    Default: 2

interface-select-method
    Description: Specify how to select the outgoing interface to reach the server.
    Type: option
    Default: auto
    Options:
        auto: Set outgoing interface automatically.
        specify: Set outgoing interface manually.

interface
    Description: Specify the outgoing interface to reach the server.
    Type: string
    Size: Maximum length 15

switch-controller-service-type
    Description: RADIUS service type.
    Type: option
    Options:
        login: User should be connected to a host.
        framed: User uses a Framed Protocol.
        callback-login: User disconnected and called back.
        callback-framed: User disconnected and called back, then a Framed Protocol.
        outbound: User granted access to outgoing devices.
        administrative: User granted access to the administrative unsigned interface.
        nas-prompt: User provided a command prompt on the NAS.
        authenticate-only: Authentication requested, and no auth info needs to be returned.
        callback-nas-prompt: User disconnected and called back, then provided a command prompt.
        call-check: Used by the NAS in an Access-Request packet; the server's Access-Accept answers the call.
        callback-administrative: User disconnected and called back, granted access to the admin unsigned interface.

transport-protocol
    Description: Transport protocol to be used.
    Type: option
    Default: udp
    Options:
        udp: UDP.
        tcp: TCP.
        tls: TLS over TCP.

tls-min-proto-version
    Description: Minimum supported protocol version for TLS connections.
    Type: option
    Default: default
    Options:
        default: Follow the system global setting.
        SSLv3: SSLv3.
        TLSv1: TLSv1.
        TLSv1-1: TLSv1.1.
        TLSv1-2: TLSv1.2.
        TLSv1-3: TLSv1.3.

ca-cert
    Description: CA of the server to trust under TLS.
    Type: string
    Size: Maximum length 79

client-cert
    Description: Client certificate to use under TLS.
    Type: string
    Size: Maximum length 35

server-identity-check
    Description: Enable/disable the RADIUS server identity check (verify the server domain name/IP address against the server certificate).
    Type: option
    Default: enable
    Options:
        enable: Enable server identity check.
        disable: Disable server identity check.

account-key-processing
    Description: Account key processing operation. The FortiGate either keeps the whole domain or strips the domain from the subject identity.
    Type: option
    Default: same
    Options:
        same: Same as subject identity field.
        strip: Strip domain string from subject identity field.

account-key-cert-field
    Description: Define the subject identity field in the certificate used for user access right checking.
    Type: option
    Default: othername
    Options:
        othername: Other name in SAN.
        rfc822name: RFC822 email address in SAN.
        dnsname: DNS name in SAN.
        cn: CN in subject.

rsso
    Description: Enable/disable the RADIUS-based single sign-on feature.
    Type: option
    Default: disable
    Options:
        enable: Enable RADIUS-based single sign-on.
        disable: Disable RADIUS-based single sign-on.

rsso-radius-server-port
    Description: UDP port to listen on for RADIUS Start and Stop records.
    Type: integer
    Size: Minimum value 0, Maximum value 65535
    Default: 1813

rsso-radius-response
    Description: Enable/disable sending RADIUS response packets after receiving Start and Stop records.
    Type: option
    Default: disable
    Options:
        enable: Enable sending RADIUS response packets.
        disable: Disable sending RADIUS response packets.

rsso-validate-request-secret
    Description: Enable/disable validating the RADIUS request shared secret in the Start or End record.
    Type: option
    Default: disable
    Options:
        enable: Enable validating the RADIUS request shared secret.
        disable: Disable validating the RADIUS request shared secret.

rsso-secret
    Description: RADIUS secret used by the RADIUS accounting server.
    Type: password
    Size: Not Specified

rsso-endpoint-attribute
    Description: RADIUS attribute used to extract the user endpoint identifier from the RADIUS Start record.
    Type: option
    Default: Calling-Station-Id
    Options (each selects that attribute): User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id.

rsso-endpoint-block-attribute
    Description: RADIUS attribute used to block a user.
    Type: option
    Options (each selects that attribute): the same attribute list as rsso-endpoint-attribute.

sso-attribute
    Description: RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
    Type: option
    Default: Class
    Options (each selects that attribute): the same attribute list as rsso-endpoint-attribute.

sso-attribute-key
    Description: Key prefix for the SSO group value in the SSO attribute.
    Type: string
    Size: Maximum length 35

sso-attribute-value-override
    Description: Enable/disable overriding the old attribute value with the new value for the same endpoint.
    Type: option
    Default: enable
    Options:
        enable: Override the old attribute value with the new value for the same endpoint.
        disable: Keep the old attribute value for the same endpoint.

rsso-context-timeout
    Description: Time in seconds before a logged-out user is removed from the "user context list" of logged-on users.
    Type: integer
    Size: Minimum value 0, Maximum value 4294967295
    Default: 28800

rsso-log-period
    Description: Time interval in seconds at which group event log messages are generated for dynamic profile events.
    Type: integer
    Size: Minimum value 0, Maximum value 4294967295
    Default: 0

rsso-log-flags
    Description: Events to log.
    Type: option
    Default: protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
    Options (each enables that log type): protocol-error, profile-missing, accounting-stop-missed, accounting-event, endpoint-block, radiusd-other. The option none disables all logging.

rsso-flush-ip-session
    Description: Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
    Type: option
    Default: disable
    Options:
        enable: Flush user IP sessions on RADIUS accounting Stop.
        disable: Do not flush user IP sessions on RADIUS accounting Stop.

rsso-ep-one-ip-only
    Description: Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
    Type: option
    Default: disable
    Options:
        enable: Replace the old IP address with the new IP address for the same endpoint on RADIUS accounting Start.
        disable: Do not replace the old IP address for the same endpoint on RADIUS accounting Start.

delimiter
    Description: Delimiter used to separate profile group names in the SSO attribute.
    Type: option
    Default: plus
    Options:
        plus: Plus character "+".
        comma: Comma character ",".
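The rsso-validate-request-secret, rsso-endpoint-attribute, sso-attribute, sso-attribute-key and delimiter settings above govern how an accounting Start record is checked and then parsed. The Python below is an added example, not Fortinet code: it builds a constructed Accounting-Request, verifies its Request Authenticator against the shared secret the way RFC 2866 defines it, and extracts the endpoint and group values using the CLI defaults; the attribute numbers come from RFC 2865/2866, and treating sso-attribute-key as a literal prefix that is stripped is an assumption of this example.

```python
import hashlib
import hmac
import struct

# RADIUS attribute type numbers (RFC 2865/2866) for the attributes used below.
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ACCOUNTING_REQUEST = 4                      # RADIUS Code for Accounting-Request
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(identifier, secret, attributes):
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret),
    as RFC 2866 section 3 requires."""
    body = b"".join(struct.pack("!BB", ATTR[name], len(value) + 2) + value
                    for name, value in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def validate_request_secret(packet, secret):
    """What rsso-validate-request-secret enables: recompute the Request
    Authenticator with our copy of the shared secret and compare it in
    constant time. A record from a sender without the secret, or one
    altered in transit, fails here."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(body):
    """Walk the Type/Length/Value list; an attribute may occur more than once."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("attribute length out of range")
        name = ATTR_NAME.get(attr_type, attr_type)
        attrs.setdefault(name, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def extract_rsso(packet, secret, validate_secret=True,
                 endpoint_attribute="Calling-Station-Id", sso_attribute="Class",
                 sso_attribute_key="", delimiter="+"):
    """Apply the rsso-* settings to one accounting record. The defaults are the
    CLI defaults (Calling-Station-Id, Class, plus). Treating sso-attribute-key
    as a literal prefix that must be present and is stripped is an assumption
    of this example, not documented FortiGate behaviour."""
    if validate_secret and not validate_request_secret(packet, secret):
        raise ValueError("Request Authenticator does not match the shared secret")
    attrs = parse_attributes(packet[20:])
    status = struct.unpack("!I", attrs["Acct-Status-Type"][0])[0]
    endpoint = attrs[endpoint_attribute][0].decode("ascii")
    groups = []
    for raw in attrs.get(sso_attribute, []):
        value = raw.decode("ascii")
        if sso_attribute_key:
            if not value.startswith(sso_attribute_key):
                continue                      # not a group-carrying value
            value = value[len(sso_attribute_key):]
        groups.extend(g for g in value.split(delimiter) if g)
    return {"status": ACCT_STATUS.get(status, status),
            "endpoint": endpoint, "groups": groups}


# Constructed sample: a Start record as an access switch might send it.
SECRET = b"constructed-shared-secret"
START_RECORD = build_accounting_request(7, SECRET, [
    ("User-Name", b"alice"),
    ("Framed-IP-Address", bytes([10, 1, 2, 3])),
    ("Calling-Station-Id", b"00-11-22-33-44-55"),
    ("Class", b"FGT=sales+engineering"),       # key prefix, two groups
    ("Class", b"opaque-session-cookie"),       # unrelated Class value, ignored
    ("Acct-Status-Type", struct.pack("!I", 1)),
    ("Acct-Session-Id", b"sess-0001"),
])
# The same bytes with the group name changed in transit (same length).
TAMPERED_RECORD = START_RECORD.replace(b"sales", b"admin")


def demo():
    """Show the difference the secret check makes on the constructed records."""
    genuine = extract_rsso(START_RECORD, SECRET, sso_attribute_key="FGT=")
    rejected = not validate_request_secret(TAMPERED_RECORD, SECRET)
    # With rsso-validate-request-secret disabled the altered groups are accepted.
    unchecked = extract_rsso(TAMPERED_RECORD, SECRET, validate_secret=False,
                             sso_attribute_key="FGT=")
    return genuine, rejected, unchecked["groups"]


if __name__ == "__main__":
    print(demo())
```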

config accounting-server

Each parameter is listed below with its description, type, size and default value.

id
    Description: ID.
    Type: integer
    Size: Minimum value 0, Maximum value 4294967295
    Default: 0

status
    Description: Status.
    Type: option
    Default: disable
    Options:
        enable: Log to remote syslog server.
        disable: Do not log to remote syslog server.

server
    Description: Server CN domain name or IP address.
    Type: string
    Size: Maximum length 63

secret
    Description: Secret key.
    Type: password
    Size: Not Specified

port
    Description: RADIUS accounting port number.
    Type: integer
    Size: Minimum value 0, Maximum value 65535
    Default: 0

source-ip
    Description: Source IP address for communications to the RADIUS server.
    Type: string
    Size: Maximum length 63

interface-select-method
    Description: Specify how to select the outgoing interface to reach the server.
    Type: option
    Default: auto
    Options:
        auto: Set outgoing interface automatically.
        specify: Set outgoing interface manually.

interface
    Description: Specify the outgoing interface to reach the server.
    Type: string
    Size: Maximum length 15


integer

Minimum value: 0 Maximum value: 4294967295

0

rsso-log-flags

Events to log.

option

-

protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other

Option

Description

protocol-error

Enable this log type.

profile-missing

Enable this log type.

accounting-stop-missed

Enable this log type.

accounting-event

Enable this log type.

endpoint-block

Enable this log type.

radiusd-other

Enable this log type.

none

Disable all logging.

rsso-flush-ip-session

Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.

option

-

disable

Option

Description

enable

Enable flush user IP sessions on RADIUS accounting stop.

disable

Disable flush user IP sessions on RADIUS accounting stop.

rsso-ep-one-ip-only

Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

option

-

disable

Option

Description

enable

Enable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.

disable

Disable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.

delimiter

Configure delimiter to be used for separating profile group names in the SSO attribute.

option

-

plus

Option

Description

plus

Plus character "+".

comma

Comma character ",".

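As an added example (not from the Fortinet reference itself, and not a Fortinet-supplied configuration), the RSSO parameters above combined into one collector entry in FortiOS CLI syntax, together with the `config accounting-server` sub-table. The entry name `rsso-collector`, the secret placeholders, the accounting-server address 203.0.113.10 and the `#` annotation lines are assumptions of this example; FortiOS does not accept `#` comment lines, so drop them before pasting. The two defaults worth changing from a defender's view are `rsso-validate-request-secret`, whose default `disable` means incoming Start/End records are not checked against the shared secret, and `rsso-log-flags`, which is kept at its full default set so that protocol errors, missing profiles and missed accounting Stops are logged rather than silenced with `none`.

```fortios
# Added example: RSSO collector entry under "config user radius".
# Assumed values: entry name, secret placeholders, 203.0.113.10 (documentation range).
config user radius
    edit "rsso-collector"
        # Turn on the RSSO agent; the rsso-* settings below apply only with it enabled.
        set rsso enable
        # Shared secret expected from the RADIUS accounting server (replace the placeholder).
        set rsso-secret "<accounting-shared-secret>"
        # Default is disable: Start/End records would then be accepted without
        # the shared secret being checked. Enable it.
        set rsso-validate-request-secret enable
        # Attribute that identifies the endpoint (the table's default).
        set rsso-endpoint-attribute Calling-Station-Id
        # Attribute carrying the profile group name, and the delimiter between group names.
        set sso-attribute Class
        set delimiter plus
        # When the same endpoint logs on again, keep the newest group value.
        set sso-attribute-value-override enable
        # Drop logged-out users from the user context list after 8 hours (the default).
        set rsso-context-timeout 28800
        # Full default event set; "none" would disable all RSSO logging.
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        # On accounting Stop, tear down the user's IP sessions; on Start,
        # replace a stale IP address recorded for the same endpoint.
        set rsso-flush-ip-session enable
        set rsso-ep-one-ip-only enable
        # Additional accounting server from the "config accounting-server" sub-table.
        # 1813 is the standard RADIUS accounting port; the table's default is 0.
        config accounting-server
            edit 1
                set status enable
                set server "203.0.113.10"
                set secret "<accounting-server-secret>"
                set port 1813
            next
        end
    next
end
```

Both `rsso-flush-ip-session` and `rsso-ep-one-ip-only` default to `disable`; enabling them is a design choice for environments where an endpoint's address is reassigned quickly (DHCP on wireless, for example), so that a policy decision made for the previous holder of the address does not outlive the accounting Stop.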
config accounting-server

id
    Description: ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
    Default: 0

status
    Description: Status.
    Type: option
    Size: -
    Default: disable
    Options:
        enable    Log to remote syslog server.
        disable   Do not log to remote syslog server.

server
    Description: Server CN domain name or IP address.
    Type: string
    Size: Maximum length: 63

secret
    Description: Secret key.
    Type: password
    Default: Not Specified

port
    Description: RADIUS accounting port number.
    Type: integer
    Size: Minimum value: 0 Maximum value: 65535
    Default: 0

source-ip
    Description: Source IP address for communications to the RADIUS server.
    Type: string
    Size: Maximum length: 63

interface-select-method
    Description: Specify how to select outgoing interface to reach server.
    Type: option
    Size: -
    Default: auto
    Options:
        auto      Set outgoing interface automatically.
        specify   Set outgoing interface manually.

interface
    Description: Specify outgoing interface to reach server.
    Type: string
    Size: Maximum length: 15