Administration Guide

Configuring FortiSASE with a RADIUS server for remote user authentication

The RADIUS server must be reachable from the public internet.

  • If the RADIUS server is behind a firewall, ensure that port 1812 for authentication is open and correctly forwarded. The RADIUS server must have the NAS IP address configured in its list of authorized NAS clients. FortiSASE sends its requests from a public IP address, as listed in Appendix A - FortiSASE data centers.
  • If the RADIUS server is behind a device that can take traffic captures, it is recommended to capture the RADIUS authentication exchange to identify the NAS IP address that FortiSASE uses to make the request.
  • If the RADIUS server is a FortiAuthenticator, you must configure the identified NAS IP address as a valid NAS client in the RADIUS Service section.
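If a capture of the exchange is available, the NAS IP address that must be authorized and whether the shared secret matches can both be read from the Access-Request itself. The following is an added example, not Fortinet code: it builds a constructed Access-Request (the secret, user name and the placeholder NAS address 203.0.113.10 are all made up; the real NAS addresses are those in Appendix A), extracts the NAS-IP-Address attribute, and checks the RFC 3579 Message-Authenticator with a candidate secret.

```python
import hashlib, hmac, socket, struct

ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS, MSG_AUTH = 1, 1, 4, 80
def build_access_request(ident, secret, attrs):
    """Constructed Access-Request (credential attributes omitted) carrying an RFC 3579 Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)  # value stays zero while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body  # zero Request Authenticator (offline example only)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
def iter_attributes(packet):
    """Yield (type, value_offset, value) for each attribute TLV after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen
def parse_access_request(packet):
    """Return the User-Name and the NAS-IP-Address the server must list as an authorized NAS client."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    info = {"user": None, "nas_ip": None}
    for atype, _off, value in iter_attributes(packet):
        if atype == USER_NAME:
            info["user"] = value.decode()
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            info["nas_ip"] = socket.inet_ntoa(value)
    return info
def message_authenticator_valid(packet, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579)."""
    for atype, off, value in iter_attributes(packet):
        if atype == MSG_AUTH and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # without the attribute, the request alone cannot prove the secret matches
def check_request(packet, secret, authorized_nas):
    """Run the two checks the guide calls for: NAS client listing and a matching shared secret."""
    info, problems = parse_access_request(packet), []
    if info["nas_ip"] not in authorized_nas:
        problems.append(f"NAS {info['nas_ip']} is not an authorized NAS client")
    if not message_authenticator_valid(packet, secret):
        problems.append("Message-Authenticator mismatch: shared secret does not match")
    return info, problems

SECRET = b"constructed-shared-secret"  # constructed for the example, not a real secret
SAMPLE = build_access_request(7, SECRET, [(USER_NAME, b"alice@example.com"),  # constructed user
    (NAS_IP_ADDRESS, socket.inet_aton("203.0.113.10"))])  # placeholder NAS IP (TEST-NET-3), not a FortiSASE address
```

Run against the bytes of a real captured Access-Request, `check_request` reports the NAS address to add to the server's NAS client list and whether the configured secret reproduces the Message-Authenticator.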
Note

FortiSASE can connect to DNS, RADIUS, or LDAP servers with internal IP addresses or FQDNs if Access Type is set to Private in the RADIUS or LDAP server settings, the internal servers are located behind a secure private access (SPA) hub, and the SPA hub in FortiSASE has been configured with BGP per overlay.

When the FortiSASE Endpoint Management Service uses LDAP servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs with Access Type set to Public in the LDAP server settings and may require some configuration or topology changes.

See Network restrictions removed.

To configure the RADIUS server in FortiSASE:
  1. Go to Configuration > RADIUS.
  2. Click Create.
  3. Configure the following settings:

    Name: Connection name.
    Access Type: When set to Private, secure private access (SPA) is used for the RADIUS server. Ensure the SPA network is configured.
    Authentication Type: If you know the RADIUS server uses a specific authentication protocol, select Specify and select the desired protocol from the list. Otherwise, select Default.
    Include All Users: Allow all users on the RADIUS server to authenticate with FortiSASE.

  4. Configure the following settings under Configure Servers. If the primary server does not respond, FortiSASE sends the access request to the secondary server, if one is configured:

    Primary Server
      IP/Name: Enter the domain name or IP address of the RADIUS server.
      Secret: Enter the server secret key. This value must match the secret on the RADIUS primary server.
    Secondary Server
      IP/Name: (Optional) Enter the domain name or IP address of the secondary RADIUS server.
      Secret: (Optional) Enter the secondary server secret key. This value must match the secret on the RADIUS secondary server.

  5. Click Test connection. If the connection fails, return to the previous steps to reconfigure the RADIUS server(s), or skip the test. If the connection succeeds, click Next.
  6. Review the configuration, then click Submit.
To invite users who authenticate with RADIUS to FortiSASE:
Note

The following procedure does not apply to SWG mode users. See SWG mode.

  1. (Optional) If you want to define a group of users, create a user group:
    1. Go to Configuration > Users.
    2. Click Create > User Group.
    3. In the Members field, click +.
    4. In the Select Entries pane, select the desired users to add to this user group.
    5. In the Remote Groups field, select Create.
    6. From the Remote Server dropdown list, select the desired server.
    7. In the Groups field, add the desired groups from the selected server to this user group. Click OK.
    8. Click OK.
  2. Go to Dashboards > Status.
  3. In the Remote User Management widget, click Onboard Users.
  4. Under Invite Users, enter the email addresses of the users that you want to add to FortiSASE.
  5. Click Send. FortiSASE sends invitation emails to these users so that they can download FortiClient and connect to FortiSASE.
