Configuring the RADIUS server
This section shows how to configure the RADIUS server to accept port-based 802.1x authentication. This example shows how to install and configure RADIUS in Windows Server 2016.
- Log in to the Windows Server 2016 that you plan to use as your RADIUS server.
- Launch the Server Manager and select Manage from the top right.
- Select Add Roles and Features to launch the wizard.
- From the wizard page, select Network Policy and Access Services, as shown in the following figure:
- Select Next and then select Finish to start the installation. No reboot is required.
- After the installation is complete, select Tools from the Server Manager and then select Network Policy Server.
- Right-click on RADIUS Clients and select New to display the new RADIUS client dialog box. Use the following procedure to configure the RADIUS clients:
- Select the Enable the RADIUS client checkbox.
- Enter a name for your RADIUS server, such as
FGTAuth
. - Enter the IP address of the FortiGate unit that is used to access the RADIUS server. Typically, this is the interface in the FortiGate unit with the same network as the RADIUS server. Otherwise, this will be the IP address you have configured as the source-ip in the user RADIUS settings in FortiOS.
- In the Shared Secret area, keep Manual selected and enter a password in the Shared secret field. NOTE: This password must match the FortiGate RADIUS server settings.
- Select OK.
- Under the Policies section of the NPS Snap-in, right-click Connection Request Policies and select New.
- In the Overview tab, enter a name for the policy, such as
FGTAUth
. - Select the Policy enabled check box.
- Leave the type of network access server as Unspecified.
- In the Overview tab, enter a name for the policy, such as
- Select the Conditions tab.
- Select Add and then select the Client IPv4 Address condition.
- Select Add again and enter the IP address of the RADIUS client, which is the IP address of the FortiSwitch unit.
- Enable the NAT to the firewall policy from the FortiLink interface to the interface in which the RADIUS server is routed. In this example, it is the wan1 interface with an IP address of 172.17.96.6.
- Select the Settings tab.
- Select Vendor Specific and then select Add.
- Scroll to the very bottom of the list and select Vendor-Specific.
- Select Add.
- Configure a network policy.
- From the Network Policy Server Snap-in, right-click on Network Policies and select New.
- Enter a name for the policy, such as
FGTAuth
. - On the Overview tab, make sure that Policy enabled checkbox is selected.
- Verify that Grant access is selected.
- Verify that the type of network access server is set to Unspecified.
- Select the Conditions tab.
- Select Add.
- Select Windows Groups and then select Add.
- Select Add Groups.
- Enter the name of the group in AD that you want to allow for 802.1x connections.
- Select OK.
- In the Constraints tab, verify that the following check boxes are selected, select Apply, and then select OK to complete the policy.
- To verify the server certificate used by Microsoft Protocol EAP (PEAP), select Edit, and then select the certificate for the server to prove its identity to the client.
- Download the certificate that you selected and save it in the Trusted Root Certificate Authorities directory of the local PC.
- Under Certification Authority (Local), make certain that the settings match those in the following figure. Otherwise, you will receive an authentication failure with the following reason: “The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.”
Troubleshooting
The best way to troubleshoot 802.1x connections is by looking at the Event Viewer of the Windows Server. Under Server Roles, check the output of the Network Policy and Access Services.
The following figure shows the successful output of an 802.1x connection from the PC:
Issue 1: The certificate chain was issued by an authority that is not trusted.
To fix this issue, import the CA certificate into the local machine and add it to the Trusted Root Certification Authorities.
Issue 2: The specified user does not exist.
To fix this issue, under Advanced settings, you can specify whether you want user authentication, computer authentication, or both.