Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

RADIUS accounting and FortiGate RADIUS single sign-on

NOTE: To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1x-authenticated ports of your VLAN network for both port and MAC modes.

You can use your FortiSwitch unit for RADIUS single sign-on (RSSO) in two modes:

  • Standalone mode
  • FortiLink mode (FortiSwitch unit managed by FortiGate unit)

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch unit has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON—The FortiSwitch unit will send this message when the switch is turned on.
  • OFF—The FortiSwitch unit will send this message when the switch is shut down.

NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA now support EAP and MAB 802.1x authentication.

Configuring the RADIUS accounting server and FortiGate RADIUS single sign-on

Use the following commands to set up RADIUS accounting and enable a FortiSwitch unit to receive CoA and disconnect messages from the RADIUS server:

config user radius

edit <RADIUS_server_name>

set acct-interim-interval <seconds>

set secret <secret_key>

set server <domain_ipv4_ipv6>

set addr-mode {ipv4 | ipv6}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

config acct-server

edit <entry_ID>

set status {enable | disable}

set server <accounting_server>

set secret <secret_key>

set port <port_number>

next

end

next

end

 

Variable

Description

<RADIUS_server_name>

Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.

acct-interim-interval <seconds>

Enter the number of seconds between each interim accounting message sent to the RADIUS server. The value range is 60-86400. The default is 600.

addr-mode {ipv4 | ipv6}

Select whether to connect to the RADIUS server with IPv4 or IPv6. The default is IPv4.

secret <secret_key>

Enter the shared secret key for authentication with the RADIUS server.

server <domain_ipv4_ipv6>

Enter the domain name, IPv4 address, or IPv6 address for the RADIUS server. There is no default.

source-ip <ipv4_addr>

If the addr-mode was set to ipv4, enter the IPv4 address of the server that will be sending accounting messages. The default is 0.0.0.0.

source-ip6 <ipv6_addr>

If the addr-mode was set to ipv6, enter the IPv6 address of the server that will be sending accounting messages. There is no default.

<entry_ID>

Enter the entry identifier. The value range is 0-20.

status {enable | disable}

Enable or disable RADIUS accounting. The default is disable.

server <accounting_server>

Enter the domain name, IPv4 address, or IPv6 address of the RADIUS server that will be receiving the accounting messages. There is no default value.

secret <secret_key>

Enter the shared secret key for the RADIUS accounting server.

port <port_number>

Enter the port number for the RADIUS accounting server to receive accounting messages from the FortiSwitch unit. The default is 1813.

Example: RADIUS accounting and single sign-on

Use the following commands to set up RADIUS accounting:

config user radius

edit "local-RADIUS"

set server 10.0.23.5

set addr-mode ipv4

set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS

set auth-type ms_chap_v2

set acct-interim-interval 1200

set source-ip 10.105.142.19

config acct-server

edit 1

set status enable

set server 10.0.23.5

set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS

set port 1813

next

end

next

end

RADIUS accounting and FortiGate RADIUS single sign-on

NOTE: To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1x-authenticated ports of your VLAN network for both port and MAC modes.

You can use your FortiSwitch unit for RADIUS single sign-on (RSSO) in two modes:

  • Standalone mode
  • FortiLink mode (FortiSwitch unit managed by FortiGate unit)

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch unit has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON—The FortiSwitch unit will send this message when the switch is turned on.
  • OFF—The FortiSwitch unit will send this message when the switch is shut down.

NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA now support EAP and MAB 802.1x authentication.

Configuring the RADIUS accounting server and FortiGate RADIUS single sign-on

Use the following commands to set up RADIUS accounting and enable a FortiSwitch unit to receive CoA and disconnect messages from the RADIUS server:

config user radius

edit <RADIUS_server_name>

set acct-interim-interval <seconds>

set secret <secret_key>

set server <domain_ipv4_ipv6>

set addr-mode {ipv4 | ipv6}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

config acct-server

edit <entry_ID>

set status {enable | disable}

set server <accounting_server>

set secret <secret_key>

set port <port_number>

next

end

next

end

 

Variable

Description

<RADIUS_server_name>

Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.

acct-interim-interval <seconds>

Enter the number of seconds between each interim accounting message sent to the RADIUS server. The value range is 60-86400. The default is 600.

addr-mode {ipv4 | ipv6}

Select whether to connect to the RADIUS server with IPv4 or IPv6. The default is IPv4.

secret <secret_key>

Enter the shared secret key for authentication with the RADIUS server.

server <domain_ipv4_ipv6>

Enter the domain name, IPv4 address, or IPv6 address for the RADIUS server. There is no default.

source-ip <ipv4_addr>

If the addr-mode was set to ipv4, enter the IPv4 address of the server that will be sending accounting messages. The default is 0.0.0.0.

source-ip6 <ipv6_addr>

If the addr-mode was set to ipv6, enter the IPv6 address of the server that will be sending accounting messages. There is no default.

<entry_ID>

Enter the entry identifier. The value range is 0-20.

status {enable | disable}

Enable or disable RADIUS accounting. The default is disable.

server <accounting_server>

Enter the domain name, IPv4 address, or IPv6 address of the RADIUS server that will be receiving the accounting messages. There is no default value.

secret <secret_key>

Enter the shared secret key for the RADIUS accounting server.

port <port_number>

Enter the port number for the RADIUS accounting server to receive accounting messages from the FortiSwitch unit. The default is 1813.

Example: RADIUS accounting and single sign-on

Use the following commands to set up RADIUS accounting:

config user radius

edit "local-RADIUS"

set server 10.0.23.5

set addr-mode ipv4

set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS

set auth-type ms_chap_v2

set acct-interim-interval 1200

set source-ip 10.105.142.19

config acct-server

edit 1

set status enable

set server 10.0.23.5

set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS

set port 1813

next

end

next

end