Fortinet white logo
Fortinet white logo

Administration Guide

Authenticating users with a RADIUS server

Authenticating users with a RADIUS server

Using the GUI:
  1. Define the RADIUS server:
    1. Go to System > Authentication > RADIUS.
    2. Select Add Server.


    3. In the Name field, enter a name for the RADIUS server.
    4. In the Primary Server Address field, enter the IP address for the RADIUS server.
    5. In the Primary Server Secret field, enter a password to use as a RADIUS key.
    6. Select Add.
  2. Create a user group:
    1. Go to System > User > Group.
    2. Select Add Group.


    3. In the Name field, enter a name for the user group.
    4. Select Add Server.
    5. Select the name of the RADIUS server that you configured in step 1.
    6. Select Add Group.
  3. Configure the port security:
    1. Go to Switch > Interface > Physical.
    2. Select a port and then select Edit.
    3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.


    4. Select the user group that you configured in step 2.


    5. Select OK.
Using the CLI:
  1. Define an IPv4 or IPv6 RADIUS server:

    config user radius

    edit <name>

    set addr-mode ipv4

    set server <IPv4_address>

    set source-ip <ipv4_address>

    set radius-port <radius_port_num>

    set secret <server_password>

    set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

    set nas-ip <IPv4_address>

    set all-usergroup {enable | disable}

    set link-monitor {enable | disable}

    set link-monitor-interval <5-120 seconds>

    end

    end

    config user radius

    edit <name>

    set addr-mode ipv6

    set server <IPv6_address>

    set source-ip6 <ipv6_address>

    set radius-port <radius_port_num>

    set secret <server_password>

    set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

    set nas-ip6 <IPv6_address>

    set all-usergroup {enable | disable}

    set link-monitor {enable | disable}

    set link-monitor-interval <5-120 seconds>

    end

    end

  2. Create a user group:

    config user group

    edit <name>

    set member <list>

    config match

    edit 1

    set group-name <name>

    set server-name <name>

    end

    end

    end

    end

  3. Configure the switch interface for port-based or MAC-based 802.1x authentication:

    config switch interface

    edit <interface>

    config port-security

    set port-security-mode 802.1X

    end

    set security-groups <security-group-name>

    end

    end

    config switch interface

    edit <interface>

    config port-security

    set port-security-mode 802.1X-mac-based

    end

    set security-groups <security-group-name>

    end

    end

Example: RADIUS user group

Using the GUI:
  1. Define the RADIUS server:
    1. Go to System > Authentication > RADIUS.
    2. Select Add Server.
    3. In the Name field, enter FortiAuthenticator.
    4. In the Primary Server Address field, enter 10.160.36.190.
    5. In the Primary Server Secret field, enter 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ.


    6. Select Add.
  2. Create a user group:
    1. Go to System > User > Group.
    2. Select Add Group.
    3. In the Name field, enter Radius_group.
    4. Select Add Server.
    5. Select FortiAuthenticator as the authentication server.


    6. Select Add Group.
  3. Configure the port security:
    1. Go to Switch > Interface > Physical.
    2. Select the port1 row and then select Edit.


    3. In the Allowed VLANs field, enter 1.
    4. Select 802.1X.
    5. Select Radius_group.


    6. Select OK.
Using the CLI:
  1. Define the RADIUS server:

    config user radius

    edit "FortiAuthenticator"

    set secret ENC 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ

    set server “10.160.36.190”

    set addr-mode ipv4

    next

    end

  2. Create a user group:

    config user group

    edit "Radius_group"

    set member "FortiAuthenticator"

    end

    end

  3. Configure the port security:

    config switch interface

    edit "port1"

    set allowed-vlans 1

    config port-security

    set port-security-mode 802.1X

    end

    set security-groups "Radius_group"

    end

    end

Example: dynamic VLAN

To assign VLAN dynamically for a port on which a user is authenticated, configure the RADIUS server attributes to return the VLAN ID when the user is authenticated. Assuming that the port security mode is set to 802.1X, the FortiSwitch unit will change the native VLAN of the port to the value returned by the server.

Ensure that the following attributes are configured on the RADIUS server:

  • Tunnel-Private-Group-Id <integer or string> (the VLAN ID or VLAN name)
  • Tunnel-Medium-Type IEEE-802 (6)
  • Tunnel-Type VLAN (13)

NOTE: If the Tunnel-Private-Group-Id is set to the VLAN name, the same string must be specified in the set description command under the config switch vlan command.

Authenticating users with a RADIUS server

Authenticating users with a RADIUS server

Using the GUI:
  1. Define the RADIUS server:
    1. Go to System > Authentication > RADIUS.
    2. Select Add Server.


    3. In the Name field, enter a name for the RADIUS server.
    4. In the Primary Server Address field, enter the IP address for the RADIUS server.
    5. In the Primary Server Secret field, enter a password to use as a RADIUS key.
    6. Select Add.
  2. Create a user group:
    1. Go to System > User > Group.
    2. Select Add Group.


    3. In the Name field, enter a name for the user group.
    4. Select Add Server.
    5. Select the name of the RADIUS server that you configured in step 1.
    6. Select Add Group.
  3. Configure the port security:
    1. Go to Switch > Interface > Physical.
    2. Select a port and then select Edit.
    3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.


    4. Select the user group that you configured in step 2.


    5. Select OK.
Using the CLI:
  1. Define an IPv4 or IPv6 RADIUS server:

    config user radius

    edit <name>

    set addr-mode ipv4

    set server <IPv4_address>

    set source-ip <ipv4_address>

    set radius-port <radius_port_num>

    set secret <server_password>

    set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

    set nas-ip <IPv4_address>

    set all-usergroup {enable | disable}

    set link-monitor {enable | disable}

    set link-monitor-interval <5-120 seconds>

    end

    end

    config user radius

    edit <name>

    set addr-mode ipv6

    set server <IPv6_address>

    set source-ip6 <ipv6_address>

    set radius-port <radius_port_num>

    set secret <server_password>

    set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}

    set nas-ip6 <IPv6_address>

    set all-usergroup {enable | disable}

    set link-monitor {enable | disable}

    set link-monitor-interval <5-120 seconds>

    end

    end

  2. Create a user group:

    config user group

    edit <name>

    set member <list>

    config match

    edit 1

    set group-name <name>

    set server-name <name>

    end

    end

    end

    end

  3. Configure the switch interface for port-based or MAC-based 802.1x authentication:

    config switch interface

    edit <interface>

    config port-security

    set port-security-mode 802.1X

    end

    set security-groups <security-group-name>

    end

    end

    config switch interface

    edit <interface>

    config port-security

    set port-security-mode 802.1X-mac-based

    end

    set security-groups <security-group-name>

    end

    end

Example: RADIUS user group

Using the GUI:
  1. Define the RADIUS server:
    1. Go to System > Authentication > RADIUS.
    2. Select Add Server.
    3. In the Name field, enter FortiAuthenticator.
    4. In the Primary Server Address field, enter 10.160.36.190.
    5. In the Primary Server Secret field, enter 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ.


    6. Select Add.
  2. Create a user group:
    1. Go to System > User > Group.
    2. Select Add Group.
    3. In the Name field, enter Radius_group.
    4. Select Add Server.
    5. Select FortiAuthenticator as the authentication server.


    6. Select Add Group.
  3. Configure the port security:
    1. Go to Switch > Interface > Physical.
    2. Select the port1 row and then select Edit.


    3. In the Allowed VLANs field, enter 1.
    4. Select 802.1X.
    5. Select Radius_group.


    6. Select OK.
Using the CLI:
  1. Define the RADIUS server:

    config user radius

    edit "FortiAuthenticator"

    set secret ENC 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ

    set server “10.160.36.190”

    set addr-mode ipv4

    next

    end

  2. Create a user group:

    config user group

    edit "Radius_group"

    set member "FortiAuthenticator"

    end

    end

  3. Configure the port security:

    config switch interface

    edit "port1"

    set allowed-vlans 1

    config port-security

    set port-security-mode 802.1X

    end

    set security-groups "Radius_group"

    end

    end

Example: dynamic VLAN

To assign VLAN dynamically for a port on which a user is authenticated, configure the RADIUS server attributes to return the VLAN ID when the user is authenticated. Assuming that the port security mode is set to 802.1X, the FortiSwitch unit will change the native VLAN of the port to the value returned by the server.

Ensure that the following attributes are configured on the RADIUS server:

  • Tunnel-Private-Group-Id <integer or string> (the VLAN ID or VLAN name)
  • Tunnel-Medium-Type IEEE-802 (6)
  • Tunnel-Type VLAN (13)

NOTE: If the Tunnel-Private-Group-Id is set to the VLAN name, the same string must be specified in the set description command under the config switch vlan command.