Authenticating users with a RADIUS server
Using the GUI:
- Define the RADIUS server:
  - Go to System > Authentication > RADIUS.
  - Select Add Server.
  - In the Name field, enter a name for the RADIUS server.
  - In the Primary Server Address field, enter the IP address of the RADIUS server.
  - In the Primary Server Secret field, enter the shared secret that is configured for this switch on the RADIUS server.
  - Select Add.
- Create a user group:
  - Go to System > User > Group.
  - Select Add Group.
  - In the Name field, enter a name for the user group.
  - Select Add Server.
  - Select the name of the RADIUS server that you configured in step 1.
  - Select Add Group.
- Configure the port security:
  - Go to Switch > Interface > Physical.
  - Select a port and then select Edit.
  - Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
  - Select the user group that you configured in step 2.
  - Select OK.
Using the CLI:
- Define an IPv4 or IPv6 RADIUS server:
config user radius
edit <name>
set addr-mode ipv4
set server <IPv4_address>
set source-ip <ipv4_address>
set radius-port <radius_port_num>
set secret <server_password>
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip <IPv4_address>
set all-usergroup {enable | disable}
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
next
end
config user radius
edit <name>
set addr-mode ipv6
set server <IPv6_address>
set source-ip6 <ipv6_address>
set radius-port <radius_port_num>
set secret <server_password>
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip6 <IPv6_address>
set all-usergroup {enable | disable}
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
next
end
- Create a user group:
config user group
edit <name>
set member <list>
config match
edit 1
set group-name <name>
set server-name <name>
next
end
next
end
- Configure the switch interface for port-based or MAC-based 802.1X authentication:
config switch interface
edit <interface>
config port-security
set port-security-mode 802.1X
end
set security-groups <security-group-name>
next
end
config switch interface
edit <interface>
config port-security
set port-security-mode 802.1X-mac-based
end
set security-groups <security-group-name>
next
end
Example: RADIUS user group
Using the GUI:
- Define the RADIUS server:
  - Go to System > Authentication > RADIUS.
  - Select Add Server.
  - In the Name field, enter FortiAuthenticator.
  - In the Primary Server Address field, enter 10.160.36.190.
  - In the Primary Server Secret field, enter the shared secret configured on the RADIUS server. The CLI example below shows the same secret as the switch stores it in the saved configuration, marked ENC and already encrypted; that encrypted string is not the plaintext you type here.
  - Select Add.
- Create a user group:
  - Go to System > User > Group.
  - Select Add Group.
  - In the Name field, enter Radius_group.
  - Select Add Server.
  - Select FortiAuthenticator as the authentication server.
  - Select Add Group.
- Configure the port security:
  - Go to Switch > Interface > Physical.
  - Select the port1 row and then select Edit.
  - In the Allowed VLANs field, enter 1.
  - Select 802.1X.
  - Select Radius_group.
  - Select OK.
Using the CLI:
- Define the RADIUS server:
config user radius
edit "FortiAuthenticator"
set secret ENC 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ
set server "10.160.36.190"
set addr-mode ipv4
next
end
- Create a user group:
config user group
edit "Radius_group"
set member "FortiAuthenticator"
next
end
- Configure the port security:
config switch interface
edit "port1"
set allowed-vlans 1
config port-security
set port-security-mode 802.1X
end
set security-groups "Radius_group"
next
end
Example: dynamic VLAN
To assign a VLAN dynamically to a port on which a user has authenticated, configure the RADIUS server to return the VLAN ID (or VLAN name) in its Access-Accept. If the port security mode is set to 802.1X (port-based), the FortiSwitch unit changes the native VLAN of the port to the value returned by the server.
Ensure that the following attributes are configured on the RADIUS server:
- Tunnel-Private-Group-Id <integer or string> (the VLAN ID or VLAN name)
- Tunnel-Medium-Type IEEE-802 (6)
- Tunnel-Type VLAN (13)
NOTE: If Tunnel-Private-Group-Id is set to a VLAN name, the same string must be specified with the set description command under config switch vlan for that VLAN.
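The exchange the note above describes, as an added example that is not part of the FortiSwitch documentation or of any Fortinet code: a small Python script that encodes the three tunnel attributes (RFC 2868 attribute format, RFC 3580 values) into an Access-Accept, computes the Response Authenticator with the shared secret, and on the switch side verifies that authenticator before trusting the VLAN. The shared secret, the packet identifier and the 16-byte request authenticator are constructed values standing in for what a real Access-Request would carry. It goes slightly beyond the note in that it accepts either a VLAN ID or a VLAN name in Tunnel-Private-Group-Id, and it handles the RFC 2868 rule that a first byte above 0x1F is string data rather than a tag.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and the tunnel attributes used for VLAN
# assignment (RFC 2868 attribute numbers, RFC 3580 values).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def avp(attr_type, value):
    """Encode one Type/Length/Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: a 1-byte tag followed by a 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan, tag=0):
    """The three attributes the server must return for the NAS to assign a VLAN.
    `vlan` may be a VLAN ID (100) or a VLAN name ("Radius_group")."""
    return (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def build_response(code, identifier, request_auth, attributes, secret):
    """Server side: reply whose Response Authenticator binds it to the request's
    authenticator and to the shared secret (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_attributes(data):
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_response(packet, request_auth, secret):
    """NAS side: reject the reply unless its Response Authenticator matches.
    A wrong shared secret, a forged Access-Accept, or a reply to a different
    request all fail here, before any attribute is trusted."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (bad secret or forged reply)")
    return code, identifier, parse_attributes(packet[20:])


def assigned_vlan(attrs):
    """Return the VLAN string only when Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802
    and Tunnel-Private-Group-Id are all present under the same tag."""
    by_tag = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is the start of the string, not a tag
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


def demo(vlan=100, secret=b"constructed-shared-secret"):
    """Round trip with constructed values: the request authenticator below stands
    in for the 16 random bytes a NAS sends in its Access-Request."""
    request_auth = bytes(range(16))
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, vlan_attributes(vlan), secret)
    code, _ident, attrs = verify_response(packet, request_auth, secret)
    return code, assigned_vlan(attrs)


if __name__ == "__main__":
    print(demo())                       # (2, '100')
    print(demo(vlan="Radius_group"))    # (2, 'Radius_group')
```

The check in verify_response is the reason the shared secret matters beyond hiding the password: without it an attacker on the path between switch and server could answer an Access-Request with an Access-Accept carrying any VLAN of their choosing. The VLAN is only read after that check passes, and only when all three attributes agree.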