RADIUS accounting and FortiGate RADIUS single sign-on
NOTE: To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1X-authenticated ports of your VLAN network for both port and MAC modes.
You can use your FortiSwitch unit for RADIUS single sign-on (RSSO) in two modes:
- Standalone mode
- FortiLink mode (FortiSwitch unit managed by FortiGate unit)
The FortiSwitch unit uses 802.1X-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:
- START—The FortiSwitch unit has been successfully authenticated, and the session has started.
- STOP—The FortiSwitch session has ended.
- INTERIM—Periodic messages sent based on the value set using the
set acct-interim-interval
command. - ON—The FortiSwitch unit will send this message when the switch is turned on.
- OFF—The FortiSwitch unit will send this message when the switch is shut down.
NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA now support EAP and MAB 802.1X authentication.
Configuring the RADIUS accounting server and FortiGate RADIUS single sign-on
Use the following commands to set up RADIUS accounting and enable a FortiSwitch unit to receive CoA and disconnect messages from the RADIUS server:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set secret <secret_key>
set server <domain_ipv4_ipv6>
set addr-mode {ipv4 | ipv6}
set source-ip <ipv4_addr>
set source-ip6 <ipv6_addr>
config acct-server
edit <entry_ID>
set status {enable | disable}
set server <accounting_server>
set secret <secret_key>
set port <port_number>
next
end
next
end
Variable |
Description |
<RADIUS_server_name> |
Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799. |
acct-interim-interval <seconds> |
Enter the number of seconds between each interim accounting message sent to the RADIUS server. The value range is 60-86400. The default is 600. |
addr-mode {ipv4 | ipv6} |
Select whether to connect to the RADIUS server with IPv4 or IPv6. The default is IPv4. |
secret <secret_key> |
Enter the shared secret key for authentication with the RADIUS server. |
server <domain_ipv4_ipv6> |
Enter the domain name, IPv4 address, or IPv6 address for the RADIUS server. There is no default. |
source-ip <ipv4_addr> |
If the |
source-ip6 <ipv6_addr> |
If the |
<entry_ID> |
Enter the entry identifier. The value range is 0-20. |
status {enable | disable} |
Enable or disable RADIUS accounting. The default is disable. |
server <accounting_server> |
Enter the domain name, IPv4 address, or IPv6 address of the RADIUS server that will be receiving the accounting messages. There is no default value. |
secret <secret_key> |
Enter the shared secret key for the RADIUS accounting server. |
port <port_number> |
Enter the port number for the RADIUS accounting server to receive accounting messages from the FortiSwitch unit. The default is 1813. |
Example: RADIUS accounting and single sign-on
Use the following commands to set up RADIUS accounting:
config user radius
edit "local-RADIUS"
set server 10.0.23.5
set addr-mode ipv4
set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS
set auth-type ms_chap_v2
set acct-interim-interval 1200
set source-ip 10.105.142.19
config acct-server
edit 1
set status enable
set server 10.0.23.5
set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS
set port 1813
next
end
next
end