CLI Reference

user radius-user

Use this command to configure RADIUS queries used to authenticate end-users and/or administrators.

If you use a RADIUS query for administrators, keep it separate from the queries for regular users. Do not combine administrator and user queries into a single entry: if the queries are not separated, end-users can gain administrative access to the FortiWeb web UI and CLI.

Remote Authentication Dial-In User Service (RADIUS) servers provide authentication, authorization, and accounting functions. The FortiWeb authentication feature uses RADIUS user queries to authenticate and authorize HTTP requests. (The HTTP protocol does not support active logouts and can only passively log out users when their connection times out. Therefore FortiWeb does not fully support RADIUS accounting.) RADIUS authentication with realms (e.g., the person logs in with an account such as admin@example.com) is supported.

To authenticate a user, the FortiWeb appliance sends the user’s credentials to RADIUS for authentication. If RADIUS authentication succeeds, the user is successfully authenticated with the FortiWeb appliance. If RADIUS authentication fails, the appliance refuses the connection. To override the default authentication scheme, select a specific authentication protocol or change the default RADIUS port.

To incorporate RADIUS users, they must be in a user group selected within an authentication rule, which is in turn selected within an authentication policy. For details, see server-policy custom-application application-policy.

For access profiles, FortiWeb appliances support RFC 2548 (http://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes. If you do not want to use them, you can configure them locally instead. For details, see system accprofile.

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user radius-user
  edit "<radius-query_name>"
    set secret "<password_str>"
    set server {radius_ipv4 | radius_ipv6 | domain name}
    set server-port <port_int>
    set auth-type {default | chap | ms_chap | ms_chap_v2 | pap}
    set nas-ip "<nas_ipv4>"
    set secondary-secret "<password_str>"
    set secondary-server {radius2_ipv4 | domain name}
    set secondary-server-port <port_int>
    set fac-push {enable | disable}
  next
end

Variables, with their description and default value:

"<radius-query_name>"

Enter a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.

To display the list of existing queries, enter:

  edit ?

Note: This is the name of the query only, not the administrator or end-user's account name/login, which is defined by either "<administrator_name>" or username "<user_str>".

Default: none.

secret "<password_str>"

Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length, but is allowed to be up to 63 characters.

Default: none.

server {radius_ipv4 | radius_ipv6 | domain name}

Enter the IP address or domain name of the RADIUS server to query for users.

Default: none.

server-port <port_int>

Enter the port number on which the RADIUS server listens. The valid range is 1–65535.

Default: 1812

auth-type {default | chap | ms_chap | ms_chap_v2 | pap}

Enter the authentication method. The default option tries PAP, MS-CHAP-V2, and CHAP, in that order.

Default: default

nas-ip "<nas_ipv4>"

Enter the NAS IP address and called station ID. For details, see RFC 2548 (http://www.ietf.org/rfc/rfc2548.txt). If you do not enter an IP address, the IP address of the network interface that the FortiWeb appliance uses to communicate with the RADIUS server is used.

Default: 0.0.0.0

secondary-secret "<password_str>"

Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length, but is allowed to be up to 63 characters.

Default: none.

secondary-server {radius2_ipv4 | domain name}

Enter the IP address or domain name of the secondary RADIUS server.

Default: none.

secondary-server-port <port_int>

Enter the port number on which the secondary RADIUS server listens. The valid range is 1–65535.

Default: 1812

fac-push {enable | disable}

If you are using a FortiAuthenticator (FAC) RADIUS server to authenticate clients, enable this option to automatically send a FortiToken Mobile push notification to the client for additional token authentication.

Default: disable
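The shared secret, the NAS-IP-Address and the PAP method configured by this command are easiest to understand on the wire. The following added example (not Fortinet's code; the secret, user, password and NAS address are constructed) builds the RFC 2865 Access-Request a RADIUS client sends for auth-type pap, recovers the password the way a server holding the same secret does, and checks the Response Authenticator so that a reply signed with a different secret is rejected.

```python
import hashlib, ipaddress, os, struct

# RFC 2865 packet codes and attribute types. The "set nas-ip" value is what goes
# in NAS-IP-Address; "set secret" is the shared secret used for hiding and signing.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("BB", attr_type, len(value) + 2) + value

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block);
    the first block is XORed with MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, keystream))
        out, prev = out + result, (block if decrypt else result)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password as sent on the wire: NUL-pad to a 16-byte multiple, then chain."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, secret, authenticator, decrypt=False)

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with the same shared secret (padding stripped)."""
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request for auth-type pap; username may carry a realm (user@example.com)."""
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(response, request, secret):
    """Client-side check: a reply forged or signed with a different secret is rejected."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret)
    return expected.digest() == response[4:20]
```

Because both password hiding and reply authentication rest entirely on the shared secret, a mismatch between `set secret` and the server's configuration shows up as a rejected reply rather than a clear error, which is worth remembering when a primary or secondary server suddenly stops authenticating.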
