Authentication servers

 

RADIUS attributes sent in RADIUS accounting message

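                                 |       RADIUS Attributes
Authentication Method            | 1 | 2 | 3 | 4 | 5 | 6 | 7
---------------------------------+---+---+---+---+---+---+---
Web                              | X | X | X |   | X |   |
XAuth of IPsec (without DHCP)    | X | X | X |   | X |   |
XAuth of IPsec (with DHCP)       | X | X | X | X | X |   |
PPTP/L2TP (in PPP)               | X | X | X | X | X | X | X
SSL-VPN                          | X | X | X | X | X |   |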

Vendor-specific attributes

Vendor-specific attributes (VSAs) are the mechanism that RADIUS server and client vendors use to extend the basic functionality of RADIUS. Some major vendors, such as Microsoft, have published their VSAs; many others have not.

To support VSAs, the RADIUS server requires a dictionary that defines which VSAs it supports. This dictionary is typically supplied by the client or server vendor.

The Fortinet RADIUS vendor ID is 12356.

 

The FortiGate unit RADIUS VSA dictionary is supplied by Fortinet and is available through the Fortinet Knowledge Base (http://kb.forticare.com) or through Technical Support. Fortinet’s dictionary for FortiOS 4.0 and up is configured this way:

    ##
    # Fortinet’s VSA’s
    #
    VENDOR fortinet 12356
    BEGIN-VENDOR fortinet
    ATTRIBUTE Fortinet-Group-Name           1  string
    ATTRIBUTE Fortinet-Client-IP-Address    2  ipaddr
    ATTRIBUTE Fortinet-Vdom-Name            3  string
    ATTRIBUTE Fortinet-Client-IPv6-Address  4  octets
    ATTRIBUTE Fortinet-Interface-Name       5  string
    ATTRIBUTE Fortinet-Access-Profile       6  string
    #
    # Integer Translations
    #
    END-VENDOR Fortinet

 

Note that by using the Fortinet-Vdom-Name attribute, users can be tied to a specific VDOM on the FortiGate unit. See the documentation provided with your RADIUS server for configuration details.
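The dictionary only names the sub-attributes; on the wire they travel inside RADIUS attribute 26 (Vendor-Specific, RFC 2865) tagged with vendor ID 12356. The following Python is an added example, not Fortinet's code: it decodes Fortinet VSAs from a raw attribute list using the numbers and types in the dictionary above and rejects malformed lengths. The function names and the sample bytes are constructed for illustration.

```python
import ipaddress

FORTINET_VENDOR_ID = 12356
VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute type (RFC 2865)
# Sub-attribute numbers and types copied from the dictionary above.
FORTINET_VSAS = {
    1: ("Fortinet-Group-Name", "string"),
    2: ("Fortinet-Client-IP-Address", "ipaddr"),
    3: ("Fortinet-Vdom-Name", "string"),
    4: ("Fortinet-Client-IPv6-Address", "octets"),
    5: ("Fortinet-Interface-Name", "string"),
    6: ("Fortinet-Access-Profile", "string"),
}

def decode_value(kind, raw):
    if kind == "string":
        return raw.decode("utf-8", errors="replace")
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))  # raises ValueError unless 4 bytes
    return raw.hex()  # octets: keep opaque, show as hex

def parse_fortinet_vsas(attrs):
    """Walk a RADIUS attribute list; return decoded Fortinet VSAs."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("bad attribute length")
        atype, body = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if int.from_bytes(body[:4], "big") != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA
        sub = body[4:]
        while sub:
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("bad Fortinet sub-attribute length")
            name, kind = FORTINET_VSAS.get(sub[0], (f"Unknown-{sub[0]}", "octets"))
            found.append((name, decode_value(kind, sub[2:sub[1]])))
            sub = sub[sub[1]:]
    return found

def build_vsa(vendor_id, vtype, value):
    sub = bytes([vtype, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + vendor_id.to_bytes(4, "big") + sub

# Constructed sample: User-Name, two Fortinet VSAs, one Microsoft (311) VSA.
SAMPLE = (bytes([1, 7]) + b"alice" + build_vsa(12356, 1, b"vpn-users")
          + build_vsa(12356, 3, b"root") + build_vsa(311, 1, b"\x00\x01"))
```

Running `parse_fortinet_vsas(SAMPLE)` returns the group name and VDOM name and skips both the User-Name attribute and the other vendor's VSA.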

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
