FortiWAN RADIUS Authentication

RADIUS Authentication

Except FortiWAN’s local authentication database described above, FortiWAN supports RADIUS authentication for Web UI login. Please make sure the following settings are complete on the RADIUS server working with FortiWAN.

Add Fortinet’s Vender Specific Attribute (VSA) to /etc/raddb/dictionary:

VENDOR Fortinet 12356 BEGIN‐VENDOR Fortinet …

ATTRIBUTE Fortinet‐FWN‐AVPair 26 string …

END‐VENDOR Fortinet

“12356” is Fortinet’s vender ID, “Fortinet-FWN-AVPair” is the attribute used for working with FortiWAN and “26” is the attribute ID. If the RADIUS server serves with other Fortinet products, please add the correspondent attributes between BEGIN‐VENDOR Fortinet and END‐VENDOR Fortinet.

Construct user database on RADIUS server for authentication. For example, we have accounts

“Administrator/1234” and “admin/(null)” belong to Administrator group, and “Monitor/5678” belongs to Monitor group.

Add the followings to /etc/raddb/users:

Administrator User‐Password := “1234”

Fortinet‐FWN‐AVPair := “user‐group=Administrator” admin User‐Password := “”

Fortinet‐FWN‐AVPair := “user‐group=Administrator”

Monitor User‐Password := “5678”

Fortinet‐FWN‐AVPair := “user‐group=Monitor”

Please make sure “user-group” is specified for every account, or FortiWAN denies the login even the account and password are authorized by RADIUS server.

To enable FortiWAN’s RADIUS authentication, please click the checkbox and complete the configuration below.

Priority Determines priority to the two authentications:

RADIUS, Local Database: Authorize a login via RADIUS first, then try local database if the authentication failed in RADIUS.

Local Database, RADIUS: Authorize a login via local database first, then try RADIUS if the authentication failed in local database.

Server IP IP address of the RADIUS server.
Server Port UDP port number of the RADIUS server (The standard port is 1812, but it might be 1645 for earlier RADIUS).
Secret The secret (password) shared with the RADIUS server.
NAS IP Enter the correspondent NAS-IP-Address attribute for Request/Response Authenticator if it is necessary, or leave it blank. See RFC2865 for details.
NAS Port Enter the correspondent NAS-Port attribute for Request/Response Authenticator if it is necessary, or leave it blank. See RFC2865 for details.
Apply Click to apply the configuration.
This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.