Configuring the FortiGate unit to use a RADIUS server

The information you need to configure the FortiGate unit to use a RADIUS server includes:

  • the RADIUS server's domain name or IP address
  • the RADIUS server's shared secret key

You can optionally specify the NAS IP or Called Station ID. When you configure the FortiGate to use a RADIUS server, the FortiGate acts as a Network Access Server (NAS). If the FortiGate interface has multiple IP addresses, or you want the RADIUS requests to come from a different address, you can specify that address here. Called Station ID applies to carrier networks. If the NAS IP is not included in the RADIUS configuration, the IP of the FortiGate unit interface that communicates with the RADIUS server is used instead.

A maximum of 10 remote RADIUS servers can be configured on the FortiGate unit. One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 54.

On the FortiGate unit, the default port for RADIUS traffic is 1812. Some RADIUS servers use port 1645. If this is the case with your server, you can either:

  • Re-configure the RADIUS server to use port 1812. See your RADIUS server documentation for more information on this procedure.

or

  • Change the FortiGate unit default RADIUS port to 1645 using the CLI:

    config system global
        set radius-port 1645
    end

One wildcard admin account can be added to the FortiGate unit when using RADIUS authentication. This uses the wildcard character to allow multiple admin accounts on RADIUS to use a single account on the FortiGate unit. See Example — wildcard admin accounts – CLI on page 41.

To configure the FortiGate unit for RADIUS authentication – web-based manager:

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK.

     Name – A name to identify the RADIUS server on the FortiGate unit.

     Primary Server Name/IP – Enter the domain name (such as fgt.example.com) or the IP address of the RADIUS server.

     Primary Server Secret – Enter the server secret key, such as radiusSecret. This can be a maximum of 16 characters long. This must match the secret on the RADIUS primary server.

     Secondary Server Name/IP – Optionally, enter the domain name (such as fgt.example.com) or the IP address of the secondary RADIUS server.

     Secondary Server Secret – Optionally, enter the secondary server secret key, such as radiusSecret2. This can be a maximum of 16 characters long. This must match the secret on the RADIUS secondary server.

     Authentication Scheme – If you know the RADIUS server uses a specific authentication protocol, select it from the list. Otherwise, select Use Default Authentication Scheme. The Default option will usually work.

     NAS IP / Called Station ID – Enter the IP address to be used as an attribute in RADIUS access requests. NAS-IP-Address is the value configured in the RADIUS setting or, if none is configured, the IP address of the FortiGate interface used to talk to the RADIUS server. Called Station ID carries the same value as NAS-IP-Address, but in text format.

     Include in every User Group – When enabled, this RADIUS server is automatically included in all user groups. This is useful if all users will be authenticating with the remote RADIUS server.

  3. Select OK.

To configure the FortiGate unit for RADIUS authentication – CLI example:

config user radius
    edit ourRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret radiusSecret
end

For more information about RADIUS server options, refer to the FortiGate CLI Reference.

Troubleshooting RADIUS

To test the connection to the RADIUS server, use the following command:

    diagnose test authserver radius-direct <server_name or IP> <port number> <secret>

For the port number, enter -1 to use the default port. Otherwise enter the port number to check.

Test results show RADIUS server reachability, NAS client rejection, and invalid User/Password. The test also shows the RADIUS attributes returned from the RADIUS server.
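To make the exchange behind the diagnose test concrete, and to show what the NAS-IP-Address and Called-Station-Id attributes described above look like on the wire, here is an added Python example. It is not FortiGate or Fortinet code and not part of the original page: it builds an RFC 2865 Access-Request with a PAP-hidden password, has a toy server side answer it, and checks the Response Authenticator against the shared secret, which is the check that distinguishes "server reachable and secret correct" from "reply that must be discarded". The username alice, the NAS address 10.11.102.1, the password and the secrets are constructed values; only the server address 10.11.102.100 comes from the CLI example above.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with PAP, both sides.
Added example, not FortiGate code. All names, addresses and secrets below
are constructed except the server address taken from the page (10.11.102.100).
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type numbers from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, CALLED_STATION_ID = 1, 2, 4, 18, 30

SERVER_IP = "10.11.102.100"   # from the CLI example on the page
RADIUS_PORT = 1812            # FortiGate default; some servers use 1645


def _attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_password(password, secret, authenticator):
    """PAP hiding (RFC 2865 5.2): pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_password(hidden, secret, authenticator):
    """Inverse of encode_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """What the NAS (the FortiGate) sends. Returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)  # must be fresh per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))      # binary form
             + _attr(CALLED_STATION_ID, nas_ip.encode()))           # same value, text form
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(data):
    """Walk the TLV list, refusing truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def server_respond(request, secret, users):
    """Toy server side: check the credential, then sign the reply with
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attributes(request[20:length]))
    user = attrs[USER_NAME].decode()
    accept = users.get(user) == decode_password(attrs[USER_PASSWORD], secret, req_auth)
    rcode = ACCESS_ACCEPT if accept else ACCESS_REJECT
    rattrs = _attr(REPLY_MESSAGE, b"Welcome" if accept else b"Invalid User/Password")
    header = struct.pack("!BBH", rcode, ident, 20 + len(rattrs))
    resp_auth = hashlib.md5(header + req_auth + rattrs + secret).digest()
    return header + resp_auth + rattrs


def verify_response(response, req_auth, secret, expected_ident):
    """NAS side: return (code, attributes) only if the reply matches our request
    identifier and its authenticator verifies under our shared secret; else None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != expected_ident or length != len(response):
        return None
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + req_auth + attrs + secret).digest()
    if expected != response[4:20]:
        return None  # wrong shared secret on one side, or a tampered reply
    return code, parse_attributes(attrs)


if __name__ == "__main__":
    secret = b"radiusSecret"                                   # constructed, from the page's placeholder
    req, ra = build_access_request(7, "alice", "pw", secret, "10.11.102.1")
    reply = server_respond(req, secret, {"alice": "pw"})       # stands in for SERVER_IP:RADIUS_PORT
    print(verify_response(reply, ra, secret, 7))
```

A reply that does not verify against the configured secret is dropped rather than acted on, so a shared-secret mismatch between the FortiGate and the server surfaces as no valid answer, not as an Access-Reject; an Access-Reject with a Reply-Message is what a wrong user password produces. The Called-Station-Id attribute is sent as text while NAS-IP-Address is four raw bytes, which is the distinction the field description above is making.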

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
