FortiWLC – Remote RADIUS Server

Remote RADIUS Server

Network deployments with remote sites that are physically distant from their headquarters (or master data center, DC) can use a remote RADIUS server in each remote site for local authentication.

In a typical scenario, the RADIUS server is co-located in the DC, and remote sites that require AAA services to authenticate their local clients use that RADIUS server over the WAN. Among other issues, this usually introduces high latency between the remote site and its DC. Deploying a RADIUS server within the remote site alleviates this problem and allows remote sites or branches to use their local AAA (RADIUS) services instead of relying on the DC.


Before you Begin

Points to note before you begin deploying a remote RADIUS server:

  1. Ensure that the round-trip communication time between the Controller and the site AP is less than the RADIUS timeout.
  2. Provision at least one AP that can be configured as a relay AP.
  3. Only Fortinet 11ac APs (AP122, AP822, AP832, and OAP832) in L3 mode can be configured as a relay AP.
  4. In a WAN survivability situation, no new 802.1X RADIUS clients will be able to join until the relay AP rediscovers the controller.

How It Works

This feature provides local authentication services (802.1X, Captive Portal profile, and MAC filtering) using a RADIUS server set up in the remote site. In addition to the RADIUS server, the remote site must also have a Fortinet 11ac AP configured as a relay AP. The remote RADIUS profile can be created per ESS profile using the controller's WebUI (Configuration > RADIUS) or the CLI. A remote RADIUS profile works like a regular profile and can be used as the primary or secondary RADIUS authentication and accounting server.

About Relay AP
  • The relay AP is primarily used for communication between the RADIUS server (in the remote site) and the controller in the headquarters.
  • An AP becomes a relay AP only when it is assigned in the RADIUS profile. Once an AP is assigned as a relay AP, it is recommended that you do not overload it with client WLAN services, as this can cause communication issues between the relay AP and the DC. For regular client WLAN services, we recommend using a different Fortinet access point. A remote RADIUS profile cannot have a secondary relay AP. For resilience, however, we recommend configuring an alternate (backup) RADIUS profile and assigning another AP as the relay AP for that backup profile; in the security profile, set this backup RADIUS profile as the secondary RADIUS server.


The following figure illustrates a simple scenario with local RADIUS deployment.

To configure remote RADIUS via the WebUI:

  1. In the Configuration > RADIUS > RADIUS Configuration Table – ADD page, set Remote Radius Server to ON (see 1 in Figure 2).
  2. Select the AP (Remote Radius Relay ApId) to be used as the relay AP (see 2 in Figure 2).


Configuring Using CLI

To enable the remote RADIUS server on a profile and assign the relay AP:

# configure terminal
(config)# radius-profile RemoteRadius
(config-radius)# remote-radius-server on
(config-radius)# radius-relay-apid XXX

XXX is the AP ID of the relay AP in the remote site.

To disable the remote RADIUS server on the profile:

# configure terminal
(config)# radius-profile RemoteRadius
(config-radius)# no remote-radius-server

To verify the profile settings:

# show radius-profile <remoteRadius-profile-name>

EXAMPLE

# show radius-profile site-a

RADIUS Configuration Table

RADIUS Profile Name      : site-a
Description              : Remote radius profile for Site-A
RADIUS IP                : 172.18.1.8     RADIUS Secret            : *****
RADIUS Port              : 1812
Remote Radius Server     : on
Remote Radius Relay ApId : 2
MAC Address Delimiter    : hyphen         Password Type            : shared-secret
Called-Station-ID Type   : default
Owner                    : controller
COA                      : on
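The output above is the only evidence an operator has that a remote profile is wired up correctly, and the "About Relay AP" section recommends a backup profile on a different relay AP. The following added example (not part of the FortiWLC guide or this post) parses that show-command layout and checks a primary profile and an optional backup against that guidance; the backup profile and its relay AP ID 7 are constructed values.

```python
import re

# Constructed sample in the layout of the `show radius-profile` output quoted
# on this page (field values copied from the page's site-a example).
PRIMARY_OUTPUT = """\
RADIUS Configuration Table
RADIUS Profile Name      : site-a
Description              : Remote radius profile for Site-A
RADIUS IP                : 172.18.1.8     RADIUS Secret            : *****
RADIUS Port              : 1812
Remote Radius Server     : on
Remote Radius Relay ApId : 2
MAC Address Delimiter    : hyphen         Password Type            : shared-secret
Called-Station-ID Type   : default
Owner                    : controller
COA                      : on
"""
# Hypothetical backup profile for the same site, relayed through a different AP.
BACKUP_OUTPUT = PRIMARY_OUTPUT.replace("site-a", "site-a-bkp").replace("ApId : 2", "ApId : 7")

# One "Key : value" field; a line may hold two fields separated by a run of spaces.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z\- ]*?)\s*:\s*(.*?)(?=\s{2,}\S|$)")

def parse_radius_profile(text):
    """Turn show-command output into a {field name: value} dict."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line.strip()):
            fields[key.strip()] = value.strip()
    return fields

def check_remote_profiles(primary, backup=None):
    """Apply the page's deployment guidance to a parsed remote RADIUS profile
    and its optional backup profile; return a list of findings (empty = OK)."""
    findings = []
    if primary.get("Remote Radius Server") != "on":
        findings.append("primary: Remote Radius Server is off")
    if not primary.get("Remote Radius Relay ApId", "").isdigit():
        findings.append("primary: no relay AP assigned (radius-relay-apid)")
    if backup is None:
        findings.append("no backup profile: a relay AP outage leaves the site without local AAA")
    else:
        if backup.get("Remote Radius Server") != "on":
            findings.append("backup: Remote Radius Server is off")
        if backup.get("Remote Radius Relay ApId") == primary.get("Remote Radius Relay ApId"):
            findings.append("backup: same relay AP as primary; a profile has one relay AP, so use another AP")
    return findings

if __name__ == "__main__":
    primary, backup = map(parse_radius_profile, (PRIMARY_OUTPUT, BACKUP_OUTPUT))
    print(check_remote_profiles(primary, backup) or "remote RADIUS profiles look consistent")
```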

This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
