Before the FortiAuthenticator unit can accept RADIUS authentication requests from a FortiGate unit, the FortiGate unit must be registered as an authentication client on the FortiAuthenticator unit.
The FortiAuthenticator RADIUS server is already configured and running with default values. Each user account on the FortiAuthenticator unit has an option to authenticate the user using the RADIUS database.
Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one for the client change, and one to state that the RADIUS server was restarted to apply the change.
The FortiAuthenticator unit allows both RADIUS and remote authentication for RADIUS authentication client entries. If you want to use a remote server, you must configure it first so that you can select it in the RADIUS authentication client configuration; see Remote authentication servers. You can configure the built-in LDAP server before or after creating client entries; see LDAP service.
RADIUS accounting clients can be managed from Authentication > RADIUS Service > Clients.
Clients can be added, imported, deleted, edited, and cloned as needed.
| Setting | Description |
| --- | --- |
| Name | A name to identify the FortiGate unit. |
| Client name/IP | The FQDN or IP address of the unit. |
| Secret | The RADIUS passphrase that the FortiGate unit will use. |
| Description | Optionally, enter information about the FortiGate unit. |
| Authentication method | Select one of the following: |
| Username input format | Select one of the following three username input formats: |
| Realms | Add realms to which the client will be associated. See Realms. |
| Allow MAC-based authentication | To allow 802.1X authentication for non-interactive devices, FortiAuthenticator can identify and bypass authentication for a device based on its MAC address. This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. Enter these units in Authentication > User Management > MAC Devices. For more information, see MAC devices. |
| Require Call-Check attribute for MAC-based auth | The FortiAuthenticator unit expects the username and password attributes to be set to the source MAC address. This option also requires a Service-Type attribute set to Call Check and a Calling-Station-Id attribute set to the source MAC address. |
| Check machine authentication | Select to check machine-based authentication, and apply groups based on the success or failure of the authentication. See Machine authentication. |
| Override group membership when | Select the conditions for when a group membership can be overridden from the Only machine-authenticated and Only user-authenticated drop-down lists. |
| EAP types | Select the 802.1X EAP authentication types to accept. If you require mutual authentication, select EAP-TLS. For more information, see EAP. |
If authentication is failing, check that the authentication client is configured and that its IP address is correctly specified. Common causes of problems are:
Authentication client information can be imported as a CSV file by selecting Import from the RADIUS client list.
The CSV file has one record per line, with the record format: client name (32 characters max), FQDN or IP address (128 characters max), secret (optional, 63 characters max).
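As an added example (not part of the Fortinet documentation), the following Python script checks a client import file against the record format and field limits stated above before it is uploaded, so that malformed addresses or clients without a shared secret are caught first. The FQDN label rule and the sample records are assumptions constructed for the example.

```python
import csv
import io
import ipaddress
import re

# Field limits documented for the RADIUS client CSV import.
MAX_NAME, MAX_ADDR, MAX_SECRET = 32, 128, 63
# Assumption: an FQDN is a dot-separated list of RFC 1123-style labels, not all numeric.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_fqdn_or_ip(value: str) -> bool:
    """Accept an IPv4/IPv6 address or a syntactically valid FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if not value or all(lbl.isdigit() for lbl in labels):
        return False  # empty, or a malformed address such as 999.1.1.1
    return all(_LABEL.match(lbl) for lbl in labels)


def validate_client_csv(text: str) -> list[tuple[int, str]]:
    """Return (line, problem) pairs; an empty list means the file looks clean."""
    problems = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) not in (2, 3):
            problems.append((lineno, f"expected 2 or 3 fields, got {len(row)}"))
            continue
        name, addr = row[0].strip(), row[1].strip()
        secret = row[2] if len(row) == 3 else ""
        if not name or len(name) > MAX_NAME:
            problems.append((lineno, "client name empty or longer than 32 characters"))
        if len(addr) > MAX_ADDR or not _is_fqdn_or_ip(addr):
            problems.append((lineno, "client name/IP is not a valid FQDN or IP address"))
        if len(secret) > MAX_SECRET:
            problems.append((lineno, "secret longer than 63 characters"))
        elif not secret:
            problems.append((lineno, "secret omitted; set one before the client goes live"))
    return problems


# Constructed sample file (not real infrastructure); lines 2-4 each carry a defect.
SAMPLE = """fgt-core-01,192.0.2.10,C0rrectH0rse-Battery-Staple
fgt-branch-02,fw02.example.net
x,999.1.1.1,short
fgt-dc-03,10.0.0.5,a,b
"""
```

Running `validate_client_csv(SAMPLE)` reports the missing secret on line 2, the malformed address on line 3 and the extra field on line 4, while line 1 passes.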
Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. They support both LDAP and RADIUS remote servers. Each RADIUS realm is associated with a name, such as a domain or company name, that is used during the login process to indicate the remote (or local) authentication server on which the user resides.
For example, the username of the user PJFry, belonging to the company P_Express would become any of the following, depending on the selected format:
The FortiAuthenticator uses the specified realm to identify the back-end RADIUS or LDAP authentication server or servers that are used to authenticate the user.
Acceptable realms can be configured on a per-client basis when configuring RADIUS service clients. See Clients.
To manage the realms, go to Authentication > RADIUS Service > Realms.
The realm name may only contain letters, numbers, periods, hyphens, and underscores. It cannot start with a special character.
The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. EAP settings can be configured from Authentication > RADIUS Service > EAP. See EAP for more information.