RADIUS service

Before the FortiAuthenticator unit can accept RADIUS authentication requests from a FortiGate unit, the FortiGate unit must be registered as an authentication client on the FortiAuthenticator unit.

The FortiAuthenticator RADIUS server is already configured and running with default values. Each user account on the FortiAuthenticator unit has an option to authenticate the user using the RADIUS database.

Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one for the client change, and one to state that the RADIUS server was restarted to apply the change.

The FortiAuthenticator unit allows both local (RADIUS database) and remote authentication for RADIUS authentication client entries. If you want to use a remote server, you must configure it first so that you can select it in the RADIUS authentication client configuration, see Remote authentication servers. You can configure the built-in LDAP server before or after creating client entries, see LDAP service.

Clients

RADIUS authentication clients can be managed from Authentication > RADIUS Service > Clients.

Clients can be added, imported, deleted, edited, and cloned as needed.

To configure a RADIUS authentication client:
  1. From the RADIUS client list, select Create New to add a new RADIUS client. The Add RADIUS client window opens.
  2. Enter the following information:
    Name: A name to identify the FortiGate unit.
    Client name/IP: The FQDN or IP address of the unit.
    Secret: The RADIUS shared secret that the FortiGate unit will use.
    Description: Optionally, enter information about the FortiGate unit.
    Authentication method: Select one of the following:
    • Enforce two-factor authentication
    • Apply two-factor authentication if available (authenticate any user)
    • Password-only authentication (exclude users without a password)
    • FortiToken-only authentication (exclude users without a FortiToken)
    Username input format: Select one of the following three username input formats:
    • username@realm
    • realm\username
    • realm/username
    Realms: Add the realms with which the client will be associated. See Realms.
    • Select a realm from the drop-down list in the Realm column.
    • Select whether or not to allow local users to override remote users for the selected realm.
    • Select whether or not to use Windows AD domain authentication.
    • Edit the group filter as needed, that is, filter users based on the groups they are in.
    • If necessary, add more realms to the list.
    • Select the realm that will be the default realm for this client.
    Allow MAC-based authentication: To allow 802.1X authentication for non-interactive devices, FortiAuthenticator can identify a device by its MAC address and bypass the usual authentication for it.
    This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. Enter these devices in Authentication > User Management > MAC Devices. For more information, see MAC devices.
      Require Call-Check attribute for MAC-based auth: The FortiAuthenticator unit expects the User-Name and User-Password attributes to be set to the source MAC address. This option additionally requires a Service-Type attribute set to Call Check and a Calling-Station-Id attribute set to the source MAC address.
    Check machine authentication: Select to check machine-based authentication, and apply groups based on the success or failure of that authentication. See Machine authentication.
      Override group membership when: Select the conditions under which group membership can be overridden from the Only machine-authenticated and Only user-authenticated drop-down lists.
    EAP types: Select the 802.1X EAP authentication types to accept. If you require mutual authentication, select EAP-TLS.
    For more information, see EAP.
  3. Select OK to add the new RADIUS client.
If authentication is failing, check that the authentication client is configured and that its IP address is correctly specified. Common causes of problems are:
  • RADIUS packets being sent from an unexpected interface, or IP address.
  • NAT being performed between the authentication client and the FortiAuthenticator unit.
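As an added example, not FortiAuthenticator or Fortinet code, the following Python builds the RADIUS Access-Request that a switch or access point sends for MAC-based authentication when Require Call-Check attribute is enabled, and a server-side check that mirrors what that option demands: User-Name, User-Password and Calling-Station-Id all equal to the source MAC, and Service-Type set to Call Check (value 10 in RFC 2865). Packet layout and the User-Password hiding follow RFC 2865. The shared secret, NAS address and the hyphenated MAC string are constructed for the example; use whatever MAC format the device is registered with under MAC Devices.

```python
# Added example (not Fortinet code): RFC 2865 Access-Request for MAC-based
# authentication with Service-Type = Call-Check, plus the matching server check.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute types used here
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 4, 6, 31
SERVICE_TYPE_CALL_CHECK = 10


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password. Padding zeros are stripped, so this is
    only exact for passwords that do not end in a NUL byte (MAC strings are fine)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_auth_request(mac: str, secret: bytes, nas_ip: str,
                           identifier: int = 0, authenticator: bytes = b"") -> bytes:
    """What the NAS sends: the MAC in User-Name, User-Password (hidden) and
    Calling-Station-Id, and Service-Type = Call-Check. The MAC text format is
    an assumption of this example. Message-Authenticator is omitted."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    mac_b = mac.encode()
    attrs = (avp(USER_NAME, mac_b)
             + avp(USER_PASSWORD, encrypt_password(mac_b, secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + avp(CALLING_STATION_ID, mac_b))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value}, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def check_call_check_request(packet: bytes, secret: bytes) -> bool:
    """Server-side view of 'Require Call-Check attribute for MAC-based auth':
    User-Name and User-Password must equal the MAC in Calling-Station-Id and
    Service-Type must be Call-Check; anything else (or a wrong secret) fails."""
    try:
        attrs = parse_attributes(packet)
        mac = attrs[CALLING_STATION_ID]
        return (attrs[USER_NAME] == mac
                and decrypt_password(attrs[USER_PASSWORD], secret, packet[4:20]) == mac
                and struct.unpack("!I", attrs[SERVICE_TYPE])[0] == SERVICE_TYPE_CALL_CHECK)
    except (KeyError, ValueError, struct.error):
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    pkt = build_mac_auth_request("00-11-22-33-44-55", secret, "10.0.0.1", identifier=7)
    print(len(pkt), "bytes; valid:", check_call_check_request(pkt, secret))
    print("wrong secret accepted:", check_call_check_request(pkt, b"wrong-secret"))
```

The second print line is the troubleshooting case from the list above: a client entry with the wrong secret does not yield a protocol error, the decrypted User-Password simply no longer matches the MAC and the request is rejected, which is indistinguishable on the wire from a bad credential. Requests carrying EAP-Message must also include Message-Authenticator (RFC 3579), which this PAP-style example leaves out.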

Client profile attributes

FortiAuthenticator supports a single authentication profile for each RADIUS Auth Client. Because RADIUS authentication requests for different purposes (for example IPsec/SSL VPN, Web Filtering Override, Wireless Authentication, and so on) all originate from the same FortiGate IP address, they would otherwise all be handled by that one profile. To distinguish the different authentication requirements, you can add attributes to them.

Attributes (which can be added to authentication requirements) indicate the type of service the user has requested, or the type of service to be provided.

Each FortiAuthenticator Auth Client Profile can contain up to two RADIUS Attributes.

To match a profile, all attributes specified in that profile must match the request; if they do not, processing falls through to the next profile (profiles are processed in top-down order).

The profiles created can be re-arranged in terms of priority. FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each profile, starting with the highest-priority profile, and moves down the list until it finds a match. FortiAuthenticator uses the first profile that it matches.
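The following Python is an added example, not FortiAuthenticator code, of the matching rule just described: profiles hold at most two attribute conditions, all conditions of a profile must match, and the first match in priority order wins. It also includes a small lint that finds profiles which can never be selected because an earlier, less specific profile always matches first. The profile names and the attribute values (standard NAS-Port-Type and Service-Type strings) are constructed for the example.

```python
# Added example (not Fortinet code): first-match, top-down profile selection
# on RADIUS attributes, plus a check for profiles shadowed by earlier ones.

MAX_ATTRS_PER_PROFILE = 2   # limit stated for FortiAuthenticator auth client profiles


def match_profile(request_attrs: dict, profiles: list):
    """profiles: ordered list of (name, {attribute: value}), highest priority first.
    Returns the name of the first profile whose every condition the request
    satisfies, or None if no profile matches."""
    for name, required in profiles:
        if len(required) > MAX_ATTRS_PER_PROFILE:
            raise ValueError(f"profile {name!r} has more than {MAX_ATTRS_PER_PROFILE} attributes")
        if all(request_attrs.get(attr) == value for attr, value in required.items()):
            return name
    return None


def shadowed_profiles(profiles: list) -> list:
    """Return (profile, shadowing_profile) pairs: any request matching the later
    profile also matches the earlier one, so the later profile is never used."""
    found = []
    for i, (name, required) in enumerate(profiles):
        for earlier_name, earlier_required in profiles[:i]:
            if all(required.get(attr) == value for attr, value in earlier_required.items()):
                found.append((name, earlier_name))
                break
    return found


# Constructed sample: VPN logins need both conditions, wireless one, then a catch-all.
PROFILES = [
    ("sslvpn-2fa", {"NAS-Port-Type": "Virtual", "Service-Type": "Login"}),
    ("wifi-dot1x", {"NAS-Port-Type": "Wireless-802.11"}),
    ("catch-all", {}),
]

if __name__ == "__main__":
    print(match_profile({"NAS-Port-Type": "Virtual", "Service-Type": "Login"}, PROFILES))
    print(match_profile({"NAS-Port-Type": "Virtual"}, PROFILES))      # falls to catch-all
    # Putting the catch-all first silently disables everything below it:
    reordered = [PROFILES[2], PROFILES[1], PROFILES[0]]
    print(shadowed_profiles(reordered))
```

Run `shadowed_profiles` against the configured order whenever profiles are re-arranged; a catch-all profile or one with a single broad attribute moved above more specific profiles is the usual reason a VPN or wireless request ends up with the wrong authentication requirements.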

Importing authentication clients

Authentication client information can be imported as a CSV file by selecting Import from the RADIUS client list.

The CSV file has one record per line, with the record format: client name (32 characters max), FQDN or IP address (128 characters max), secret (optional, 63 characters max).

Realms

Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. They support both LDAP and RADIUS remote servers. Each RADIUS realm is associated with a name, such as a domain or company name, that is used during the log in process to indicate the remote (or local) authentication server on which the user resides.

For example, the username of the user PJFry, belonging to the company P_Express, would become PJFry@P_Express, P_Express\PJFry, or P_Express/PJFry, depending on the selected format.

The FortiAuthenticator uses the specified realm to identify the back-end RADIUS or LDAP authentication server or servers that are used to authenticate the user.

Acceptable realms are configured per RADIUS client when configuring RADIUS service clients. See Clients.

To manage the realms, go to Authentication > RADIUS Service > Realms.

Create New: Select to create a new realm.
Delete: Select to delete the selected realm or realms.
Edit: Select to edit the selected realm.
Name: The names of the realms.
User Source: The source of the users in the realms.
To create a new realm:
  1. From the realms list, select Create New. The Create New Realm window opens.
  2. Enter a name for the realm in the Name field. The realm name may only contain letters, numbers, periods, hyphens, and underscores. It cannot start with a special character.
  3. Select the user source for the realm from the User source drop-down list. The options include local users, or users from specific RADIUS or LDAP servers.
  4. Select OK to create the new realm.
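The following Python is an added example, not FortiAuthenticator code, that ties together the Username input format and default realm chosen in the RADIUS client configuration (see Clients) with the realm list and realm-name rule above: it splits a login into user and realm for each of the three formats, falls back to the client's default realm when no realm is given, rejects realms the client is not associated with, and validates candidate realm names. The client definition, user sources and the choice to treat the last "@" as the separator in username@realm (so that e-mail-style user names survive) are assumptions of this example.

```python
# Added example (not Fortinet code): realm extraction and validation for the
# three username input formats and the per-client default realm.
import re

# Letters, numbers, periods, hyphens and underscores; must not start with a special character.
REALM_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# input format -> (separator, which side of the separator holds the realm)
FORMATS = {
    "username@realm": ("@", "right"),
    "realm\\username": ("\\", "left"),
    "realm/username": ("/", "left"),
}


def valid_realm_name(name: str) -> bool:
    return bool(REALM_NAME.match(name))


def split_login(login: str, input_format: str, default_realm: str):
    """Return (user, realm). A login without a realm part gets the default realm."""
    sep, realm_side = FORMATS[input_format]
    if sep not in login:
        return login, default_realm
    if realm_side == "right":
        # assumption: split on the last '@' so 'pjfry@mail.example@P_Express' keeps its user part
        user, _, realm = login.rpartition(sep)
    else:
        realm, _, user = login.partition(sep)
    return user, realm


def route_login(login: str, client: dict):
    """client: {'input_format', 'default_realm', 'realms': {realm name: user source}}.
    Returns (user, realm, user source), or None when the realm is not one
    the client is associated with, which should be rejected rather than
    silently sent to the default realm."""
    user, realm = split_login(login, client["input_format"], client["default_realm"])
    if not user or realm not in client["realms"]:
        return None
    return user, realm, client["realms"][realm]


# Constructed sample client, as it would be entered under RADIUS Service > Clients.
CLIENT = {
    "input_format": "username@realm",
    "default_realm": "P_Express",
    "realms": {"P_Express": "LDAP: ad.p-express.example", "local": "Local users"},
}

if __name__ == "__main__":
    for login in ("PJFry@P_Express", "PJFry", "PJFry@local", "PJFry@Planet_Express"):
        print(login, "->", route_login(login, CLIENT))
    print(split_login("P_Express\\PJFry", "realm\\username", "local"))
    print(split_login("P_Express/PJFry", "realm/username", "local"))
```

Note that a login written in a format other than the one configured for the client (for example P_Express/PJFry sent to a client set to username@realm) is treated as a bare user name in the default realm, which is worth remembering when a user "in the wrong realm" cannot log in.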

Extensible authentication protocol

The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. EAP settings can be configured from Authentication > RADIUS Service > EAP. See EAP for more information.
