user : radius
 
radius
Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default RADIUS port. You may set a different port for each of your RADIUS servers. The maximum number of remote RADIUS servers that can be configured for authentication is 10.
Each authentication request carries additional attributes so the RADIUS server can make policy decisions. Their values come from server, use-management-vdom, nas-ip, and the config match subcommand of config user group. The attributes include:
NAS-IP-Address - the nas-ip setting or, if nas-ip is not configured, the IP address of the FortiGate interface used to reach the RADIUS server
NAS-Port - physical interface number of the traffic that triggered the authentication
Called-Station-ID - the same value as NAS-IP-Address, but as a text string
Fortinet-Vdom-Name - name of the VDOM of the traffic that triggered the authentication (sent as a Fortinet vendor-specific attribute)
NAS-Identifier - the configured hostname in non-HA mode; the HA cluster group name in HA mode
Acct-Session-ID - unique ID identifying the authentication session
Connect-Info - identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)
You may select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-CHAP-v2. With PAP the password travels hidden only by an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865), so the strength of the shared secret and the network path between the FortiGate and the server are what protect it; the challenge-based methods never place the password itself in the packet.
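As an added example (not code from the FortiOS documentation or from Fortinet), the following Python builds the Access-Request described above with the attributes listed, including the RFC 2865 User-Password hiding that PAP relies on. The Fortinet vendor ID 12356 and sub-attribute number 3 for Fortinet-Vdom-Name are assumed from the public Fortinet RADIUS dictionary; the user name, addresses, session ID and secret are constructed sample values.

```python
"""Encode the RADIUS Access-Request a FortiGate-style NAS sends (added example, not Fortinet code)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# Standard attribute type numbers (RFC 2865, RFC 2866, RFC 2869)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
VENDOR_SPECIFIC, CALLED_STATION_ID, NAS_IDENTIFIER = 26, 30, 32
ACCT_SESSION_ID, CONNECT_INFO = 44, 77
FORTINET_VENDOR_ID = 12356   # assumption: Fortinet's enterprise number, per the public Fortinet dictionary
FORTINET_VDOM_NAME = 3       # assumption: Fortinet-Vdom-Name sub-attribute number in that dictionary


def attr(atype, value):
    """One attribute: Type, Length (value + 2-byte header), Value; values are capped at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vtype, value):
    """Vendor-Specific (26): 4-byte vendor ID followed by one vendor sub-attribute in the same TLV form."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. This is all PAP does for the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """The server side: the same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, nas_port,
                         nas_identifier, vdom, session_id, service, authenticator=None):
    """Code 1 + Identifier + Length + 16-byte random Request Authenticator + attributes."""
    authenticator = authenticator or os.urandom(16)
    ip_bytes = bytes(int(octet) for octet in nas_ip.split("."))
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
            + attr(NAS_IP_ADDRESS, ip_bytes)
            + attr(NAS_PORT, struct.pack("!I", nas_port))
            + attr(CALLED_STATION_ID, nas_ip.encode())          # same address as NAS-IP-Address, as text
            + attr(NAS_IDENTIFIER, nas_identifier.encode())
            + attr(ACCT_SESSION_ID, session_id.encode())
            + attr(CONNECT_INFO, service.encode())              # e.g. "admin-login" or "vpn-ssl"
            + vsa(FORTINET_VENDOR_ID, FORTINET_VDOM_NAME, vdom.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body
```

The password hiding is an XOR against an MD5 keystream keyed by the shared secret, not encryption in any modern sense: anyone who captures the packet and knows or brute-forces the secret (at most 16 characters here) can run unhide_password on it, which is why the choice of auth-type and the path between FortiGate and server both matter.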
Syntax
config user radius
edit <server_name>
set acct-interim-interval <sec_int>
set all-usergroup {enable | disable}
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set h3c-compatibility {enable | disable}
set nas-ip <use_ip>
set radius-port <radius_port_num>
set secret <server_password>
set server <domain>
set secondary-secret <sec_server_password>
set secondary-server <sec_server_domain>
set tertiary-secret <ter_server_password>
set tertiary-server <ter_domain>
set source-ip <ipv4_addr>
set timeout <secs_int>
set use-management-vdom {enable | disable}
set rsso {enable | disable}
set rsso-context-timeout <timeout_seconds>
set rsso-endpoint-attribute <RADIUS_attribute>
set rsso-endpoint-block-attribute <RADIUS_attribute>
set rsso-flush-ip-session {enable | disable}
set rsso-log-flags <lflags>
set rsso-log-period <log_time>
set rsso-radius-response {enable | disable}
set rsso-radius-server-port <RADIUS_listen_port>
set rsso-secret <server_password>
set rsso-validate-request-secret {enable | disable}
set sso-attribute <RADIUS_attribute>
set sso-attribute-key <profile_attribute_key>
config accounting-server
edit <id_int>
set status {enable | disable}
set server <domain | IP>
set secret <server_password>
set source-ip <ipv4_addr>
end
end
Variable
Description
Default
edit <server_name>
Enter a name to identify the RADIUS server.
Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
 
acct-interim-interval <sec_int>
Enter the number of seconds between each accounting interim update message. Range 600 to 86400 seconds.
0
all-usergroup {enable | disable}
Enable to automatically include this RADIUS server in all user groups.
disable
auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
Select the authentication method for this RADIUS server.
auto uses pap, ms_chap_v2, and chap.
auto
h3c-compatibility {enable | disable}
Enable compatibility with the H3C Intelligent Management Platform (IMC) server. The supplicant requests 802.1X authentication and then sends a second phase security check request to the H3C IMC server.
disable
nas-ip <use_ip>
IP address sent as the NAS-IP-Address and Called-Station-ID attributes in RADIUS Access-Requests. If not configured, the IP address of the FortiGate interface used to reach the RADIUS server is used.
No default.
radius-port <radius_port_num>
Change the default RADIUS port for this server. The default port for RADIUS traffic is 1812. Range is 0..65535.
1812
secret <server_password>
Enter the RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.
No default.
server <domain>
Enter the RADIUS server domain name or IP address. The host name must comply with RFC1035.
No default.
secondary-secret <sec_server_password>
Enter the secondary RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.
No default.
secondary-server <sec_server_domain>
Enter the secondary RADIUS server domain name or IP address.
No default.
tertiary-secret <ter_server_password>
Enter the tertiary RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.
No default.
tertiary-server <ter_domain>
Optionally, enter the tertiary RADIUS server domain name or IP address.
No default.
source-ip <ipv4_addr>
Enter the source IP for communications to RADIUS server.
0.0.0.0
timeout <secs_int>
Enter the time in seconds to wait for a reply before an authentication request is resent. Requests are resent within the remoteauthtimeout period set in config system global.
5
use-management-vdom {enable | disable}
Enable to use the management VDOM to send all RADIUS requests.
disable
Variable 
Description 
Default 
config accounting-server fields
status {enable | disable}
Enable or disable accounting server configuration.
disable
server <domain | IP>
Enter the accounting server domain name or IP address.
No default.
secret <server_password>
Enter the accounting server shared secret. The server secret key should be a maximum of 16 characters in length.
No default.
source-ip <ipv4_addr>
Enter the source IP for communications to the accounting server.
0.0.0.0
Variable
Description
Default
RADIUS SSO fields
rsso {enable | disable}
Enable RADIUS single sign-on (RSSO). FortiOS then listens for RADIUS accounting records on rsso-radius-server-port, and the other rsso-* settings become available.
disable
rsso-context-timeout <timeout_seconds>
When the FortiGate unit receives a RADIUS Start record, the user is added to a "user context list" of logged-on users. The user is considered logged on until the FortiGate unit receives a RADIUS Stop record for the user's end point, or until this timeout expires with no communication from the end point.
This timeout is only required if FortiOS does not receive RADIUS Stop records. However, even if the accounting system does send RADIUS Stop records, set this timeout in case the FortiGate unit misses one.
The default is 28800 seconds (8 hours). A relatively long timeout is usually fine, because a long context list is not normally a problem, but entries that are no longer used should still be removed regularly. If the timeout is too short, user context entries may be removed prematurely. Set the timeout to 0 if you do not want FortiOS to remove entries except in response to RADIUS Stop records.
28800
rsso-endpoint-attribute <RADIUS_attribute>
To extract the user end point identifier from the RADIUS Start record, this field must be set to the name of the RADIUS attribute that contains the end point identifier. You can select the RADIUS_attribute from the list or enter an attribute name. The RADIUS_attribute must match one of the RADIUS attributes in the list. The RADIUS_attribute is case sensitive.
Calling-Station-Id
rsso-endpoint-block-attribute <RADIUS_attribute>
This field specifies a RADIUS attribute that can be used to block a user. If the attribute value is “Block”, FortiOS blocks all traffic from the user’s IP address.
Called-Station-Id
rsso-flush-ip-session {enable | disable}
Enable to flush user IP sessions on RADIUS accounting stop messages.
disable
rsso-log-flags <lflags>
Enter one or more of the following options to configure FortiOS to write event log messages for RADIUS SSO events. You can enter multiple options, separated by spaces.
none — Disable logging of RADIUS SSO events.
accounting-event — Write an event log message when FortiOS does not find the expected information in a RADIUS record, for example when a record contains more than the expected number of addresses.
accounting-stop-missed — Write an event log message whenever a user context entry timeout expires, indicating that FortiOS removed an entry from the user context list without receiving a RADIUS Stop record.
context-missing — Write an event log message whenever a user context creation timeout expires, indicating that FortiOS could not match a communication session because no matching entry was found in the user context list.
endpoint-block — Write an event log message whenever a user is blocked because the attribute specified in rsso-endpoint-block-attribute has the value "Block".
profile-missing — Write an event log message whenever FortiOS cannot find a group name in a RADIUS Start record that matches the name of an RSSO user group in FortiOS.
protocol-error — Write an event log message if RADIUS protocol errors occur, for example when the authenticator of a RADIUS record does not match the secret configured in rsso-secret.
radiusd-other — Write event log messages for other events; the event is described in the log message. For example, a log message is written if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.
All options except none.
rsso-log-period <log_time>
The time in seconds over which event log messages for RADIUS SSO events are grouped. For example, if the log period is 30 seconds, FortiOS generates groups of event log messages every 30 seconds instead of generating event log messages continuously, and the log messages generated each period contain a count of how many events of that type occurred.
If set to 0, FortiOS generates all event log messages in real time.
0
rsso-radius-response {enable | disable}
Enable if you want FortiOS to send RADIUS Accounting-Response messages after receiving RADIUS Start and Stop records. Some accounting systems require a response and retransmit records until they receive one.
disable
rsso-radius-server-port <RADIUS_listen_port>
If required, change the UDP port number to which the RADIUS accounting server sends its records. FortiOS listens for RADIUS Start and Stop records on this port.
1813
rsso-secret <server_password>
Enter the shared secret of the RADIUS accounting server. FortiOS uses it to validate incoming records when rsso-validate-request-secret is enabled and to sign the responses sent when rsso-radius-response is enabled.
No default
rsso-validate-request-secret {enable | disable}
Enable to verify that each RADIUS Start or Stop record was signed with the secret configured in rsso-secret. Without this check, any host that can send UDP traffic to rsso-radius-server-port can inject a Start record and have its chosen IP address treated as a logged-on member of the group named in the record, so enable it whenever the accounting server supports it.
disable
sso-attribute <RADIUS_attribute>
To extract a profile group name from the RADIUS Start record, this field must be set to the name of the RADIUS attribute that contains the profile group name. You can select the RADIUS_attribute from the list or enter an attribute name. The RADIUS_attribute must match one of the RADIUS attributes in the list. The RADIUS_attribute is case sensitive.
Class
sso-attribute-key <profile_attribute_key>
Enter a string if the profile attribute contains more data than just the profile group name. The profile key is a text string that always comes directly before the profile group name in the profile attribute. For example, if the profile group name always follows the text string profile, the class attribute could include the string: profile=<profile_name_str>. Where <profile_name_str> is the name of the profile group. Maximum 36 characters.
No default.
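The following is an added example, not FortiOS code, showing what the RSSO settings above control when accounting records arrive: the Request Authenticator check behind rsso-validate-request-secret, extraction of the end point (rsso-endpoint-attribute), the group (sso-attribute together with sso-attribute-key) and the block marker (rsso-endpoint-block-attribute), the user context list with rsso-context-timeout expiry, and the Accounting-Response sent when rsso-radius-response is enabled. Packet layouts follow RFC 2866; the RssoAgent class, its method names and its return strings are assumptions of this example, and the secret, addresses and group names are constructed sample values.

```python
"""RSSO-style handling of RADIUS accounting Start/Stop records (added example, not FortiOS code)."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
CLASS, CALLED_STATION_ID, CALLING_STATION_ID, ACCT_STATUS_TYPE = 25, 30, 31, 40
START, STOP = 1, 2                     # Acct-Status-Type values (RFC 2866)
# Attribute names as the rsso-* settings spell them, mapped to their RFC type numbers.
ATTR_TYPE = {"Class": CLASS, "Called-Station-Id": CALLED_STATION_ID,
             "Calling-Station-Id": CALLING_STATION_ID, "Framed-IP-Address": 8}


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return (type, value) pairs from the attribute area after the 20-byte header."""
    pos, out = 20, []
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def request_authenticator_valid(packet, secret):
    """RFC 2866: Authenticator = MD5(Code + ID + Length + 16 zero bytes + attributes + secret)."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_request(identifier, secret, status, calling, called, klass):
    """What an accounting client sends; used here only to construct sample records."""
    body = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status)) + attr(CALLING_STATION_ID, calling.encode())
            + attr(CALLED_STATION_ID, called) + attr(CLASS, klass))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def accounting_response(packet, secret):
    """Accounting-Response (rsso-radius-response): MD5(Code + ID + Length + request authenticator + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, packet[1], 20)
    return header + hashlib.md5(header + packet[4:20] + secret).digest()


class RssoAgent:
    def __init__(self, secret, known_groups, validate_secret=True, context_timeout=28800,
                 endpoint_attr="Calling-Station-Id", block_attr="Called-Station-Id",
                 sso_attr="Class", sso_attr_key=""):
        self.secret, self.known_groups = secret, set(known_groups)
        self.validate_secret, self.context_timeout = validate_secret, context_timeout
        self.endpoint_attr, self.block_attr = ATTR_TYPE[endpoint_attr], ATTR_TYPE[block_attr]
        self.sso_attr, self.sso_attr_key = ATTR_TYPE[sso_attr], sso_attr_key
        self.context = {}                  # end point -> (group, time of last record)
        self.blocked = set()

    def handle(self, packet, now):
        """Process one record; returns 'start', 'stop', or the rsso-log-flags event it would raise."""
        if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
            return "ignored"
        if self.validate_secret and not request_authenticator_valid(packet, self.secret):
            return "protocol-error"          # forged or wrong-secret record is dropped
        attrs = dict(parse_attributes(packet))
        status = struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, b"\0\0\0\0"))[0]
        endpoint = attrs.get(self.endpoint_attr, b"").decode("ascii", "replace")
        if not endpoint:
            return "accounting-event"        # record lacks the end point identifier
        if status == STOP:
            self.context.pop(endpoint, None)
            return "stop"
        if status != START:
            return "ignored"
        if attrs.get(self.block_attr) == b"Block":
            self.blocked.add(endpoint)
            return "endpoint-block"
        group = self.group_from(attrs.get(self.sso_attr, b"").decode("ascii", "replace"))
        if group not in self.known_groups:
            return "profile-missing"
        self.context[endpoint] = (group, now)
        return "start"

    def group_from(self, value):
        """sso-attribute-key: the group name is whatever follows the key string in the attribute."""
        if self.sso_attr_key:
            idx = value.find(self.sso_attr_key)
            return None if idx < 0 else value[idx + len(self.sso_attr_key):]
        return value or None

    def expire(self, now):
        """rsso-context-timeout: drop entries that never got a Stop; 0 means keep them until a Stop."""
        if self.context_timeout == 0:
            return []
        stale = [ep for ep, (_, seen) in self.context.items() if now - seen > self.context_timeout]
        for ep in stale:
            del self.context[ep]             # each one is an accounting-stop-missed event
        return stale
```

The forged-record case is the one to keep in mind: with validate_secret=False the agent accepts a Start record built with any secret at all, which is the behaviour rsso-validate-request-secret disabled gives a FortiGate, so an attacker who can reach the listening port can map an IP address of their choosing onto an RSSO group.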