Chapter 3 Authentication for FortiOS 5.0 : Authentication servers : RADIUS servers : Configuring the FortiGate unit to use a RADIUS server
  
Configuring the FortiGate unit to use a RADIUS server
The information you need to configure the FortiGate unit to use a RADIUS server includes:
- the RADIUS server's domain name or IP address
- the RADIUS server's shared secret key
You can optionally specify the NAS IP or Called Station ID. When you configure the FortiGate to use a RADIUS server, the FortiGate acts as a Network Access Server (NAS). If the FortiGate interface has multiple IP addresses, or you want the RADIUS requests to come from a different address, you can specify that address here. Called Station ID applies to carrier networks. If the NAS IP is not included in the RADIUS configuration, the IP address of the FortiGate interface that communicates with the RADIUS server is used instead.
A maximum of 10 remote RADIUS servers can be configured on the FortiGate unit. One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see “Creating users”.
On the FortiGate unit, the default port for RADIUS traffic is 1812. Some RADIUS servers use port 1645. If this is the case with your server, you can either:
Re-configure the RADIUS server to use port 1812. See your RADIUS server documentation for more information on this procedure.
or
Change the FortiGate unit default RADIUS port to 1645 using the CLI:
config system global
set radius-port 1645
end
One wildcard admin account can be added to the FortiGate unit when using RADIUS authentication. This uses the wildcard character to allow multiple admin accounts on RADIUS to use a single account on the FortiGate unit. See “Example — wildcard admin accounts - CLI”.
To configure the FortiGate unit for RADIUS authentication - web-based manager
1. Go to User & Device > Authentication > RADIUS Servers and select Create New.
2. Enter the following information and select OK.
Name
A name to identify the RADIUS server on the FortiGate unit.
Primary Server Name/IP
Enter the domain name (such as fgt.example.com) or the IP address of the RADIUS server.
Primary Server Secret
Enter the server secret key, such as radiusSecret. This can be a maximum of 16 characters long.
This must match the secret on the RADIUS primary server.
Secondary Server Name/IP
Optionally, enter the domain name (such as fgt.example.com) or the IP address of the secondary RADIUS server.
Secondary Server Secret
Optionally, enter the secondary server secret key, such as radiusSecret2. This can be a maximum of 16 characters long.
This must match the secret on the RADIUS secondary server.
Authentication Scheme
If you know the RADIUS server uses a specific authentication protocol, select it from the list. Otherwise select Use Default Authentication Scheme. The Default option will usually work.
NAS IP / Called Station ID
Enter the IP address to be used as an attribute in RADIUS access requests.
NAS-IP-Address is the value configured in this RADIUS setting; if it is not configured, the IP address of the FortiGate interface used to talk to the RADIUS server is sent instead.
Called Station ID is the same value as NAS-IP-Address, but in text format.
Include in every User Group
When enabled this RADIUS server will automatically be included in all user groups. This is useful if all users will be authenticating with the remote RADIUS server.
 
For Mac OS and iOS devices to authenticate, you must use MS-CHAP-v2 authentication. In the CLI, the command is set auth-type ms_chap_v2.
3. Select OK.
To configure the FortiGate unit for RADIUS authentication - CLI example
config user radius
edit ourRADIUS
set auth-type auto
set server 10.11.102.100
set secret radiusSecret
end
For more information about RADIUS server options, refer to the FortiGate CLI Reference.
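The following Python is an added illustration, not code from the FortiOS documentation or the FortiGate itself. It builds the PAP Access-Request that a NAS such as the FortiGate sends to port 1812, carrying the NAS-IP-Address attribute described above, and shows why the shared secret must match on both sides: the secret hides the User-Password on the way out and authenticates the server's reply on the way back. User name, password, secret and addresses are constructed sample values.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 codes and attribute types used below; 1812 is the FortiGate default port
ACCESS_REQUEST, ACCESS_ACCEPT, RADIUS_AUTH_PORT = 1, 2, 1812
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password, secret, authenticator):
    # NAS side (RFC 2865 5.2): pad to 16-byte blocks and XOR each block with
    # MD5(secret + previous output block), seeded by the Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], md5(secret, prev)))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Server side: undo the hiding; with a wrong shared secret this yields garbage
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_access_request(ident, secret, user, password, nas_ip, authenticator=None):
    # The Access-Request a NAS such as the FortiGate sends; NAS-IP-Address carries
    # the configured NAS IP (or the egress interface address when none is set)
    auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    return md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), request_auth, attrs, secret)

def verify_reply(reply, request_auth, secret):
    # NAS side: trust a reply only if its authenticator proves the server knows the secret
    code, ident, length = struct.unpack("!BBH", reply[:4])
    return reply[4:20] == response_authenticator(code, ident, reply[20:length], request_auth, secret)
```

Only the PAP (User-Password) scheme is shown; the MS-CHAP-v2 scheme required for Mac OS and iOS devices uses different attributes and is not covered here.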