Administration Guide

Policies

RADIUS policy configuration is available in Authentication > RADIUS Service > Policies.

FortiAuthenticator RADIUS authentication requires that RADIUS clients are assigned one or more policies. Policies can be created for Password/OTP, MAC authentication bypass (MAB), and EAP-TLS authentication.

To distinguish authentication requirements for clients, RADIUS attributes can be added to policies to indicate the type of service the user has requested or the type of service that is provided. Each policy can contain up to two RADIUS attributes.

FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each policy, starting with the top policy in the list, and moves down until a match is found. Policy priority can be re-ordered by selecting the up and down icons next to each policy in the list.

To configure a RADIUS policy:
  1. Go to Authentication > RADIUS Service > Policies, and click Create New to add a new RADIUS policy.
    The RADIUS Policy Creation Wizard is launched.
  2. Configure the RADIUS policy:
    Note

    Displayed configuration settings vary depending on the Authentication type selected. The list below contains all possible settings, but only settings that are applicable to your configuration are shown in the GUI.

    RADIUS clients

    The policy name, description, and clients.

    Policy name

    Enter a name to identify the RADIUS policy.

    Description

    Optionally, provide a description of the policy.

    RADIUS clients

    Choose the clients to which this policy applies.

    For more information, see Clients.

    RADIUS attribute criteria

    The attributes that must be present in the RADIUS authentication request in order to be processed by this policy.

    RADIUS authentication request must contain specific attributes

    When enabled, RADIUS authentication requests must contain specific attributes from the FortiAuthenticator's list of vendors, viewable at Authentication > RADIUS Service > Custom Dictionaries.

    Authentication type

    The type of end-user authentication used by this policy.

    Password/OTP authentication

    Configure password or one-time password authentication on selected realms.

    When Accept EAP is enabled, password/OTP authentication can be configured to accept EAP, including PEAP, EAP-TTLS, and EAP-GTC.

    MAC authentication bypass (MAB)

    Configure MAC authentication bypass (MAB) for certain devices, provided their MAC addresses appear in the User-Name, User-Password, and Calling-Station-Id attributes.

    Client Certificates (EAP-TLS)

    Configure client certificates (EAP-TLS) to verify the certificate provided by the end-user. A certificate is deemed valid if ALL of the following conditions match the certificate binding settings of one of the configured local or remote users:

    • End-user certificate "Subject" has a CN value AND that value matches the "Common name" certificate binding setting of one of the configured local or remote users.
    • End-user certificate "Issuer" matches the "CA" certificate binding setting of that same configured user account.
    • End-user certificate is properly signed.
    • End-user certificate is NOT expired.

    For example, if an end-user provides a certificate with the following fields:

    • Subject: CN=SAM, OU=Sales, DC=Company, DC=com
    • Issuer: CN=MyCA, OU=IT, DC=Company, DC=com
    • Properly signed and not expired.

    This certificate would be deemed valid if it matches a configured user account with the following certificate binding settings:

    • Common name: Sam
    • CA: CN=MyCA, OU=IT, DC=Company, DC=com
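    The four binding checks above, worked through in code. This is an added example, not FortiAuthenticator's implementation: the certificate is a constructed record of the fields the checks read, the signature result is assumed to come from the TLS stack's chain verification, and the user list, CA name and clock are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ClientCert:
    subject: str           # DN string, e.g. "CN=SAM, OU=Sales, DC=Company, DC=com"
    issuer: str            # DN string of the issuing CA
    not_after: datetime
    signature_valid: bool  # assumed to come from the TLS stack's chain check

@dataclass
class UserBinding:         # a user's certificate binding settings
    username: str
    common_name: str
    ca: str

def parse_dn(dn):
    """Split 'CN=SAM, OU=Sales' into [('CN', 'SAM'), ('OU', 'Sales')], order kept."""
    pairs = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def cn_of(dn):
    return next((v for k, v in parse_dn(dn) if k == "CN"), None)

def match_binding(cert, users, now):
    """Username whose binding the certificate satisfies under all four checks, else None."""
    cn = cn_of(cert.subject)
    if cn is None or not cert.signature_valid or cert.not_after <= now:
        return None
    for u in users:
        # The page binds CN=SAM to "Common name: Sam", so the CN comparison is
        # case-insensitive; the issuer must equal the CA setting attribute by attribute.
        if cn.casefold() == u.common_name.casefold() and parse_dn(cert.issuer) == parse_dn(u.ca):
            return u.username
    return None

# Constructed sample data mirroring the page's example; no real PKI is involved.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
MY_CA = "CN=MyCA, OU=IT, DC=Company, DC=com"
USERS = [UserBinding("sam", "Sam", MY_CA), UserBinding("bob", "Bob", MY_CA)]

def make_cert(subject, issuer=MY_CA, expires_year=2030, signature_valid=True):
    return ClientCert(subject, issuer, datetime(expires_year, 1, 1, tzinfo=timezone.utc), signature_valid)

def check(cert):
    """Convenience wrapper using the constructed clock and user list."""
    return match_binding(cert, USERS, NOW)
```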

    Identity source

    The identity sources against which to authenticate end-users.

    Identity source settings vary depending on the authentication type selected.

    Username format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username

    These settings are only displayed for Password/OTP and EAP-TLS authentication.

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.
    • Select whether or not to allow local users to override remote users for the selected realm.
    • Select whether or not to use Windows AD domain authentication.
    • Edit the group filter as needed to filter users based on the groups they are in.
    • If necessary, add more realms to the list.
    • Select the realm that will be the default realm for this client.

    These settings are only displayed for Password/OTP and EAP-TLS authentication.

    MAC groups

    Define the allowed and blocked groups for this feature.

    MAC groups must first be created under Authentication > User Management > User Groups, where the Type is MAC.

    Optionally, you can require the Call-Check attribute for MAC-based authentication.

    These settings are only displayed for MAC authentication bypass (MAB) authentication.
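    The top-down policy matching described at the start of this page, followed by the MAB checks (same MAC in User-Name, User-Password and Calling-Station-Id, allowed and blocked MAC groups, optional Call-Check requirement), worked through as an added example that is not FortiAuthenticator's code. The requests, policy list and MAC groups are constructed, and the Call-Check requirement is modelled as Service-Type=Call-Check, an assumption made here.

```python
import re
# Constructed RADIUS requests (attribute -> value); the MAB one repeats the MAC in all three attributes.
MAB_REQUEST = {
    "User-Name": "00-11-22-AA-BB-CC",
    "User-Password": "00-11-22-AA-BB-CC",
    "Calling-Station-Id": "00:11:22:aa:bb:cc",
    "Service-Type": "Call-Check",
    "NAS-Port-Type": "Ethernet",
}
USER_REQUEST = {
    "User-Name": "alice@example.com",
    "User-Password": "correct horse",
    "NAS-Port-Type": "Wireless-802.11",
}
# Policy list in priority order; each policy holds at most two attribute criteria.
POLICIES = [
    {"name": "printers-mab", "auth": "MAB",
     "criteria": {"Service-Type": "Call-Check", "NAS-Port-Type": "Ethernet"}},
    {"name": "staff-wifi", "auth": "Password/OTP",
     "criteria": {"NAS-Port-Type": "Wireless-802.11"}},
    {"name": "catch-all", "auth": "Password/OTP", "criteria": {}},
]
ALLOWED_MACS = {"001122aabbcc"}   # members of a User Group of Type MAC (constructed)
BLOCKED_MACS = {"001122ddeeff"}

def select_policy(request, policies=POLICIES):
    """Return the first policy, top-down, whose criteria all appear in the request."""
    for p in policies:
        if len(p["criteria"]) > 2:
            raise ValueError(f"{p['name']}: a policy holds at most two attributes")
        if all(request.get(k) == v for k, v in p["criteria"].items()):
            return p["name"]
    return None

def normalize_mac(value):
    """Strip separators and case so 00-11-22-AA-BB-CC equals 00:11:22:aa:bb:cc."""
    mac = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return mac if len(mac) == 12 else None

def mab_authorize(request, require_call_check=True):
    """MAB: accept only if one consistent MAC is in all three attributes and is allowed."""
    attrs = ("User-Name", "User-Password", "Calling-Station-Id")
    macs = {normalize_mac(request.get(a)) for a in attrs}
    if len(macs) != 1 or None in macs:
        return False                  # a MAC is missing or the three disagree
    if require_call_check and request.get("Service-Type") != "Call-Check":
        return False
    mac = macs.pop()
    return mac in ALLOWED_MACS and mac not in BLOCKED_MACS
```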

    Authentication factors

    The authentication factors to verify.

    Authentication factor settings are only displayed for Password/OTP and EAP-TLS authentication types.

    Authentication type

    Select one of the following:

    • Mandatory two-factor authentication: Two-factor authentication is required for every user.
    • Verify all configured authentication factors: Two-factor authentication is required if it is enabled on the user's account; otherwise, one-factor authentication is allowed.
    • Password-only authentication: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
    • Token-only authentication: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.

    Reject usernames containing uppercase letters

    Enable this setting to reject usernames that contain uppercase letters.

    Device authorization

    To allow 802.1X authentication for non-interactive devices, FortiAuthenticator can identify and bypass authentication for a device based on its MAC address.

    This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. MAC devices can be specified in Authentication > User Management > MAC Devices.

    When Verify MAC address in authentication requests is enabled, you can select the RADIUS attribute and authorized group. The default RADIUS attribute is Calling-Station-Id.

    Allow FortiToken Mobile push notifications

    Enable this setting to allow FortiToken Mobile push notifications for RADIUS users.

    This setting is controlled on a per RADIUS client basis, not for specific users.

    RADIUS response

    The content of the RADIUS authentication response based on the outcome of the authentication.
  3. Select OK to add the new RADIUS policy.