Fortinet Document Library

Version:


Table of Contents

Cookbook

6.1.0
Download PDF
Copy Link

Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

To create the RADIUS client:
  1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
  2. Enter a Name, the IP address of the FortiGate, and set a Secret.
    The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

To create the RADIUS policy:
  1. Go to Authentication > RADIUS Service > Policies, and select Create New.
  2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
  3. Do not configure RADIUS attribute criteria.
  4. Set the authentication type as Password/OTP authentication, and enable Accept EAP with only EAP-TTLS selected.
    EAP-TLS should be the only EAP type selected to prevent fallback to a less secure version of authentication if a certificate is not presented by the WiFi client.
  5. Choose a username format (in this example: username@realm), select the Local realm.
  6. Set the authentication method to Password only authentication.
  7. Review the RADIUS response, and click Save and Exit.

Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

To create the RADIUS client:
  1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
  2. Enter a Name, the IP address of the FortiGate, and set a Secret.
    The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

To create the RADIUS policy:
  1. Go to Authentication > RADIUS Service > Policies, and select Create New.
  2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
  3. Do not configure RADIUS attribute criteria.
  4. Set the authentication type as Password/OTP authentication, and enable Accept EAP with only EAP-TTLS selected.
    EAP-TLS should be the only EAP type selected to prevent fallback to a less secure version of authentication if a certificate is not presented by the WiFi client.
  5. Choose a username format (in this example: username@realm), select the Local realm.
  6. Set the authentication method to Password only authentication.
  7. Review the RADIUS response, and click Save and Exit.