Administration Guide

Policies

RADIUS policy configuration is available in Authentication > RADIUS Service > Policies.

FortiAuthenticator RADIUS authentication requires that RADIUS clients are assigned one or more policies. Policies can be created for Password/OTP, MAC authentication bypass (MAB), and EAP-TLS authentication.

To distinguish authentication requirements for clients, RADIUS attributes can be added to policies to indicate the type of service the user has requested or the type of service that is provided. Each policy can contain up to two RADIUS attributes.

FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each policy, starting with the top policy in the list, and moves down until a match is found. Policy priority can be re-ordered by selecting the up and down icons next to each policy in the list.
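The top-down, first-match evaluation described above, modelled in Python as an added example (not FortiAuthenticator's own code) over constructed policies and a constructed Access-Request, together with a configuration check that flags policies an earlier, broader policy makes unreachable. The client names, the attribute values and the Service-Type = Call-Check criterion are illustrative assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class RadiusPolicy:
    """One entry in the ordered policy list (constructed model, not FortiAuthenticator's)."""
    name: str
    clients: List[str]                          # RADIUS clients the policy applies to
    criteria: Dict[str, str] = field(default_factory=dict)  # attribute -> required value
    auth_type: str = "Password/OTP"

    def __post_init__(self) -> None:
        # The page states that a policy carries at most two RADIUS attribute criteria.
        if len(self.criteria) > 2:
            raise ValueError(f"policy {self.name!r}: at most two RADIUS attributes")

def policy_matches(policy: RadiusPolicy, client: str, request: Dict[str, str]) -> bool:
    """The request must come from one of the policy's clients and carry every
    configured attribute with the required value."""
    if client not in policy.clients:
        return False
    return all(request.get(attr) == value for attr, value in policy.criteria.items())

def select_policy(policies: List[RadiusPolicy], client: str,
                  request: Dict[str, str]) -> Optional[RadiusPolicy]:
    """Top-down evaluation: the first matching policy wins, later ones are never consulted."""
    for policy in policies:
        if policy_matches(policy, client, request):
            return policy
    return None

def shadowed_policies(policies: List[RadiusPolicy]) -> List[str]:
    """Configuration check: a policy is unreachable when an earlier policy covers
    the same clients with a subset of its criteria, because that one always matches first."""
    shadowed = []
    for idx, later in enumerate(policies):
        for earlier in policies[:idx]:
            if (set(later.clients) <= set(earlier.clients)
                    and earlier.criteria.items() <= later.criteria.items()):
                shadowed.append(later.name)
                break
    return shadowed

# Constructed sample policies and request (client names and attribute values are illustrative).
CATCH_ALL = RadiusPolicy("Staff-PasswordOTP", ["wlc-01", "switch-01"])
MAB_PRINTERS = RadiusPolicy("MAB-Printers", ["switch-01"],
                            {"Service-Type": "Call-Check"}, "MAB")
EAP_TLS_WIFI = RadiusPolicy("EAP-TLS-Wifi", ["wlc-01"],
                            {"NAS-Port-Type": "Wireless-802.11"}, "EAP-TLS")
GOOD_ORDER = [MAB_PRINTERS, EAP_TLS_WIFI, CATCH_ALL]   # specific policies above the catch-all
BAD_ORDER = [CATCH_ALL, MAB_PRINTERS, EAP_TLS_WIFI]    # catch-all on top shadows the rest
PRINTER_REQUEST = {"Service-Type": "Call-Check", "User-Name": "001122334455"}
```

With BAD_ORDER the printer request is handled by the Password/OTP catch-all, so the MAB policy never runs; shadowed_policies reports exactly that before the ordering reaches production.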

To configure a RADIUS policy:
  1. Go to Authentication > RADIUS Service > Policies, and click Create New to add a new RADIUS policy.
    The RADIUS Policy Creation Wizard is launched.
  2. Configure the RADIUS policy:
    Note

    Displayed configuration settings vary depending on the Authentication type selected. The list below contains all possible settings, but only settings that are applicable to your configuration are shown in the GUI.

    RADIUS clients

    The policy name, description, and clients.

    Policy name

    Enter a name to identify the RADIUS policy.

    Description

    Optionally, provide a description of the policy.

    RADIUS clients

    Choose the clients to which this policy applies.

    For more information, see Clients.

    RADIUS attribute criteria

    The attributes that must be present in the RADIUS authentication request in order to be processed by this policy.

    RADIUS authentication request must contain specific attributes

    When enabled, RADIUS authentication requests must contain specific attributes from the FortiAuthenticator's list of vendors, viewable at Authentication > RADIUS Service > Dictionaries.

    Authentication type

    The type of end-user authentication used by this policy.

    Password/OTP authentication

    Configure password or one-time password authentication on selected realms.

    When Accept EAP is enabled, password/OTP authentication can be configured to accept EAP, including PEAP, EAP-TTLS, and EAP-GTC.

    MAC authentication bypass (MAB)

    Configure MAC authentication bypass (MAB) for certain devices, provided their MAC addresses appear in the User-Name, User-Password, and Calling-Station-Id attributes.

    Client Certificates (EAP-TLS)

    Configure client certificates (EAP-TLS) to verify the certificate provided by the end-user. A certificate is deemed valid if ALL of the following conditions match the certificate binding settings of one of the configured local or remote users:

    • End-user certificate "Subject" has a CN value AND that value matches the "Common name" certificate binding setting of one of the configured local or remote users.
    • End-user certificate "Issuer" matches the "CA" certificate binding setting of that same configured user account.
    • End-user certificate is properly signed.
    • End-user certificate is NOT expired.

    For example, if an end-user provides a certificate with the following fields:

    • Subject: CN=SAM, OU=Sales, DC=Company, DC=com
    • Issuer: CN=MyCA, OU=IT, DC=Company, DC=com
    • Properly signed and not expired.

    This certificate would be deemed valid if it matches a configured user account with the following certificate binding settings:

    • Common name: Sam
    • CA: CN=MyCA, OU=IT, DC=Company, DC=com
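    The four binding conditions above as an added Python check (not FortiAuthenticator's implementation), run over the page's own Sam/MyCA example. The data classes are a constructed model; the case-insensitive Common name comparison (the page matches CN=SAM to "Sam") and the RDN-by-RDN Issuer comparison are assumptions, and the signature result is taken as an input because chain verification happens elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class CertBinding:          # certificate binding settings on a configured user account
    username: str
    common_name: str        # the account's "Common name" binding setting
    ca: str                 # the account's "CA" binding setting (an issuer DN)

@dataclass(frozen=True)
class ClientCert:           # the end-user certificate fields the check looks at
    subject: str
    issuer: str
    signature_valid: bool   # outcome of chain/signature verification done elsewhere
    not_after: datetime

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=MyCA, OU=IT' -> [('CN', 'MyCA'), ('OU', 'IT')]. Attribute types are
    upper-cased and whitespace trimmed so formatting differences do not matter."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns

def subject_cn(subject: str) -> Optional[str]:
    """The subject's CN value, or None when the subject carries no CN."""
    return next((v for t, v in parse_dn(subject) if t == "CN"), None)

def find_bound_user(cert: ClientCert, bindings: List[CertBinding],
                    now: datetime) -> Tuple[Optional[str], str]:
    """(username, 'ok') for the account whose binding settings the certificate satisfies,
    else (None, reason). Assumptions: Common name compares case-insensitively (the page
    matches CN=SAM to 'Sam'); Issuer/CA compares RDN by RDN with exact values."""
    if not cert.signature_valid:
        return None, "certificate not properly signed"
    if cert.not_after <= now:
        return None, "certificate expired"
    cn = subject_cn(cert.subject)
    if cn is None:
        return None, "subject has no CN"
    for binding in bindings:
        if (cn.casefold() == binding.common_name.casefold()
                and parse_dn(cert.issuer) == parse_dn(binding.ca)):
            return binding.username, "ok"
    return None, "no account with matching Common name and CA binding"

# Constructed sample data mirroring the page's example (not real certificates).
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_BINDINGS = [CertBinding("sam", "Sam", "CN=MyCA, OU=IT, DC=Company, DC=com")]
SAMPLE_CERT = ClientCert("CN=SAM, OU=Sales, DC=Company, DC=com",
                         "CN=MyCA, OU=IT, DC=Company, DC=com", True,
                         datetime(2030, 1, 1, tzinfo=timezone.utc))
```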

    Identity source

    The identity sources against which to authenticate end-users.

    Identity source settings vary depending on the authentication type selected.

    Username format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username

    These settings are only displayed for Password/OTP and EAP-TLS authentication.

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.
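    As an added example (not FortiAuthenticator's code), the three username formats and the default-realm fallback above, written as a parser over a constructed realm table. The realm names are constructed; that realm names compare case-insensitively and that a User-Name with no realm goes to the default realm are assumptions not stated on the page.

```python
from typing import Dict, Optional, Tuple

# Constructed sample realm table (not from the page): realm name -> is the default realm.
CONFIGURED_REALMS: Dict[str, bool] = {"corp.example": True, "guest.example": False}

def default_realm(realms: Dict[str, bool]) -> str:
    """The realm marked as default for this client."""
    return next(name for name, is_default in realms.items() if is_default)

def split_username(raw: str, fmt: str) -> Tuple[str, Optional[str]]:
    """Split the User-Name into (username, realm) per the policy's username format.
    realm is None when the separator that format expects is absent."""
    if fmt == "username@realm":
        user, sep, realm = raw.rpartition("@")        # split on the last '@'
    elif fmt == "realm\\username":
        realm, sep, user = raw.partition("\\")
    elif fmt == "realm/username":
        realm, sep, user = raw.partition("/")
    else:
        raise ValueError(f"unknown username format: {fmt!r}")
    return (user, realm) if sep else (raw, None)

def resolve_realm(raw: str, fmt: str, realms: Dict[str, bool],
                  use_default_on_mismatch: bool) -> Tuple[str, Optional[str]]:
    """Choose the realm to authenticate against; (username, None) means no realm
    applies and the request is rejected. Assumptions not stated on the page: realm
    names compare case-insensitively, and a User-Name carrying no realm at all goes
    to the default realm."""
    user, realm = split_username(raw, fmt)
    if realm is None:
        return user, default_realm(realms)
    for configured in realms:
        if configured.casefold() == realm.casefold():
            return user, configured
    if use_default_on_mismatch:      # "Use default realm when user-provided realm is different"
        return user, default_realm(realms)
    return user, None
```

A format mismatch is silent rather than an error: "corp.example\alice" parsed under username@realm contains no "@", so the whole string becomes the username and the request lands in the default realm.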

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.
    • Select whether or not to allow local users to override remote users for the selected realm.
    • Select whether or not to use Windows AD domain authentication. See Windows AD domain authentication.
    • Edit the group filter as needed to filter users based on the groups they are in.
    • If necessary, add more realms to the list.
    • Select the realm that will be the default realm for this client.

    These settings are only displayed for Password/OTP and EAP-TLS authentication.

    When editing group filters for remote RADIUS realms, you can enable Allow remote LDAP groups to allow the selection of remote LDAP groups.

    MAC groups

    Define the allowed and blocked groups for this feature.

    MAC groups must be first created under Authentication > User Management > User Groups, where the Type is MAC.

    Optionally, you can require the Call-Check attribute for MAC-based authentication.

    These settings are only displayed for MAC authentication bypass (MAB) authentication.

    Authentication factors

    The authentication factors to verify.

    Authentication factor settings are only displayed for Password/OTP and EAP-TLS authentication types.

    Authentication type

    Select one of the following:

    • Mandatory two-factor authentication: Two-factor authentication is required for every user.
    • Verify all configured authentication factors: Two-factor authentication is required if it is enabled on the user's account, otherwise, allow one-factor authentication.
    • Password-only authentication: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
    • Token-only authentication: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.

    RADIUS attribute for user IP

    Enter the RADIUS attribute that carries the user IP address.

    Framed-IP-Address is the default RADIUS attribute.

    Adaptive Authentication

    Enable this option if you would like to have certain users bypass the OTP validation, so long as they belong to a trusted subnet.

    Select All trusted subnets to add all the available trusted subnets.

    You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.

    Adaptive Authentication is available only for the following authentication types:

    • Mandatory two-factor authentication

    • Verify all configured authentication factors
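    The four authentication-type options and the Adaptive Authentication waiver, combined into one decision function as an added Python example (not FortiAuthenticator's code) over constructed accounts. The type identifiers, the argument carrying the user IP (Framed-IP-Address by default on the page) and the rule that a tokenless account cannot pass mandatory two-factor authentication are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class UserAccount:           # constructed model of the per-account settings involved
    username: str
    password_enabled: bool   # password authentication enabled on the account
    token_enabled: bool      # an OTP token is assigned and enabled on the account

# The page lists only these two types as eligible for Adaptive Authentication.
ADAPTIVE_CAPABLE = {"mandatory-2fa", "verify-all-configured"}

def in_trusted_subnet(user_ip: Optional[str], trusted_subnets: Iterable[str]) -> bool:
    """True only for a parsable user IP inside a trusted subnet; a missing or
    unparsable Framed-IP-Address fails closed, so the OTP stays required."""
    if not user_ip:
        return False
    try:
        addr = ipaddress.ip_address(user_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_subnets)

def required_factors(auth_type: str, user: UserAccount, user_ip: Optional[str] = None,
                     trusted_subnets: Iterable[str] = (),
                     adaptive: bool = False) -> Optional[List[str]]:
    """Factors the request must present under the policy's authentication type, or None
    when this policy cannot authenticate the account. Assumption (not on the page): under
    mandatory two-factor authentication an account lacking either factor cannot authenticate."""
    if auth_type == "password-only":
        return ["password"] if user.password_enabled else None
    if auth_type == "token-only":
        return ["token"] if user.token_enabled else None
    if auth_type == "mandatory-2fa":
        if not (user.password_enabled and user.token_enabled):
            return None
        factors = ["password", "token"]
    elif auth_type == "verify-all-configured":
        factors = [name for name, enabled in (("password", user.password_enabled),
                                              ("token", user.token_enabled)) if enabled]
        if not factors:
            return None
    else:
        raise ValueError(f"unknown authentication type: {auth_type!r}")
    # Adaptive Authentication waives only the OTP, only for the eligible types, and
    # only when the user IP (Framed-IP-Address by default) lies in a trusted subnet.
    if (adaptive and auth_type in ADAPTIVE_CAPABLE and "token" in factors
            and in_trusted_subnet(user_ip, trusted_subnets)):
        factors.remove("token")
    return factors

SAMPLE_ALICE = UserAccount("alice", password_enabled=True, token_enabled=True)   # constructed
SAMPLE_BOB = UserAccount("bob", password_enabled=True, token_enabled=False)      # constructed
```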

    Device authorization

    To allow 802.1X authentication for non-interactive devices, FortiAuthenticator can identify and bypass authentication for a device based on its MAC address.

    This is used for devices that do not allow the usual username or password input to perform 802.1X authentication, such as network printers. MAC devices can be specified in Authentication > User Management > MAC Devices.

    When Verify MAC address in authentication requests is enabled, you can select the RADIUS attribute and authorized group. The default RADIUS attribute is Calling-Station-Id.

    Advanced Options

    Allow FortiToken Mobile push notifications

    Enable this setting to allow FortiToken Mobile push notifications for RADIUS users.

    This setting is controlled on a per RADIUS client basis, not for specific users.

    Application name for FTM push notification

    Enter the client application name. This field is displayed on the FortiToken app.

    When creating a new policy or upgrading to FortiAuthenticator 6.3, the policy name is the default client application name.

    Resolve user geolocation from their IP address

    Enable to resolve the user geolocation from their IP address (if possible).

    Reject usernames containing uppercase letters

    Enable this setting to reject usernames that contain uppercase letters.

    RADIUS response

    The content of the RADIUS authentication response based on the outcome of the authentication.
  3. Select OK to add the new RADIUS policy.

Windows AD domain authentication

Windows AD domain authentication can be enabled to allow for PEAP-MSCHAPv2 (802.1X) over RADIUS.

When enabled, authentication is performed using NTLM once the FortiAuthenticator has joined the AD domain, replacing the default LDAP authentication process. The ports used with Windows AD domain authentication are TCP/88, 135, 139, and 445.

When determining which LDAP server to authenticate users against, the domain provides a list of domain controllers, and FortiAuthenticator cycles round-robin through them when joining the domain instead of using the primary/secondary IP/FQDN from the remote LDAP server settings. Enabling Preferred Domain Controller Hostname will limit the round-robin activity to the DCs specified by this setting.