Administration Guide

RADIUS

If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.

When entering the remote RADIUS server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.

To add a remote RADIUS server entry:
  1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
  2. Enter the following information, then select OK to add the RADIUS server.
    Name

    Enter the name for the remote RADIUS server on FortiAuthenticator.

    Preferred auth. method

    Select MSCHAPv2 (the default), MSCHAP, CHAP, PAP, or Proxy.

    Note: The Proxy option allows FortiAuthenticator to proxy RADIUS authentication sessions without changing the authentication method, meaning FortiAuthenticator passes the authentication credentials sent by the RADIUS client through to the remote RADIUS server unchanged.

    Timeout

    Enter a timeout between 1 and 60 seconds (3 by default).

    Note that a high timeout may impact the processing rate of authentication requests if the remote RADIUS server becomes unresponsive.

    Include realm in username

    Enable for eduroam services.

    When enabled, the username string sent to the remote RADIUS server is the same as the username string received from the RADIUS client.

    FortiAuthenticator can now keep the realm portion of the username before proxying.

    This allows FortiAuthenticator to route the RADIUS authentication requests through a hierarchy of RADIUS authentication proxy servers.

    Note: The option is disabled by default.

    Primary Server

    Enter the server name or IP address, port, and secret in the fields provided to configure the primary server.

    Secondary Server

    Optionally, add redundancy by configuring a secondary server.

    User Migration

    Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator.

    Select View Learned Users to view the list of learned users. See Learned RADIUS users.
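
The effect of Include realm in username on routing through a proxy hierarchy, as an added example (not Fortinet code). The user@realm username form, the realm names, the routing table, and the assumption that the realm is dropped when the option is disabled are all illustrative and do not come from this page.

```python
# Added illustration, not FortiAuthenticator code. Realms, hosts and the
# routing table are constructed sample values.

def split_user_name(user_name):
    """Split a RADIUS User-Name of the form user@realm at the last '@'."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not realm:
        return user_name.rstrip("@"), None   # no realm present
    return user, realm.lower()

def outbound_user_name(received, include_realm):
    """User-Name the proxy sends to the remote RADIUS server.

    include_realm=True : same string as received from the RADIUS client.
    include_realm=False: assumption for this sketch, realm is dropped.
    """
    if include_realm:
        return received
    return split_user_name(received)[0]

# Constructed routing table of an upstream hierarchy proxy.
ROUTES = {
    "uni-a.example": "idp.uni-a.example",
    "uni-b.example": "idp.uni-b.example",
    "*": "upstream-proxy.example",           # default route for unknown realms
}

def next_hop(user_name, routes=ROUTES):
    """Longest-suffix match on the realm; None when no realm is left to route on."""
    _, realm = split_user_name(user_name)
    if realm is None:
        return None
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return routes.get("*")

if __name__ == "__main__":
    for received in ("alice@uni-a.example", "bob@dept.uni-b.example", "carol"):
        for flag in (True, False):
            sent = outbound_user_name(received, flag)
            print(f"{received!r:28} include_realm={flag!s:5} -> {sent!r:26} hop={next_hop(sent)}")
```

A username forwarded without its realm gives the upstream proxy nothing to route on, which is why the option matters for hierarchies such as eduroam.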
