Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.8 Administration Guide
    6.4.8
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    RADIUS AVPs and VSAs

    RADIUS AVPs and VSAs

    This topic describes RADIUS Attribute Value Pairs (AVPs) and Vendor-Specific Attributes (VSAs).

    AVPs

    RADIUS packets include a set of AVPs to identify information about the user, their location, and other information. The IETF defined a set of 255 standard attributes, which are well known and come in the form of Type, Length, Value (for more details, refer to RFC 2865). Of the standard 255, the FortiGate sends the following RADIUS attributes:

    RADIUS attribute number

    Name

    Description

    1

    User-Name

    Name of the user being authenticated by the RADIUS server.

    4

    NAS-IP-Address

    IP address of the network access server (NAS) that is requesting authentication. The NAS is the FortiGate.

    8

    Framed-IP-Address

    IP address to be configured for the user, by sending the IP address of a user to the RADIUS server in the Access-Request packet.

    25

    Class

    Used in accounting packets and requests for firewall, WiFi, and proxy authentication. The attribute is returned in the Access-Accept message and is added to all accounting packets.

    26

    Fortinet-VSA

    See VSAs.

    32

    NAS-Identifier

    Identifier or IP address of the NAS that is requesting authentication. The NAS is the FortiGate.

    42

    Acct-Input-Octets

    Number of octets received from the port over the course of this service being provided. Used to charge the user for the amount of traffic they used.

    43

    Acct-Output-Octets

    Number of octets sent to the port while delivering this service. Used to charge the user for the amount of traffic they used.

    44

    Acct-Session-Id

    Unique number assigned to each start and stop record to make it easy to match them, and to eliminate duplicate records.

    55

    Event-Timestamp

    Records the time that the event occurred on the NAS. The timestamp is measured in seconds since January 1, 1970 00:00 UTC. Before the Event-Timestamp attribute can be sent in a packet, make sure that the correct time is set on the FortiGate.

    VSAs

    Some vendors want or need to send attributes that do not match any of the defined IETF attributes. This can be accomplished by using RADIUS attribute type 26, which allows a vendor to encapsulate their own specific attributes in this standard AVP.

    In order to support VSAs, the RADIUS server requires a dictionary to define the VSAs. This dictionary is typically supplied by the client or server vendor.

    The Fortinet RADIUS vendor ID is 12356 and contains the following attributes:

    Attribute name

    Attribute number

    Attribute value format

    Fortinet-Group-Name

    1

    String

    Fortinet-Client-IP-Address

    2

    IP address

    Fortinet-Vdom-Name*

    3

    String

    Fortinet-Client-IPv6-Address

    4

    Octets

    Fortinet-Interface-Name

    5

    String

    Fortinet-Access-Profile

    6

    String

    Fortinet-SSID

    7

    String

    Fortinet-AP-Name

    8

    String

    Fortinet-FAC-Auth-Status

    11

    String

    Fortinet-FAC-Token-ID

    12

    String

    Fortinet-FAC-Challenge-Code

    15

    String

    Fortinet-Webfilter-Category-Allow

    16

    String

    Fortinet-Webfilter-Category-Block

    17

    Octets

    Fortinet-Webfilter-Category-Monitor

    18

    Octets

    Fortinet-AppCtrl-Category-Allow

    19

    Octets

    Fortinet-AppCtrl-Category-Block

    20

    Octets

    Fortinet-AppCtrl-Risk-Allow

    21

    Octets

    Fortinet-AppCtrl-Risk-Block

    22

    Octets

    Fortinet-WirelessController-Device-MAC

    23

    Ether

    Fortinet-WirelessController-WTP-ID

    24

    String

    Fortinet-WirelessController-Assoc-Time

    25

    Date

    Fortinet-FortiWAN-AVPair

    26

    String

    Fortinet-FDD-Access-Profile

    30

    String

    Fortinet-FDD-Trusted-Hosts

    31

    String

    Fortinet-FDD-SPP-Name

    32

    String

    Fortinet-FDD-Is-System-Admin

    33

    String

    Fortinet-FDD-Is-SPP-Admin

    34

    String

    Fortinet-FDD-SPP-Policy-Group

    35

    String

    Fortinet-FDD-Allow-API-Access

    36

    String

    Fortinet-Fpc-User-Role

    40

    String

    Fortinet-Tenant-Identification

    41

    String

    Fortinet-Host-Port-AVPair

    42

    String

    * For Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate. Refer to the documentation provided by your RADIUS server for configuration details.

    Previous
    Next

    RADIUS AVPs and VSAs

    RADIUS AVPs and VSAs

    This topic describes RADIUS Attribute Value Pairs (AVPs) and Vendor-Specific Attributes (VSAs).

    AVPs

    RADIUS packets include a set of AVPs to identify information about the user, their location, and other information. The IETF defined a set of 255 standard attributes, which are well known and come in the form of Type, Length, Value (for more details, refer to RFC 2865). Of the standard 255, the FortiGate sends the following RADIUS attributes:

    RADIUS attribute number

    Name

    Description

    1

    User-Name

    Name of the user being authenticated by the RADIUS server.

    4

    NAS-IP-Address

    IP address of the network access server (NAS) that is requesting authentication. The NAS is the FortiGate.

    8

    Framed-IP-Address

    IP address to be configured for the user, by sending the IP address of a user to the RADIUS server in the Access-Request packet.

    25

    Class

    Used in accounting packets and requests for firewall, WiFi, and proxy authentication. The attribute is returned in the Access-Accept message and is added to all accounting packets.

    26

    Fortinet-VSA

    See VSAs.

    32

    NAS-Identifier

    Identifier or IP address of the NAS that is requesting authentication. The NAS is the FortiGate.

    42

    Acct-Input-Octets

    Number of octets received from the port over the course of this service being provided. Used to charge the user for the amount of traffic they used.

    43

    Acct-Output-Octets

    Number of octets sent to the port while delivering this service. Used to charge the user for the amount of traffic they used.

    44

    Acct-Session-Id

    Unique number assigned to each start and stop record to make it easy to match them, and to eliminate duplicate records.

    55

    Event-Timestamp

    Records the time that the event occurred on the NAS. The timestamp is measured in seconds since January 1, 1970 00:00 UTC. Before the Event-Timestamp attribute can be sent in a packet, make sure that the correct time is set on the FortiGate.

    VSAs

    Some vendors want or need to send attributes that do not match any of the defined IETF attributes. This can be accomplished by using RADIUS attribute type 26, which allows a vendor to encapsulate their own specific attributes in this standard AVP.

    In order to support VSAs, the RADIUS server requires a dictionary to define the VSAs. This dictionary is typically supplied by the client or server vendor.

    The Fortinet RADIUS vendor ID is 12356 and contains the following attributes:

    Attribute name

    Attribute number

    Attribute value format

    Fortinet-Group-Name

    1

    String

    Fortinet-Client-IP-Address

    2

    IP address

    Fortinet-Vdom-Name*

    3

    String

    Fortinet-Client-IPv6-Address

    4

    Octets

    Fortinet-Interface-Name

    5

    String

    Fortinet-Access-Profile

    6

    String

    Fortinet-SSID

    7

    String

    Fortinet-AP-Name

    8

    String

    Fortinet-FAC-Auth-Status

    11

    String

    Fortinet-FAC-Token-ID

    12

    String

    Fortinet-FAC-Challenge-Code

    15

    String

    Fortinet-Webfilter-Category-Allow

    16

    String

    Fortinet-Webfilter-Category-Block

    17

    Octets

    Fortinet-Webfilter-Category-Monitor

    18

    Octets

    Fortinet-AppCtrl-Category-Allow

    19

    Octets

    Fortinet-AppCtrl-Category-Block

    20

    Octets

    Fortinet-AppCtrl-Risk-Allow

    21

    Octets

    Fortinet-AppCtrl-Risk-Block

    22

    Octets

    Fortinet-WirelessController-Device-MAC

    23

    Ether

    Fortinet-WirelessController-WTP-ID

    24

    String

    Fortinet-WirelessController-Assoc-Time

    25

    Date

    Fortinet-FortiWAN-AVPair

    26

    String

    Fortinet-FDD-Access-Profile

    30

    String

    Fortinet-FDD-Trusted-Hosts

    31

    String

    Fortinet-FDD-SPP-Name

    32

    String

    Fortinet-FDD-Is-System-Admin

    33

    String

    Fortinet-FDD-Is-SPP-Admin

    34

    String

    Fortinet-FDD-SPP-Policy-Group

    35

    String

    Fortinet-FDD-Allow-API-Access

    36

    String

    Fortinet-Fpc-User-Role

    40

    String

    Fortinet-Tenant-Identification

    41

    String

    Fortinet-Host-Port-AVPair

    42

    String

    * For Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate. Refer to the documentation provided by your RADIUS server for configuration details.

    Previous
    Next