Configuring a RADIUS server
A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius
.
Basic configuration
The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.
GUI field |
CLI setting |
Description |
---|---|---|
Name |
edit <name> |
Define the RADIUS server object within FortiOS. |
Authentication method |
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap} |
Specify the authentication method, or select Default/ |
NAS IP |
set nas-ip <IPv4_address> |
Optional setting, also known as Calling-Station-Id. Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate will use the IP address of the interface that communicates with the RADIUS server. |
Include in every user group |
set all-usergroup {enable | disable} |
Optional setting to add the RADIUS server to each user group. This allows each user group to try and authenticate users against the RADIUS server if local authentication fails. |
Primary Server |
||
IP/Name |
set server <string> |
Enter the IP address or resolvable FQDN of the RADIUS server. |
Secret |
set secret <password> |
Enter the password used to connect to the RADIUS server. |
There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).
Advanced settings
Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.
To edit the port used to connect with the RADIUS server:
config system global set radius-port <integer> end
To edit the default setting for password encoding and username case sensitivity:
config user radius edit <name> set password-encoding {auto | ISO-8859-1} set username-case-sensitive {enable | disable} next end
password-encoding {auto | ISO-8859-1} |
Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The |
username-case-sensitive {enable | disable} |
Enable/disable case sensitive usernames (default = disable). |
To configure different transport protocols:
config user radius edit <name> set transport-protocol {udp | tcp | tls} next end
transport-protocol {udp | tcp | tls} |
Set the type of transport protocol to use:
|
To configure a RADSEC client with TLS:
config user radius edit <name> set transport-protocol tls set ca-cert <string> set client-cert <string> set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2} set server-identity-check {enable | disable} next end
ca-cert <string> |
Set the CA certificate of server to trust under TLS. |
client-cert <string> |
Set the client certificate to use under TLS. |
tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2} |
Set the minimum supported protocol version for TLS connections:
|
server-identity-check {enable | disable} |
Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable). |
For RADSEC over TLS example configuration, see Configuring a RADSEC client.
It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks. |
RADIUS Connection
When using TCP or UDP as transport, it is possible for the RADIUS protocol to be compromised by the vulnerability described in CVE-2024-3596. In order to protect against this RADIUS vulnerability, as a RADIUS client, FortiGate will:
-
1. Force the validation of message authenticator.
-
2. Reject RADIUS response with unrecognized
proxy-state
attribute.
Message authenticator checking is made mandatory under UDP/TCP. It is not mandatory when using TLS.
Therefore, if FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message authenticator attribute is used in its RADIUS messages. Check with your RADIUS server vendor for information about support for the message authenticator attribute.
It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks. |