Fortinet white logo
Fortinet white logo

Administration Guide

Configuring a RADIUS server

Configuring a RADIUS server

A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius.

Basic configuration

The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.

GUI field

CLI setting

Description

Name

edit <name>

Define the RADIUS server object within FortiOS.

Authentication method

set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Specify the authentication method, or select Default/auto to negotiate PAP, MSCHAP_v2, and CHAP in that order.

NAS IP

set nas-ip <IPv4_address>

Optional setting, also known as Calling-Station-Id.

Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate will use the IP address of the interface that communicates with the RADIUS server.

Include in every user group

set all-usergroup {enable | disable}

Optional setting to add the RADIUS server to each user group.

This allows each user group to try and authenticate users against the RADIUS server if local authentication fails.

Primary Server

IP/Name

set server <string>

Enter the IP address or resolvable FQDN of the RADIUS server.

Secret

set secret <password>

Enter the password used to connect to the RADIUS server.

There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).

Advanced settings

Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.

To edit the port used to connect with the RADIUS server:
config system global
    set radius-port <integer> 
end
To edit the default setting for password encoding and username case sensitivity:
config user radius
    edit <name>
        set password-encoding {auto | ISO-8859-1}
        set username-case-sensitive {enable | disable}
    next
end

password-encoding {auto | ISO-8859-1}

Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The auth-type must be auto or pap to change this setting.

username-case-sensitive {enable | disable}

Enable/disable case sensitive usernames (default = disable).

To configure different transport protocols:
config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
    next
end

transport-protocol {udp | tcp | tls}

Set the type of transport protocol to use:

  • udp: use UDP (default)
  • tcp: use TCP, but no TLS security
  • tls: use TLS over TCP
To configure a RADSEC client with TLS:
config user radius
    edit <name>
        set transport-protocol tls
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}        
        set server-identity-check {enable | disable}
    next
end

ca-cert <string>

Set the CA certificate of server to trust under TLS.

client-cert <string>

Set the client certificate to use under TLS.

tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum supported protocol version for TLS connections:

  • default: follow the system global setting
  • SSLv3: use SSLv3
  • TLSv1: use TLSv1
  • TLSv1-1: use TLSv1.1
  • TLSv1-2: use TLSv1.2

server-identity-check {enable | disable}

Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

For RADSEC over TLS example configuration, see Configuring a RADSEC client.

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks.

Note

To account for dynamic IP address changes, such as those governed by SD-WAN rules, interface names can be used to define the source IP addresses in RADIUS, LDAP, and DNS configurations using the source-ip-interface command. See Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations.

RADIUS Connection

When using TCP or UDP as transport, it is possible for the RADIUS protocol to be compromised by the vulnerability described in CVE-2024-3596. In order to protect against this RADIUS vulnerability, as a RADIUS client, FortiGate will:

  1. 1. Force the validation of message authenticator.

  2. 2. Reject RADIUS response with unrecognized proxy-state attribute.

Message authenticator checking is made mandatory under UDP/TCP. It is not mandatory when using TLS.

Therefore, if FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message authenticator attribute is used in its RADIUS messages. Check with your RADIUS server vendor for information about support for the message authenticator attribute.

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks.

Configuring a RADIUS server

Configuring a RADIUS server

A RADIUS server can be configured in the GUI by going to User & Authentication > RADIUS Servers, or in the CLI under config user radius.

Basic configuration

The following table summarizes the common RADIUS settings that can be configured in the GUI and CLI.

GUI field

CLI setting

Description

Name

edit <name>

Define the RADIUS server object within FortiOS.

Authentication method

set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Specify the authentication method, or select Default/auto to negotiate PAP, MSCHAP_v2, and CHAP in that order.

NAS IP

set nas-ip <IPv4_address>

Optional setting, also known as Calling-Station-Id.

Specify the IP address the FortiGate uses to communicate with the RADIUS server. If left unconfigured, the FortiGate will use the IP address of the interface that communicates with the RADIUS server.

Include in every user group

set all-usergroup {enable | disable}

Optional setting to add the RADIUS server to each user group.

This allows each user group to try and authenticate users against the RADIUS server if local authentication fails.

Primary Server

IP/Name

set server <string>

Enter the IP address or resolvable FQDN of the RADIUS server.

Secret

set secret <password>

Enter the password used to connect to the RADIUS server.

There is an option in the GUI to configure a second server, and a third server can be configured in the CLI (see Using multiple RADIUS servers).

Advanced settings

Advanced settings for RADIUS servers can be configured in the CLI. The following are some commonly used settings.

To edit the port used to connect with the RADIUS server:
config system global
    set radius-port <integer> 
end
To edit the default setting for password encoding and username case sensitivity:
config user radius
    edit <name>
        set password-encoding {auto | ISO-8859-1}
        set username-case-sensitive {enable | disable}
    next
end

password-encoding {auto | ISO-8859-1}

Set the password encoding to use the original encoding or ISO-8859-1 (default = auto). The auth-type must be auto or pap to change this setting.

username-case-sensitive {enable | disable}

Enable/disable case sensitive usernames (default = disable).

To configure different transport protocols:
config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
    next
end

transport-protocol {udp | tcp | tls}

Set the type of transport protocol to use:

  • udp: use UDP (default)
  • tcp: use TCP, but no TLS security
  • tls: use TLS over TCP
To configure a RADSEC client with TLS:
config user radius
    edit <name>
        set transport-protocol tls
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}        
        set server-identity-check {enable | disable}
    next
end

ca-cert <string>

Set the CA certificate of server to trust under TLS.

client-cert <string>

Set the client certificate to use under TLS.

tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum supported protocol version for TLS connections:

  • default: follow the system global setting
  • SSLv3: use SSLv3
  • TLSv1: use TLSv1
  • TLSv1-1: use TLSv1.1
  • TLSv1-2: use TLSv1.2

server-identity-check {enable | disable}

Enable/disable RADIUS server identity check, which verifies the server domain name/IP address against the server certificate (default = enable).

For RADSEC over TLS example configuration, see Configuring a RADSEC client.

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks.

Note

To account for dynamic IP address changes, such as those governed by SD-WAN rules, interface names can be used to define the source IP addresses in RADIUS, LDAP, and DNS configurations using the source-ip-interface command. See Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations.

RADIUS Connection

When using TCP or UDP as transport, it is possible for the RADIUS protocol to be compromised by the vulnerability described in CVE-2024-3596. In order to protect against this RADIUS vulnerability, as a RADIUS client, FortiGate will:

  1. 1. Force the validation of message authenticator.

  2. 2. Reject RADIUS response with unrecognized proxy-state attribute.

Message authenticator checking is made mandatory under UDP/TCP. It is not mandatory when using TLS.

Therefore, if FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message authenticator attribute is used in its RADIUS messages. Check with your RADIUS server vendor for information about support for the message authenticator attribute.

Caution

It is best practice to enable RADSEC over TLS whenever the FortiGate and RADIUS connection must pass through unencrypted transport. When using TCP and UDP transport modes, it is recommended to ensure the FortiGate and RADIUS connection passes through a trusted network or the connection passes through an encrypted tunnel over untrusted networks.