Administration Guide

7.2.0

Local Servers

Disabled by default.

Authentication:

  • FortiNAC’s Local Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

  • FortiNAC-OS Requirement: "radius-local" option must be included in the "set allowaccess" command. See Open ports for details.

Accounting:

  • The Local Server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

  • FortiNAC-OS Requirement: "radius-acct" option must be included in the "set allowaccess" command. See Open ports for details.

FortiNAC processes both RADIUS MAC and 802.1x EAP authentication locally and does not require an external RADIUS server.
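As an added illustration (not taken from this guide), the FortiNAC-OS interface setting that the two "FortiNAC-OS Requirement" notes above refer to, written as a `set allowaccess` entry. The interface name `port1` and the other services listed beside `radius-local` and `radius-acct` are assumptions; the exact option list for a given deployment comes from the Open ports page.

```text
config system interface
    edit port1
        set allowaccess https ssh radius-local radius-acct
    next
end
```

`radius-local` opens the port the Local Server listens on for RADIUS MAC and 802.1x EAP authentication. Include `radius-acct` only when accounting is actually proxied to an external RADIUS server, so that the management interface exposes no more services than the node serves.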

Supported 802.1x EAP modes:

  • TTLS/PAP
  • TTLS/MSCHAPv2
  • PEAP/MSCHAPv2
  • TLS

Field

Description

Name

Unique name used to identify the configuration.

TLS Service Configuration

Select the TLS Service Configuration to use.

Allows configuration of TLS Protocol versions and Ciphers for EAP in the Local Server.

TLS Details:

  • Name: Unique name used to identify the configuration.

  • Certificate Alias: Select the Certificate to use when securing communication. Certificates may be uploaded using the Certificate management view.

  • Automatically Update Ciphers And Protocols on Upgrade: If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

  • TLS Protocols: The list of TLS Protocols the server will accept. At least one TLS Protocol must be selected. A TLS Protocol must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

  • Ciphers: The Cipher Suites to use when encrypting messages with TLS. At least one Cipher must be selected. A Cipher must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

Supported EAP Types

Allows configuration of which EAP types are enabled. The field displays the EAP Types currently enabled. Click the drill-down menu to view the available types, then click a specific type to enable or disable it:

  • TLS - Requires the Endpoint Trust Certificate to be installed. For installation instructions see Certificate management.

  • TTLS

  • PEAP

  • LEAP

  • MD5

  • GTC

  • MSCHAPV2

Winbind Domain(s)

For MSCHAPv2 authentication, specify the winbind instances for the allowed Active Directory server(s), or 'Allow Any' to authenticate against any defined server. Manage winbind instances in the Winbind tab. For more details on configuring winbinds see Winbind.

Enable OCSP

If enabled, OCSP verification is performed on EAP-TLS client certificates using the URL embedded in the client certificate. Important: the certificate must contain the OCSP URL; otherwise client authentication fails.
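Because an EAP-TLS client certificate without an embedded OCSP responder URL fails authentication once Enable OCSP is on, it is worth checking certificates before issuing them to endpoints. The following is an added example, not part of this guide or of FortiNAC: it reads the Authority Information Access extension with the `openssl` command-line tool, and builds two constructed self-signed demo certificates (one with an OCSP URI, one without) so the check can be exercised offline. It assumes OpenSSL 1.1.1 or later is on PATH (for `req -addext` and `x509 -ocsp_uri`); the responder URL `http://ocsp.example.test/` and the subject `demo-client` are made-up values.

```shell
#!/bin/sh
# Added example (not from the FortiNAC guide): pre-flight check that an EAP-TLS
# client certificate carries an OCSP responder URL in its Authority Information
# Access extension, which the Local Server relies on when "Enable OCSP" is set.
# Assumes OpenSSL 1.1.1 or later is on PATH.

# Print the OCSP responder URI(s) embedded in a PEM certificate; empty if none.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Succeed (exit 0) if the certificate has at least one OCSP URI, else fail (1).
has_ocsp_uri() {
    [ -n "$(ocsp_uri_of "$1")" ]
}

# Create a constructed self-signed demo certificate at path $1 (key at $1.key).
# If $2 is given it is used as the OCSP responder URI; otherwise the AIA
# extension is omitted, which is the case that breaks OCSP-enabled EAP-TLS.
make_demo_cert() {
    out="$1"
    uri="$2"
    if [ -n "$uri" ]; then
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$out.key" -out "$out" -days 1 -subj "/CN=demo-client" \
            -addext "authorityInfoAccess=OCSP;URI:$uri" >/dev/null 2>&1
    else
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$out.key" -out "$out" -days 1 -subj "/CN=demo-client" >/dev/null 2>&1
    fi
}

# Report every certificate given on the command line; return 1 if any of them
# would fail OCSP verification for lack of a responder URL.
check_certs() {
    rc=0
    for cert in "$@"; do
        if has_ocsp_uri "$cert"; then
            echo "OK      $cert -> $(ocsp_uri_of "$cert")"
        else
            echo "MISSING $cert has no OCSP URI; EAP-TLS with OCSP enabled will fail"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_certs client1.pem client2.pem ...
```

Run `check_certs` over the certificates an issuing CA produces for endpoints; a non-zero exit means at least one of them would be rejected by the Local Server with OCSP enabled, and the `MISSING` lines name which.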