Administration Guide

7.4.0

RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.

A RADIUS server enables external authentication for users connected to FortiNAC-managed network devices. This type of server is most often used in wireless environments, but it is also used in wired environments that support 802.1x authentication.

FortiNAC uses RADIUS authentication for several purposes including:

  • Authenticating users attaching to managed network devices using 802.1x.
  • Authenticating VPN users.
  • Authenticating users accessing FortiNAC's own captive portal process.
  • Authenticating administrators logging onto the FortiNAC system.

As of version 8.8, FortiNAC can be configured to perform RADIUS authentication using external RADIUS server(s), the built-in local RADIUS server, or a combination of both. There are two RADIUS Authentication modes available for determining how RADIUS requests are processed. These can be configured in FortiNAC on a per-device basis.

802.1x environments

When using 802.1x in a FortiNAC-managed environment, the following components must be configured so that all of them can communicate successfully:

  • Network devices
  • FortiNAC
  • Production RADIUS server(s)

All of the above components must have the same RADIUS secret key value defined. FortiNAC does not modify 802.1x packets as they pass from the network device through to the terminating RADIUS server, so the secret the network device used to sign the request is the one the terminating server must use to validate it.

The same requirement exists when using Domain mapping. For instance, many wireless devices that support 802.1x allow a RADIUS server definition for each configured SSID. In such an environment, if two users are connected to the same SSID but to different domains, the RADIUS secret used in both authentication requests would be identical. The users are both using the same RADIUS profile on the wireless device. Assuming FortiNAC were configured to use different terminating RADIUS servers for each domain, it would forward the requests and both servers would need to use the same secret value in order to validate the packets.
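The reason a pass-through hop cannot use a different secret is visible in the RADIUS packet format itself. RFC 2865 defines the Response Authenticator as MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret), so the network device can only validate a reply if it holds the same secret the terminating server used. The following is an added example, not FortiNAC or Fortinet code: it builds a constructed Access-Accept, then checks it with the same secret, with a different secret, and after a one-byte change to an attribute. The packet contents, secrets and identifier values are constructed for the demo.

```python
"""Added example (not FortiNAC's or Fortinet's code): why every hop that forwards a
RADIUS packet unchanged must hold the same shared secret as the terminating server.
Packet contents, secrets and identifiers below are constructed for illustration."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5 over header, request authenticator, attributes and secret."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """What the terminating RADIUS server sends back, authenticated with *its* secret."""
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the network device (the RADIUS client) does with *its* secret.
    True only if header, attributes and secret all agree with the sender's."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:]
    expected = response_authenticator(code, identifier, request_auth, attributes, secret)
    # Constant-time comparison so verification time does not leak how many bytes matched.
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Constructed exchange: device -> FortiNAC (pass-through) -> terminating server."""
    request_auth = bytes(range(16))      # constructed; a real client sends 16 random bytes
    attrs = attribute(18, b"welcome")    # Reply-Message attribute
    server_secret = b"correct-secret"
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, server_secret)
    # Same packet with the last attribute byte flipped, as if altered in transit.
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])
    return {
        "same_secret": verify_response(reply, request_auth, b"correct-secret"),
        "different_secret": verify_response(reply, request_auth, b"wrong-secret"),
        "tampered_reply": verify_response(tampered, request_auth, server_secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

Only the first check passes. The second is the domain-mapping scenario from the text: if the terminating server for one domain were given a different secret from the one configured on the wireless device's RADIUS profile, every reply for that domain would be rejected by the device even though FortiNAC forwarded it untouched. Real 802.1x/EAP exchanges additionally carry a Message-Authenticator attribute (RFC 2869, an HMAC-MD5 keyed with the same secret), so the same-secret requirement applies there too.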

Order of precedence

When one or more RADIUS servers are used for authentication and they have been configured in several different places, it can be difficult to determine which server will be used. The uses for RADIUS servers are as follows:

  • Authenticating FortiNAC administrators.
  • Authenticating network users accessing the network through a VPN.
  • Authenticating network users who come in through the captive portal.
  • Devices that have no RADIUS servers configured in the model configuration.
  • Devices that have specific RADIUS servers configured in the model configuration.
  • SSIDs that have no RADIUS servers configured and inherit from the parent device.
  • SSIDs that have specific RADIUS servers configured.

Unless a specific RADIUS server is configured for a particular device or SSID, these options use the default primary and secondary RADIUS servers. However, if RADIUS server profiles are mapped to domains and the authenticating user's username contains a domain name prefix, then the RADIUS server mapped to the domain takes precedence. The order of precedence to determine which RADIUS server is used is as follows:

  1. If domain mappings exist and an entry matches the domain prefix contained within the user name of a connecting user, then the RADIUS server mapped to the domain is used. Multiple servers can be mapped to a single domain. If the user is not found on the first RADIUS server in the list, FortiNAC checks each server mapped to the domain in turn until the user is found.
  2. If a blank domain has been mapped and an authenticating user does not have a domain prefix in the user name, then the server or servers mapped to the blank domain are used.

    If you create a domain mapping for a RADIUS server with a blank domain name, this mapping always takes precedence over the default primary and secondary RADIUS servers, because every user who logs in without a domain name will match it.

  3. If no domain mappings exist, the RADIUS server profile chosen for the originating SSID is used.
  4. If no SSID mapping exists, the RADIUS server profile chosen for the originating device is used.
  5. If no device-specific server selection exists, the system-wide default primary and secondary server settings are used.
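The five steps above, written out as a selection routine so the outcome for a given user, SSID and device can be checked before changing a mapping. This is an added example, not FortiNAC's own code: the mapping tables, server names and user names are constructed, the function names are assumptions, and the handling of a domain prefix that matches no mapping (falling through to the SSID and device rules) is an assumption the guide does not spell out.

```python
"""Added example (not FortiNAC's own code): apply the guide's five-step order of
precedence to decide which RADIUS server(s) a connecting user is sent to.
Mapping tables, server names and user names are constructed for illustration."""
from typing import Dict, List, Optional, Tuple


def split_domain(username: str) -> Tuple[str, str]:
    """Return (domain, user) for 'DOMAIN\\user' or 'user@domain'.
    Domain is '' when the name carries no prefix; domains compare case-insensitively."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return domain.lower(), user
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return domain.lower(), user
    return "", username


def resolve_servers(username: str, ssid: Optional[str], device: str,
                    domain_map: Dict[str, List[str]], ssid_map: Dict[str, List[str]],
                    device_map: Dict[str, List[str]], defaults: List[str]) -> Tuple[List[str], str]:
    """Return (ordered server list, rule that matched) following the guide's precedence."""
    domain, _ = split_domain(username)
    # 1. A domain prefix that matches a mapping wins outright; servers are tried in list order.
    if domain and domain in domain_map:
        return list(domain_map[domain]), "domain"
    # 2. A mapping with a blank domain catches every user who logs in without a prefix.
    if not domain and "" in domain_map:
        return list(domain_map[""]), "blank-domain"
    # Assumption: a prefix that matches no mapping falls through to the SSID/device rules.
    # 3. Profile chosen for the originating SSID.
    if ssid and ssid in ssid_map:
        return list(ssid_map[ssid]), "ssid"
    # 4. Profile chosen for the originating device (an SSID without its own profile inherits this).
    if device in device_map:
        return list(device_map[device]), "device"
    # 5. System-wide default primary and secondary servers.
    return list(defaults), "default"


def find_user(username: str, servers: List[str], directory: Dict[str, set]) -> Optional[str]:
    """Step 1 detail: walk the mapped servers in order until one of them knows the user.
    `directory` is a constructed stand-in for each server's user store."""
    _, user = split_domain(username)
    for server in servers:
        if user in directory.get(server, set()):
            return server
    return None


# Constructed configuration for the demo (not a real FortiNAC deployment).
DOMAIN_MAP = {"corp": ["radius-corp-1", "radius-corp-2"], "": ["radius-local"]}
SSID_MAP = {"Guest-WiFi": ["radius-guest"]}
DEVICE_MAP = {"wlc-01": ["radius-wlc"]}
DEFAULTS = ["radius-primary", "radius-secondary"]
DIRECTORY = {"radius-corp-1": {"dave"}, "radius-corp-2": {"alice"}}


def demo(username: str, ssid: Optional[str], device: str,
         domain_map: Dict[str, List[str]] = DOMAIN_MAP) -> Tuple[List[str], str, Optional[str]]:
    """Resolve the server list, then report which server (if any) holds the user."""
    servers, rule = resolve_servers(username, ssid, device, domain_map,
                                    SSID_MAP, DEVICE_MAP, DEFAULTS)
    return servers, rule, find_user(username, servers, DIRECTORY)


if __name__ == "__main__":
    cases = [("CORP\\alice", "Guest-WiFi", "wlc-01"),
             ("bob", "Guest-WiFi", "wlc-01"),
             ("other\\carol", "Staff", "sw-09")]
    for name, ssid, dev in cases:
        print(f"{name} on {ssid}/{dev} -> {demo(name, ssid, dev)}")
```

The blank-domain case is the one that surprises people: with `""` mapped, `bob` on `Guest-WiFi` never reaches the SSID profile at all, exactly as the note under step 2 warns. Remove the blank mapping and the same user falls to the SSID rule, then to the device rule, then to the defaults.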
