Administration Guide

7.4.0

Legacy Proxy

Note

This feature has been deprecated for 7.4+.

Overview

Enabled by default.

Authentication:

  • FortiNAC processes RADIUS MAC but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

  • FortiNAC-OS Requirement: "radius" option must be included in the "set allowaccess" command. See Open ports for details.

Accounting:

  • FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

  • FortiNAC-OS Requirement: "radius-acct" option must be included in the "set allowaccess" command. See Open ports for details.

FortiNAC works with standard RADIUS server products, including FortiAuthenticator, FreeRADIUS, Steel Belted RADIUS, Microsoft IAS, Cisco ACS, and RADIATOR. To use an external server, a RADIUS server profile must be created in FortiNAC; the profile can then be assigned as the authentication method for the FortiNAC system as a whole or for a specific device.

You can create an unlimited number of RADIUS server profiles. Several configuration options are available:

  • System-wide: Default primary and secondary profiles assigned at the system level are used for both captive portal and administrator authentication.
  • In an 802.1x environment:
    • Profiles can be assigned for each individual device.
    • Profiles can be assigned for individual SSIDs.
    • Profiles can be mapped to domains: the domain name prefix in the user name of the user logging onto the network selects the profile.
    • Profiles can be mapped to a blank domain, which covers any authenticating user whose user name has no domain name prefix.

Fortinet-Group-Name: If the reply attributes contain "Fortinet-Group-Name", FortiNAC creates (as needed) a new FortiNAC group of type user and adds the authenticated user to it; the group can then be used in network access policy. Because group membership, and therefore policy, is driven by a value in the RADIUS reply, and a classic RADIUS reply is authenticated only by an MD5 over the packet and the shared secret, the trustworthiness of these groups rests on a strong shared secret and on the external server's own group mapping.

This also applies to cases where FortiNAC is the RADIUS client originating the portal authentication.

When an authentication request is proxied to the external RADIUS server and the response is received, FortiNAC does the following:

  1. Extract the group names from the "Fortinet-Group-Name" attribute.
  2. For each group name, look up the user group whose name is built from the prefix "RADIUS", the proxy server profile name, and the group name. For example, group "Employee" returned via proxy server profile "FAC1" maps to the user group "RADIUS/FAC1/Employee".
  3. If the user group is not found, create it.
  4. Find the user record for the user.
  5. If the user record is not found, create it.
  6. If the user record is not a member of the user group, add it.
  7. Iterate over all existing user groups whose names start with the "RADIUS/<profile name>/" prefix but that were not in the returned Fortinet-Group-Name list; if the user record is a member of any of them, remove it.

Only groups under that profile's prefix are touched: groups created for other proxy server profiles, and groups not created by this mechanism, are left as they are.
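The reconciliation steps above, as an added example that is not FortiNAC's code: a Python model of the steps run against an in-memory group store. The "RADIUS/<profile>/<group>" naming follows the text; treating each repeated Fortinet-Group-Name attribute instance as one group name, and the sample groups, users and reply, are assumptions constructed for the example.

```python
# Added example (not FortiNAC code): the Fortinet-Group-Name reconciliation
# described above, run against an in-memory model of the NAC's user groups.
# Group naming follows the "RADIUS/<profile>/<group>" form from the text; the
# handling of repeated attribute instances in extract_group_names is an assumption.
from typing import Dict, Iterable, List, Set, Tuple


def group_prefix(profile_name: str) -> str:
    """Prefix shared by every group this proxy server profile may manage."""
    return f"RADIUS/{profile_name}/"


def extract_group_names(reply_attrs: Iterable[Tuple[str, str]]) -> List[str]:
    """Step 1. reply_attrs is the decoded reply as (attribute name, value) pairs.
    Assumes one group per Fortinet-Group-Name instance; blank and duplicate
    values are dropped so they cannot create empty or repeated groups."""
    seen, names = set(), []
    for name, value in reply_attrs:
        value = value.strip()
        if name == "Fortinet-Group-Name" and value and value not in seen:
            seen.add(value)
            names.append(value)
    return names


def sync_radius_groups(profile_name: str, returned_groups: Iterable[str], user: str,
                       groups: Dict[str, Set[str]], users: Set[str]
                       ) -> Tuple[List[str], List[str], List[str]]:
    """Steps 2 to 7. groups: group name -> set of member user names (mutated in
    place); users: set of known user records (mutated in place).
    Returns (groups created, groups the user was added to, groups the user was
    removed from), each sorted, so the effect of one reply is auditable."""
    prefix = group_prefix(profile_name)
    wanted = {prefix + g for g in returned_groups}
    created, added, removed = [], [], []
    for name in sorted(wanted):               # steps 2-3: find or create the group
        if name not in groups:
            groups[name] = set()
            created.append(name)
    if user not in users:                     # steps 4-5: find or create the user
        users.add(user)
    for name in sorted(wanted):               # step 6: ensure membership
        if user not in groups[name]:
            groups[name].add(user)
            added.append(name)
    for name in sorted(groups):               # step 7: drop stale memberships,
        if name.startswith(prefix) and name not in wanted and user in groups[name]:
            groups[name].discard(user)        # but only under this profile's prefix
            removed.append(name)
    return created, added, removed


# Constructed sample state: what the NAC might hold before a reply for "bob".
SAMPLE_GROUPS = {
    "RADIUS/FAC1/Employee": {"alice", "bob"},
    "RADIUS/FAC1/Contractor": {"bob"},   # stale for bob if not returned again
    "RADIUS/FAC2/Employee": {"bob"},     # other profile: must stay untouched
    "Local/Staff": {"bob"},              # not a RADIUS group: must stay untouched
}
SAMPLE_USERS = {"alice", "bob"}
# Constructed sample reply, already decoded to (attribute name, value) pairs.
SAMPLE_REPLY = [("Fortinet-Group-Name", "Employee"), ("Reply-Message", "ok"),
                ("Fortinet-Group-Name", "Guest"), ("Fortinet-Group-Name", "Employee")]


def demo():
    """Run the sample reply for bob via profile FAC1; returns (result, groups)."""
    groups = {k: set(v) for k, v in SAMPLE_GROUPS.items()}
    users = set(SAMPLE_USERS)
    result = sync_radius_groups("FAC1", extract_group_names(SAMPLE_REPLY),
                                "bob", groups, users)
    return result, groups


if __name__ == "__main__":
    print(demo())
```

The model makes one consequence of the last step visible: a reply that carries no Fortinet-Group-Name at all (an empty wanted set) removes the user from every group under that profile's prefix, while groups belonging to other profiles and locally created groups are left alone. The returned lists give an audit trail of what a single reply changed.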

Configuration

RADIUS Proxy port configuration

Allows the RADIUS proxy service to be disabled or the Authentication and Accounting ports to be changed. These ports are independent of each other. This enables FortiNAC to proxy Accounting traffic while processing Authentication requests locally when device models are configured for Local RADIUS Authentication Mode.

RADIUS Server profiles

The first RADIUS Server added becomes the primary server by default. As more servers are added, you can modify which server is the primary.

The authentication method for user names and passwords passed between FortiNAC and the RADIUS server must be PAP (not CHAP or MS-CHAP). With PAP the password travels in the User-Password attribute, hidden only by the RFC 2865 MD5 construction keyed with the shared secret, so use a long random secret and keep the FortiNAC-to-RADIUS path on a trusted management network. This affects the following accounts or user names and passwords created on the RADIUS server:

  • The validation account created for communication with FortiNAC and entered in the RADIUS Server Profile configuration.
  • Network users that access the network via the captive portal and are authenticated through RADIUS.
  • Admin UI users authenticated through RADIUS.
  • VPN Users authenticated through RADIUS.

FortiNAC attempts to contact a RADIUS server when you add it to the list. If the server is not currently reachable (for example, it is not yet connected to the network), you are asked whether you want to add the server anyway.
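The PAP requirement and the server check above, as an added example that is not FortiNAC's or any vendor's code: a standard-library Python implementation of the RFC 2865 User-Password hiding and Response Authenticator, plus a hypothetical one-shot probe (check_server) that sends an Access-Request with a validation account and classifies the answer. The shared secret, user names and passwords are constructed sample values. The host running the probe must itself be registered as a client on the RADIUS server; otherwise the request is silently discarded (RFC 2865, section 3) and the probe reports a timeout.

```python
# Added example (not FortiNAC or any vendor's code): RFC 2865 PAP credential
# hiding and reply verification, which is all the "RADIUS Secret" provides.
# The secret, user names and passwords used with it are constructed sample values.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-octet multiple (minimum 16), then
    c1 = p1 XOR MD5(S+RA), ci = pi XOR MD5(S+c(i-1)). No cipher is involved:
    anyone holding the secret, or able to guess it offline, recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        out += block
        prev = block            # chaining value is the previous hidden block
    return bytes(out)


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server, or an on-path secret holder, does)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, stream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, total length, value (value <= 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> list:
    """[(type, value), ...] from the attribute area; rejects truncated TLVs."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs


def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int = 0, request_auth: bytes = None) -> bytes:
    """Client side (FortiNAC's role toward the external server). The Request
    Authenticator must be fresh and random: reuse lets an eavesdropper XOR two
    hidden passwords against each other."""
    ra = os.urandom(16) if request_auth is None else request_auth
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def build_response(secret: bytes, request_auth: bytes, code: int,
                   identifier: int, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request_auth: bytes, response: bytes) -> bool:
    """Client side: the only integrity check on a reply (including any
    Fortinet-Group-Name it carries) is this MD5 over the reply and the secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def check_server(host: str, port: int, secret: bytes, username: bytes,
                 password: bytes, timeout: float = 3.0) -> str:
    """Hypothetical validation probe for a server profile: one Access-Request with
    the validation account. Returns 'accept', 'reject', 'bad-auth' (reply failed
    verification: wrong secret or tampering) or 'timeout' (unreachable, or this
    host is not a registered client, which the server discards silently)."""
    ra, ident = os.urandom(16), 7
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(secret, username, password, ident, ra), (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not verify_response(secret, ra, resp) or resp[1] != ident:
        return "bad-auth"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"
```

What the code makes concrete: the User-Password is not encrypted with a cipher but XORed against MD5(secret || authenticator) blocks, and the reply is authenticated by an MD5 over the packet and the secret. Both are exactly as strong as the shared secret, which is why the RADIUS Secret should be long and random and the FortiNAC-to-RADIUS path confined to a trusted network or an IPsec tunnel. The optional Message-Authenticator attribute (RFC 2869), an HMAC-MD5 over the packet, is not modelled here.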

  1. Click Network > RADIUS
  2. Click Proxy from the upper right hand corner.

Configure Proxy service

  1. Modify the following as appropriate:
    • Authentication Port: Enables/disables the service and defines the authentication port for the RADIUS Proxy. Default: Enabled, 1812 (Cannot be set to the same port as Local RADIUS Authentication port)
    • Accounting Port: Enables/disables the service and defines the accounting port for the RADIUS Proxy. Default: Enabled, 1813
  2. Click Save Settings. Changes to the configuration apply within 0-30 seconds.

Add a profile

  1. Click Add.
  2. Enter the parameters for the RADIUS Server profile.
  3. Click the RADIUS Secret field to enter the RADIUS secret.
  4. Enter the User Name.
  5. Click the Password field to enter the Password information.

    Profile Name: Name displayed in the RADIUS server list.

    Host Name/IP address: Host name or IP address of the RADIUS server. If you are generating certificates using an NSRADIUS appliance, the Fully Qualified Domain Name is required.

    RADIUS Secret: Shared secret configured identically on FortiNAC and on the RADIUS server. It authenticates RADIUS packets in both directions and keys the hiding of the User-Password attribute; it is not a general encryption key, so choose a long random value and do not reuse it across RADIUS clients.

    Authentication Port: UDP port on which the RADIUS server accepts authentication requests (1812 by convention).

    Accounting Port: UDP port that the RADIUS server uses for accounting, if accounting is used (1813 by convention). If your RADIUS server does not use accounting features, leave the check box blank.

    Last Modified By: User name of the last user to modify the RADIUS Server profile.

    Last Modified Date: Date and time of the last modification to this RADIUS Server profile.

    Validation account

    User Name: User name for verifying access to the RADIUS Server. This field is required, but it is only used when multiple RADIUS Servers are configured. You must create an account on the RADIUS Server for FortiNAC to use when communicating with that server; its authentication method must be PAP.

    Password: Password for verifying access to the RADIUS server. This field is required.

  6. New servers are saved automatically.
  7. Repeat as needed for additional RADIUS servers.

Modify a profile

  1. Click Network > RADIUS > Proxy
  2. Select the RADIUS Server profile and click Modify.
  3. Make the changes. Changes are saved automatically.

Delete a profile

  1. Click Network > RADIUS > Proxy
  2. Select the RADIUS Server profile and click Delete.
