Skip to main content
tnesh
Staff & Editor
tnesh
Staff & Editor
January 3, 2025

Technical Tip: How to configure Radius over TLS (RADSEC) using FortiAuthenticator as Radius Server

  • January 3, 2025
  • 0 replies
  • 1624 views
Description This article describes how to configure Radius over TLS (RADSEC) using FortiAuthenticator as Radius server.
Scope FortiManager/FortiAnalyzer v7.4.6, v7.6.2 and above.
Solution

FortiAuthenticator:

  • Make sure FortiAuthenticator has enabled RADSEC:
    FortiAuthenticator -> System -> Network -> Interfaces -> Enable RADSEC.

 

fac-enable-radsec.png

 

  • Make sure RADSEC certificate -> CN has FortiAuthenticator FQDN:
    • 'radius_cert_fqdn' will be used as the RADSEC server certificate in this example.
    • FortiAuthenticator FQDN: lfac.fortilab.com.

 

radsec-cert-fqdn.png

 

  • Export the CA certificate that is used to sign the RADSEC certificate.

'lfac_root_ca' (FortiAuthenticator Local CA) is used to sign the 'radius_cert_fqdn' certificate.

 

export-ca-cert.gif

 

  • Create new Radius Clients:
    FortiAuthenticator -> Authentication -> RADIUS Service -> Clients -> Create New.

 

fac-client.png

 

  • Create new Radius Policies:
    FortiAuthenticator -> Authentication -> RADIUS Service -> Policies -> Create New.

 

fac-policies.png

 

  • Select RADSEC Server certificate:
    FortiAuthenticator -> Authentication -> RADIUS Service -> Certificates -> Select the correct certificate.

 

fac-certificate.png

 

  • RADSEC port:
    FortiAuthenticator -> Authentication -> RADIUS Service -> Services -> Capture/edit RADSEC port.

 

fac-radsec-port.png

 

  • Allow RADIUS authentication for FortiAuthenticator users:
    FortiAuthenticator -> Authentication -> User Management.

fac-user-allow-radius.png

 

FortiManager:

  • Import RADSEC server certificate:
    FortiManager -> System Settings -> Certificates -> Import -> CA Certificate.

 

fmg-import-ca-cert.gif

 

  • Create and configure Radius remote authentication server:
    FortiManager -> System Settings -> Remote Authentication server -> Create New -> Radius Server.

Server Name/IP

<Radius server FQDN>

Port

2083 (radsec default port)

Server Secret

<radius secret>

Authentication Type

<radius authentication method>

ca-cert

<radsec server certificate>

protocol

tls

 

fmg-radius-server-settings.png

 

  • Create Administrator with RADIUS type:

Wildcard users will be used as an example:
FortiManager -> System Settings -> Administrators -> Create New.

 

fmg-administrator-radius.png

 

Test Scenario:

Go to FortiManager/FortiAnalyzer GUI and log in with the Radius user.

 

Troubleshooting guide:

  • Enable debugging and look for any error message from the debug output:

 

diagnose debug application auth 255

diagnose debug timestamp enable

diagnose debug enable

 

  • Once debug is enabled, log in with the Radius user and verify the debug output log.

Sample output:

 

FMG # diag debug application auth 255
FMG # diag debug timestamp enable
FMG # diag debug enable
2025-01-03 11:26:46 s81: auth request: user=rad-rw from=GUI(10.10.0.21)
2025-01-03 11:26:46 s81: wildcard admin: radius-rw
2025-01-03 11:26:46 s81: start radius: lfac-radius
2025-01-03 11:26:46 s81:lfac-radius: connecting to server 0: lfac.fortilab.com ip=10.10.10.10 port=2083/tcp
2025-01-03 11:26:46 s81:lfac-radius: send request: type=pap id=26
2025-01-03 11:26:46 s81:lfac-radius: TLSv1.3 connected using TLS_AES_256_GCM_SHA384
2025-01-03 11:26:46 s81:lfac-radius: got reply: code=accept(2) id=26
2025-01-03 11:26:46 s81:lfac-radius: Ftnt-Group: write
2025-01-03 11:26:46 s81:lfac-radius: success
2025-01-03 11:26:46 s81: wildcard admin matched: radius-rw
2025-01-03 11:26:46 s81: auth result: success

 

  • To disable debug output:

diagnose debug reset
diagnose debug disable
    Terms & ConditionsAccessibility statement