Skip to main content
ByteHaven
ByteHaven
Explorer II
April 26, 2026
Solved

FortiNAC RADIUS Configuration – Is Winbind Required?

  • April 26, 2026
  • 3 replies
  • 77 views

Hello FNAC admins,

Is it necessary to configure the Winbind part for RADIUS authentication to work properly? Or can RADIUS function normally without integrating Winbind.

Thanks in advance,

BR,

 

Best answer by Markus_M

winbind, as AEK said, is used only for local RADIUS.
That is not entirely correct/complete – Only if your clients require speaking EAP-MSCHAPv2 over RADIUS. For other EAP methods winbind plays no role.

3 replies

AEK
SuperUser
AEK
SuperUser
April 26, 2026

Hi BH

You configure Winbind only if you use FNAC’s local RADIUS.

In case you use RADIUS proxy then it doesn’t require Winbind.

AEK
ByteHaven
ByteHavenAuthor
Explorer II
April 27, 2026

Hello AEK,

 

Local RADIUS, means FortiNAC is the RADIUS server, right ? 

 

BR,

AEK
SuperUser
AEK
SuperUser
April 27, 2026

Correct.

AEK
    Markus_M
    Staff & Editor
    Markus_MAnswer
    Staff & Editor
    April 27, 2026

    winbind, as AEK said, is used only for local RADIUS.
    That is not entirely correct/complete – Only if your clients require speaking EAP-MSCHAPv2 over RADIUS. For other EAP methods winbind plays no role.

      ByteHaven
      ByteHavenAuthor
      Explorer II
      April 27, 2026

      Hello Markus,

       

      In case we configure PAP as authentication type on Fortigate :

      • config user radius
      • edit 
      • set auth-type pap

       we don’t need windbind,correct ?

       

      BR,

       

      Markus_M
      Staff & Editor
      Markus_M
      Staff & Editor
      April 29, 2026

      The FortiGate config doesn’t say much about EAP, it is more important where the object (edit X) is used (WPA Enterprise or 802.1x auth require some EAP method).

      It will depend on the client setting. RADIUS is spoken between FortiGate and the RADIUS server (NAC here), while EAP is tunneled inside RADIUS, but is spoken between the workstation and RADIUS server. The two nodes negotiate the method as well and a result can be EAP-MSCHAPv2.
      Because of that, the FortiGate config won't give an option what EAP method is to be used.

      You can run a packet capture on RADIUS and check the RADIUS packets. Inside them there is EAP and in the first packets you will see the negotiation.

      Emirjons article shows in the first screenshot the Windows setting for when Windows is an EAP client

        ebilcari
        Staff
        ebilcari
        Staff
        April 27, 2026

        Some details are explained here:

         

        Emirjon
          ByteHaven
          ByteHavenAuthor
          Explorer II
          April 27, 2026

          Hello Emirjon,

           

          I will have a look at the article, thank you for sharing.

           

          BR,

            Terms & ConditionsAccessibility statement