robinh007
Explorer III
March 14, 2025
Solved

Creation of Custom VSA

We are planning to utilize a RADIUS server for LDAP and OTP authentication. Our objective is to send the Username, Password, and OTP in a single request. To achieve this, we need to create a Custom Vendor-Specific Attribute (VSA) in the FortiGate firewall. This will enable us to include the OTP along with the Username and Password for authentication purposes. Could you please provide the detailed procedure for creating a Custom VSA in the FortiGate firewall?

 

FortiGate 

Best answer by dingjerry_FTNT

3 replies

Stephen_G
Moderator
March 16, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen_G - Fortinet Community Team
dingjerry_FTNT
Staff
March 16, 2025

Hi @robinh007,

I am unfamiliar with RADIUS and have never heard of including a Username, Password, and OTP in one RADIUS request.

Here is the article about Fortinet's RADIUS Dictionary and VSAs (latest):

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-s-RADIUS-Dictionary-and-VSAs-latest/ta-p/194896

AEK
SuperUser
March 17, 2025

I think it depends on the authentication protocol (PAP, CHAP, MSCHAP2 & EAP). Some support challenge response, some support concatenated password-OTP and some may support both.

AEK
robinh007
Author
Explorer III
March 20, 2025

We have defined the protocol as PAP in our RADIUS server.

AEK
SuperUser
March 20, 2025

PAP is insecure but it supports password-token concatenation.

AEK
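
The password-token concatenation over PAP mentioned in the last reply, as an added example that is not part of the thread and not Fortinet code: with PAP the combined string travels in the standard User-Password attribute, hidden only by the MD5 keystream of RFC 2865 section 5.2, and the RADIUS server splits it again before checking each factor. The 6-digit token length, the shared secret, and the credentials are constructed assumptions.

```python
import hashlib

OTP_DIGITS = 6  # assumption: fixed-length numeric token appended to the password


def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_user_password(cleartext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side of RFC 2865 section 5.2 User-Password hiding."""
    if not 0 < len(cleartext) <= 128 or len(authenticator) != 16:
        raise ValueError("need 1..128 password bytes and a 16-byte authenticator")
    padded = cleartext + b"\x00" * (-len(cleartext) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: anyone holding the shared secret recovers the cleartext."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def split_password_otp(combined: bytes, otp_digits: int = OTP_DIGITS):
    """Split 'password' + 'OTP' before checking LDAP and the token separately."""
    password, otp = combined[:-otp_digits], combined[-otp_digits:]
    if not password or not otp.isdigit():
        raise ValueError("expected a password followed by a numeric OTP")
    return password, otp.decode("ascii")


def demo():
    secret, authenticator = b"constructed-shared-secret", bytes(range(16))  # constructed
    hidden = hide_user_password(b"Winter-Pass#2025" + b"492031", secret, authenticator)
    return split_password_otp(recover_user_password(hidden, secret, authenticator))


if __name__ == "__main__":
    print(demo())
```

Because the password and the token are recoverable by any holder of the shared secret, the strength of that secret and the network path between the NAS and the RADIUS server are what protect both factors in this mode.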