j0ma
New Member
March 3, 2025
Solved

FAC - Duplicate entries for RADIUS Client

  • March 3, 2025
  • 3 replies
  • 2651 views

I have a maybe silly question, but maybe someone can answer it.

We have FAC setup with RADIUS clients in a 10.10.0.0/16 subnet, mainly used towards switches for MAB.

The thing is we want to configure VPN for a firewall with an IP in the same subnet. Is it possible to configure this as a /32 without it being affected in the /16 subnet policy?

Best answer by Markus_M

3 replies

Anthony_E
Staff
March 6, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards
Anthony_E
Staff
March 6, 2025

Hi again,

I may have found something:

To handle duplicate entries for a RADIUS client in FortiAuthenticator, you can differentiate between policies using specific RADIUS attribute criteria.

  1. Identify Policies: Ensure you have identified all the policies associated with the RADIUS client.
  2. Use RADIUS Attribute Criteria: Utilize specific RADIUS attribute criteria to distinguish between different policies. This can help in directing the authentication requests to the correct policy.
  3. Set Priorities: If applicable, set priorities for the policies to determine which policy should be matched first.
  4. Test Configuration: After configuring, test to ensure that the correct policy is being matched for the intended users.
Best Regards
j0ma (Author)
New Member
March 6, 2025

Sounds like you are on to something, thanks for your reply.

In the Attribute Criteria, I need to find something synonymous with the RADIUS clients. I wanted to test with nas-identifier. It seems the string needs to match exactly; I could not find begins-with/ends-with or contains. Is this a limitation, or could I use, for example, regular expressions?

ebilcari
Staff
March 6, 2025

I would suggest following the long path to avoid any faults: try to divide the /16 supernet into smaller subnets and leave the FGT subnet out of it. The shared secret matching for all the devices may also be an issue.

If that is not doable, you can specify a different IP for the FGT to source its RADIUS requests from. If all of the existing IPs of the FGT still fall under the subnet 10.10.0.0/16, you can also create a loopback as long as it's routed to FAC; more details can be found in this section of the guide.

Emirjon
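The "split the /16 and leave the firewall out" approach above can be planned ahead of time rather than worked out by hand. The following is an added example written for this thread, not FortiAuthenticator code or anything from the posters: it takes the existing switch client subnet and a firewall address (the 10.10.5.1 value is a constructed placeholder), reports that the two entries overlap, and computes the smallest set of subnets that still covers every other host in the /16 so the firewall can get its own client entry without being matched by the switch policy. The result is 16 entries (one per prefix length from /17 to /32), which is the price of carving a single host out of a /16; an overlap check on the new set confirms the firewall is no longer covered twice.

```python
"""Plan RADIUS client subnets so a single host can be carved out of a supernet.

Added example for this thread, not FortiAuthenticator code. Sample
addresses are constructed; only 10.10.0.0/16 comes from the question.
"""
import ipaddress
from typing import Dict, List, Tuple


def carve_out_host(supernet: str, excluded_host: str) -> List[str]:
    """Return the subnets that cover `supernet` with `excluded_host` removed.

    address_exclude() splits the supernet along the path to the excluded
    address, so a /16 minus one /32 becomes 16 subnets (/17 .. /32).
    """
    net = ipaddress.ip_network(supernet, strict=True)
    host = ipaddress.ip_network(excluded_host, strict=True)
    if host.prefixlen != 32:
        raise ValueError("excluded_host must be a single /32 address")
    if not host.subnet_of(net):
        raise ValueError(f"{host} is not inside {net}")
    return [str(n) for n in sorted(net.address_exclude(host))]


def find_overlaps(clients: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report every pair of RADIUS client entries whose subnets overlap.

    Overlap is the condition the thread is worried about: a request from an
    address inside two entries may be matched by the wrong policy, so flag
    it before committing the configuration.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in clients.items()}
    names = sorted(parsed)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if parsed[a].overlaps(parsed[b])]


def covers_all_but_host(supernet: str, excluded_host: str, carved: List[str]) -> bool:
    """Sanity check: carved subnets are disjoint, lie inside the supernet,
    exclude the host, and account for every other address."""
    net = ipaddress.ip_network(supernet)
    host = ipaddress.ip_address(excluded_host.split("/")[0])
    nets = [ipaddress.ip_network(c) for c in carved]
    if any(host in n for n in nets):
        return False
    if any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:]):
        return False
    total = sum(n.num_addresses for n in nets)
    return all(n.subnet_of(net) for n in nets) and total == net.num_addresses - 1


if __name__ == "__main__":
    SWITCH_CLIENT = "10.10.0.0/16"   # existing client entry from the question
    FIREWALL = "10.10.5.1/32"        # constructed placeholder firewall address

    # The situation asked about: a /32 nested inside the /16 entry.
    print("overlaps before:", find_overlaps({"switches-mab": SWITCH_CLIENT,
                                             "fgt-vpn": FIREWALL}))

    # The suggested fix: re-create the switch entry as the carved subnets.
    pieces = carve_out_host(SWITCH_CLIENT, FIREWALL)
    for p in pieces:
        print(p)
    ok = covers_all_but_host(SWITCH_CLIENT, FIREWALL, pieces)
    print(len(pieces), "entries;", "valid" if ok else "INVALID")

    new_clients = {f"switches-mab-{i}": p for i, p in enumerate(pieces)}
    new_clients["fgt-vpn"] = FIREWALL
    print("overlaps after:", find_overlaps(new_clients))
```

Each carved subnet would become its own RADIUS client entry sharing the switch policy, while the firewall gets a separate /32 entry with its own policy and shared secret. Run the overlap check once more after adding any further client before saving, since a second nested host would need the carve repeated against whichever piece contains it.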
j0ma (Author)
New Member
June 2, 2025

I solved this by alternating shared secrets.

But I did not get an answer to my question regarding the matched RADIUS attribute. Is it a limitation to match on an exact string/integer, or is it possible to use regexp (or similar)?

Markus_M (Best answer)
Staff & Editor
June 2, 2025

You can only match to a substring with the given option if present ("Allow substring match").

Regex or wildcards are not possible.