Skip to main content
Adam_Rimsky
Staff
Adam_Rimsky
Staff
December 7, 2022
Question

FortiNAC - internal Radius server attributes how to

  • December 7, 2022
  • 2 replies
  • 2133 views

Hello.

 

I am playing with the Radius attribute setup in FortiNAC (9.4.1) and probably missing logic behind these settings.

What I would like to achieve is a solution that FortiNAC returns to the switch a specific value of Service-Type attribute when the admin user do login to the CLI of the switch.

FortiNAC internal Radius works for this type of authentication for example with the FortiSwitch. But FSW does not need to get in the Accept message any specific attribute.

I have created a new attribute in the Radius config and assigned this attribute to the switch as its default Radius attribute but in the pcap I do not see any attribute to be sent back to the test switch in the accept message. 

Could you please help me to figure out what is the correct way how to configure the new Radius attribute? FAC or MS NPS works with authentication realms that contain some kind of conditions to be used and action that should be taken. Is this anyhow similar to attribute creation in FortiNAC and how exactly works parameter %ACCESS_VALUE%? Thank you very much.

2 replies

A
Anonymous_User
New Contributor III
December 8, 2022

Hello Adam

The way i see it is :

1-Copy the RFC VLAN attribute

2-Edit that one , and give it another name For exmaple TestAttrbGrp

3-In the attribute editor window from the left side pick the Service type attribute and add it to the right side with RFC vlan , Fill its value with the one you need

4-Apply this TestAttrbGrp to the model configuration tab in the attribute group drop down menu

Adam_Rimsky
Staff
Adam_RimskyAuthor
Staff
December 8, 2022

Hello Edvin,

thank you for your answer.

The approach you described is valid. The root cost of my issue with no attribute to be sent back to the client seems to be the fact that the FNAC Radius server requires to get NAS-Identifier and Calling-Station-Id attributes in the Radius request to send any attribute back to the Radius client. When those attributes are received all works fine.

Terms & ConditionsAccessibility statement