Created on 06-04-2025 07:51 AM
Edited on 06-04-2025 07:52 AM
By Jean-Philippe_P
Description
This article describes how to differentiate RADIUS traffic on FortiAuthenticator-Cloud. When RADIUS Clients are configured on FortiAuthenticator-Cloud, the source IP of the RADIUS clients is translated before the request reaches the service, so the address FortiAuthenticator-Cloud sees is not the client's own address. To avoid dropping traffic from different RADIUS Clients, it is recommended to configure a single RADIUS Client entry with the IP range 0.0.0.0-255.255.255.255. Because every request then matches the same client entry, the RADIUS Client alone cannot be used to distribute traffic across RADIUS Policies: all traffic would match the same policy. The additional policy criteria described in the Solution section address this.
Scope
FortiAuthenticator-Cloud (FortiTrust-Id).
Solution
Additional configuration is required when setting up RADIUS Policies on FortiAuthenticator-Cloud. Because the RADIUS Client is preconfigured with an ANY (0.0.0.0-255.255.255.255) address list, as explained above, it cannot be used as a reliable criterion for policy matching; a RADIUS attribute criterion must be added to each policy to differentiate traffic and apply the intended policy.
Suitable alternative criteria are NAS-IP-Address (set by the RADIUS client, on a FortiGate the configured nas-ip) or Framed-IP-Address (tied to the user session). Both are attributes placed in the request by the client itself, so they are a criterion for selecting a policy, not a control that authenticates the client: a client can send any NAS-IP-Address value. Two clients that must land in different policies therefore need to send distinct attribute values, for example a distinct nas-ip on each FortiGate. In the debug log of this example the FortiGate sends Framed-IP-Address = 0.0.0.0, so NAS-IP-Address is the usable criterion here.
In the following example, one FortiGate firewall is connected to FortiAuthenticator-Cloud and must match a specific RADIUS Policy named Test-Policy. The FortiGate RADIUS server object sets the NAS IP that is sent as the NAS-IP-Address attribute:

config user radius
    edit "FortiTrust-ID"
        set server "e98au1c4.fortitrustid.forticloud.com"
        set secret ENC….
        set nas-ip 10.10.100.100    <--- NAS IP is predefined here and sent as NAS-IP-Address.
        set radius-port 2083
        set transport-protocol tls
        set tls-min-proto-version TLSv1-3
        set ca-cert "CA_Cert_6"
    next
end
On FortiAuthenticator-Cloud, the RADIUS Policy Test-Policy is configured with NAS-IP-Address = 10.10.100.100 as its RADIUS attribute criterion; all other parameters of the policy remain as usual. The resulting policy is bound to the FortiGate client entry (0.0.0.0~255.255.255.255) and matches only requests carrying NAS-IP-Address 10.10.100.100. In the debug log below, the request arrives from the translated source address 10.103.192.165, which matches the ANY client entry, while attribute 4 (NAS-IP-Address) with value 10.10.100.100 is what selects Test-Policy.
Testing and Debug-Logs:
2025-06-03T05:38:04.110412-07:00 FortiAuthenticator radiusd[21180]: Waking up in 29.3 seconds.
2025-06-03T05:38:04.303469-07:00 FortiAuthenticator radiusd[21180]: (0) (TLS): Access-Request packet from host 10.103.192.165 port 50506, id=35, length=145
2025-06-03T05:38:04.303643-07:00 FortiAuthenticator radiusd[21180]: Waking up in 0.3 seconds.
2025-06-03T05:38:04.303826-07:00 FortiAuthenticator radiusd[21180]: (7) Received Access-Request Id 35 from 10.103.192.165:50506 to 0.0.0.0:2083 length 145
2025-06-03T05:38:04.303840-07:00 FortiAuthenticator radiusd[21180]: (7) User-Password = <<< secret >>>
2025-06-03T05:38:04.303851-07:00 FortiAuthenticator radiusd[21180]: (7) User-Name = "testuser" <-- User tested
2025-06-03T05:38:04.303855-07:00 FortiAuthenticator radiusd[21180]: (7) NAS-Identifier = "FW-ORIFW"
2025-06-03T05:38:04.303860-07:00 FortiAuthenticator radiusd[21180]: (7) Framed-IP-Address = 0.0.0.0
2025-06-03T05:38:04.303864-07:00 FortiAuthenticator radiusd[21180]: (7) NAS-IP-Address = 10.10.100.100 <-- Traffic coming from this NAS IP address (the value configured as nas-ip on the FortiGate)
2025-06-03T05:38:04.303875-07:00 FortiAuthenticator radiusd[21180]: (7) NAS-Port-Type = Virtual
2025-06-03T05:38:04.303878-07:00 FortiAuthenticator radiusd[21180]: (7) Called-Station-Id = "10.10.100.100"
2025-06-03T05:38:04.303882-07:00 FortiAuthenticator radiusd[21180]: (7) Acct-Session-Id = "00000f220ecab001"
2025-06-03T05:38:04.303886-07:00 FortiAuthenticator radiusd[21180]: (7) Connect-Info = "test"
2025-06-03T05:38:04.303889-07:00 FortiAuthenticator radiusd[21180]: (7) Fortinet-Vdom-Name = "root"
2025-06-03T05:38:04.304018-07:00 FortiAuthenticator radiusd[21180]: (7) Message-Authenticator = 0x786edd08cb0e6da6eff5aad06739c485
2025-06-03T05:38:04.304064-07:00 FortiAuthenticator radiusd[21180]: (7) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2025-06-03T05:38:04.304197-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: ===>NAS IP:10.103.192.165 <-- Translated source address, not the NAS-IP-Address attribute
2025-06-03T05:38:04.304207-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: ===>Username:testuser
2025-06-03T05:38:04.304216-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: WARNING: client 10.103.192.165, id=35, cannot get request arrival time.
2025-06-03T05:38:04.304858-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Found authclient from preloaded authclients list for 10.103.192.165: FortiGate (0.0.0.0~255.255.255.255) <--- The auth client is checked against the (0.0.0.0~255.255.255.255) list, as the source RADIUS client IP address can differ.
2025-06-03T05:38:04.305763-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Found vendor 0, attr 4 --> "10.10.100.100" <-- RADIUS attribute matched (attribute 4 is NAS-IP-Address)
2025-06-03T05:38:04.305774-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Found authpolicy 'Test-Policy' for client '0.0.0.0~255.255.255.255' <---- AuthPolicy found
2025-06-03T05:38:04.305882-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Client type: external (subtype: radius)
2025-06-03T05:38:04.305891-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Input raw_username: testuser Realm: (null) username: testuser
2025-06-03T05:38:04.305895-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Searching default realm as well
2025-06-03T05:38:04.305901-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Realm not specified, default goes to FAC local user
2025-06-03T05:38:04.637642-07:00 FortiAuthenticator radiusd[21180]: Waking up in 0.4 seconds.
2025-06-03T05:38:04.668259-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: Local user found: testuser
2025-06-03T05:38:04.668277-07:00 FortiAuthenticator radiusd[21180]: (7) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
..................
2025-06-03T05:38:13.578246-07:00 FortiAuthenticator radiusd[21180]: (8) Sent Access-Accept Id 36 from 0.0.0.0:2083 to 10.103.192.165:50506 length 38 <-- User logged in
2025-06-03T05:38:13.578252-07:00 FortiAuthenticator radiusd[21180]: (8) Message-Authenticator := 0x00
2025-06-03T05:38:13.731895-07:00 FortiAuthenticator radiusd[21180]: Waking up in 0.3 seconds.
2025-06-03T05:38:13.731907-07:00 FortiAuthenticator radiusd[21180]: (TLS) Closing socket from client port 50506
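The selection sequence visible in the debug log (client entry chosen from the source IP, then the attribute criterion choosing the policy) as an added Python example; this is not code from the article or from FortiAuthenticator. It encodes a real RFC 2865 Access-Request carrying User-Name, Framed-IP-Address and NAS-IP-Address (attribute 4) with an RFC 2869 Message-Authenticator, then shows that the translated source address 10.103.192.165 matches the ANY client entry while the NAS-IP-Address value is what selects Test-Policy, and that the same request with another NAS-IP-Address does not. The client and policy tables, the top-down evaluation order, the policy named Fallback-Policy and the shared secret are assumptions; the request itself is constructed inline.

```python
"""Added example, not code from the Fortinet article or from FortiAuthenticator.
Encodes a RADIUS Access-Request (RFC 2865) with User-Name, Framed-IP-Address and
NAS-IP-Address plus a Message-Authenticator (RFC 2869), then selects a policy the
way the article's log shows: the client entry matches any source address, so the
NAS-IP-Address attribute decides. Tables, secret and fallback policy are assumed."""
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 8, 80

# Assumed tables. The single ANY client mirrors the article; the policy order
# (assumed top-down) and the Fallback-Policy entry are assumptions.
CLIENTS = [("FortiGate", "0.0.0.0", "255.255.255.255")]
POLICIES = [  # (policy name, client entry, required IP-typed attribute values)
    ("Test-Policy", "FortiGate", {NAS_IP_ADDRESS: "10.10.100.100"}),
    ("Fallback-Policy", "FortiGate", {}),
]


def packed_ip(dotted):
    """Dotted IPv4 string -> 4 network-order bytes, the RADIUS 'address' encoding."""
    return ipaddress.IPv4Address(dotted).packed


def encode_request(identifier, secret, attrs):
    """Build an Access-Request from (type, value-bytes) pairs. Message-Authenticator
    is HMAC-MD5 over the whole packet with its own value zeroed, keyed by the secret."""
    authenticator = os.urandom(16)  # Request Authenticator: random per request
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = 20 + len(body)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body
    mac = hmac.new(secret, packet, "md5").digest()
    return packet[:-16] + mac


def decode_attrs(packet):
    """Return (code, identifier, [(type, value)]) walking the attribute list as a server does."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, attrs


def verify_message_authenticator(packet, secret):
    """True only if the Message-Authenticator was computed with this shared secret;
    a request without the attribute is rejected by this example."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, "md5").digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False


def find_client(source_ip):
    """Client lookup by source address range; with the ANY entry every source matches."""
    ip = ipaddress.IPv4Address(source_ip)
    for name, first, last in CLIENTS:
        if ipaddress.IPv4Address(first) <= ip <= ipaddress.IPv4Address(last):
            return name
    return None


def select_policy(source_ip, packet):
    """Mirror the log: client entry from the source IP, then the first policy for that
    client whose attribute criteria all equal the values carried in the request."""
    client = find_client(source_ip)
    if client is None:
        return None
    present = dict(decode_attrs(packet)[2])
    for name, pol_client, criteria in POLICIES:
        if pol_client != client:
            continue
        if all(present.get(t) == packed_ip(want) for t, want in criteria.items()):
            return name
    return None


def build_request(identifier, secret, user, nas_ip, framed_ip="0.0.0.0"):
    """Request shaped like the FortiGate's: Framed-IP-Address 0.0.0.0, nas-ip as NAS-IP-Address."""
    return encode_request(identifier, secret, [
        (USER_NAME, user.encode()),
        (FRAMED_IP_ADDRESS, packed_ip(framed_ip)),
        (NAS_IP_ADDRESS, packed_ip(nas_ip)),
    ])


def demo(secret=b"constructed-secret"):  # constructed value, not the article's ENC secret
    """Replay the article's case: translated source 10.103.192.165, NAS-IP 10.10.100.100."""
    pkt = build_request(35, secret, "testuser", "10.10.100.100")
    return verify_message_authenticator(pkt, secret), select_policy("10.103.192.165", pkt)


if __name__ == "__main__":
    print(demo())
```

Running the file prints (True, 'Test-Policy'). Changing the NAS-IP-Address passed to build_request to any other value falls through to the fallback policy whatever the source address is, which is why each FortiGate that needs its own policy must be given a distinct nas-ip. verify_message_authenticator also makes the earlier caveat concrete: the integrity check binds the packet to the shared secret, not to the NAS-IP-Address the client claims.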
For configuring RADIUS between FortiGate and FortiAuthenticator-Cloud, refer to the Knowledge Base article below:
Copyright 2025 Fortinet, Inc. All Rights Reserved.