FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Mohammed_Feroz
Article Id 378054
Description This article explains how RADIUS attribute criteria in a FortiAuthenticator RADIUS policy are used to match the right policy for each type of connection coming from the same RADIUS client.
Scope FortiAuthenticator v6.X.
Solution

In the example below, a FortiGate is used as the RADIUS client, and FortiAuthenticator has the following two RADIUS policies:

  1. Policy for Firewall Admin login.
  2. Policy for Firewall IPsec VPN connection. 

 

[Figure: facradiuspolicynoat.png]

 

Without RADIUS attribute criteria, every request from this client matches the first policy: RADIUS policies are evaluated top down and the first match wins, and nothing in the first policy distinguishes an admin login from an IPsec VPN login, so the second policy is never reached.

The RADIUS attribute matching criterion can be set on any attribute present in the initial Access-Request, so either the RADIUS debug logs shown below (available at https://<fac-ip>/debug/ ) or a packet capture of the RADIUS traffic (UDP port 1812 by default) will show which attributes the RADIUS client actually sends and can therefore be matched on.

 

By adding a specific RADIUS attribute criterion to each policy (Connect-Info in this example), admin logins are processed by rule 1 and IPsec VPN logins by rule 2.

 

[Figure: facradiuspolicy.png]

 

Note:

The following debug log output only shows the key elements relevant to this example. Here the attribute 'Connect-Info' is used to match the policy, but any of the other attributes listed in the Access-Request can be used instead; NAS-Identifier is another common choice. Because these attributes are supplied by the RADIUS client, the criterion only separates request types coming from an already trusted client (one configured with the shared secret); it is a policy selector, not an authentication control.

 

RADIUS Debug logs when an admin login connection is made:

 
FAC radiusd[3229]: (23) Received Access-Request Id 34 from 192.168.48.1:3669 to 192.168.48.38:1812 length 147
FAC radiusd[3229]: (23) User-Password = <<< secret >>>
FAC radiusd[3229]: (23) User-Name = "tac.user4"
FAC radiusd[3229]: (23) NAS-Identifier = "XXXXX"
FAC radiusd[3229]: (23) Framed-IP-Address = XXXXXX
FAC radiusd[3229]: (23) NAS-Port-Type = Virtual
FAC radiusd[3229]: (23) Calling-Station-Id = "XXXXX"
FAC radiusd[3229]: (23) Acct-Session-Id = "0000155e04616001"
FAC radiusd[3229]: (23) Connect-Info = "admin-login"
FAC radiusd[3229]: (23) facauth: Found vendor 0, attr 77 <----- 'admin-login'.
FAC radiusd[3229]: (23) facauth: Found authpolicy 'Admin' for client '192.168.48.1'

RADIUS Debug logs when an IPsec connection is made:

 

FAC radiusd[3229]: (30) Received Access-Request Id 41 from 192.168.48.1:1140 to 192.168.48.38:1812 length 150
FAC radiusd[3229]: (30) User-Password = <<< secret >>>
FAC radiusd[3229]: (30) User-Name = "tac.user4"
FAC radiusd[3229]: (30) NAS-Identifier = "XXXXX"
FAC radiusd[3229]: (30) Framed-IP-Address = XXXXX
FAC radiusd[3229]: (30) NAS-Port = 3
FAC radiusd[3229]: (30) NAS-Port-Type = Virtual
FAC radiusd[3229]: (30) Calling-Station-Id = "XXXXX"
FAC radiusd[3229]: (30) Acct-Session-Id = "0000010f04bbb001"
FAC radiusd[3229]: (30) Connect-Info = "vpn-ipsec"
FAC radiusd[3229]: (30) facauth: Found vendor 0, attr 77 <----- 'vpn-ipsec'.
FAC radiusd[3229]: (30) facauth: Found authpolicy 'Ipsec' for client '192.168.48.1'
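The policy selection shown in the two debug logs above, as an added example that is not code from the Fortinet article or from FortiAuthenticator. It builds two minimal RADIUS Access-Request packets that carry the attributes from the logs (same user and client, Connect-Info 'admin-login' versus 'vpn-ipsec'), parses the attribute-value pairs back out, and runs an ordered policy table with first-match semantics, first without and then with a Connect-Info criterion. The packet layout follows RFC 2865 and the attribute numbers are the IANA-assigned ones (User-Name 1, NAS-Identifier 32, Connect-Info 77, which is the 'attr 77' in the facauth line). The policy names and client address come from the article; the NAS-Identifier value 'fgt-edge-1' (masked in the logs), the policy data structure and the function names are assumptions made for this example.

```python
"""Added example, not code from the Fortinet article or FortiAuthenticator.

Build two RADIUS Access-Requests with the attributes seen in the debug logs,
parse them, and evaluate an ordered policy table with first-match semantics,
once without and once with a Connect-Info attribute criterion.
Policy names and client IP are from the article; 'fgt-edge-1' and the policy
structure are constructed here.
"""
import os
import struct

ACCESS_REQUEST = 1
ATTR_NAMES = {1: "User-Name", 32: "NAS-Identifier", 77: "Connect-Info"}  # IANA numbers
ATTR_IDS = {name: num for num, name in ATTR_NAMES.items()}
CLIENT_IP = "192.168.48.1"  # RADIUS client address from the debug logs above


def build_access_request(identifier, attrs):
    """Encode an Access-Request from (attribute-name, string) pairs.
    User-Password is left out on purpose: hiding it needs the shared secret
    (RFC 2865 section 5.2) and it plays no part in policy selection."""
    body = b""
    for name, value in attrs:
        raw = value.encode()
        if len(raw) > 253:  # one-byte AVP length field includes the 2-byte header
            raise ValueError(f"{name} does not fit in one RADIUS attribute")
        body += struct.pack("!BB", ATTR_IDS[name], len(raw) + 2) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + os.urandom(16) + body  # 16-byte Request Authenticator


def parse_access_request(packet):
    """Decode header and AVPs, rejecting the length inconsistencies that a
    careless parser would walk straight past."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not an Access-Request or length field does not match")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        attrs[name] = packet[pos + 2:pos + alen].decode(errors="replace")
        pos += alen
    return {"id": identifier, "attrs": attrs}


def is_well_formed(packet):
    """True if parse_access_request accepts the packet."""
    try:
        parse_access_request(packet)
        return True
    except ValueError:
        return False


def match_policy(policies, client_ip, attrs):
    """Top-down, first-match evaluation as the article describes: a policy
    with no 'criteria' matches every request from one of its clients."""
    for policy in policies:
        if client_ip not in policy["clients"]:
            continue
        criteria = policy.get("criteria", {})
        if all(attrs.get(attr) == wanted for attr, wanted in criteria.items()):
            return policy["name"]
    return None  # fell through every policy


# Two requests from the same FortiGate for the same user; only Connect-Info differs.
ADMIN_REQ = build_access_request(34, [("User-Name", "tac.user4"),
                                      ("NAS-Identifier", "fgt-edge-1"),
                                      ("Connect-Info", "admin-login")])
IPSEC_REQ = build_access_request(41, [("User-Name", "tac.user4"),
                                      ("NAS-Identifier", "fgt-edge-1"),
                                      ("Connect-Info", "vpn-ipsec")])

POLICIES_NO_CRITERIA = [{"name": "Admin", "clients": {CLIENT_IP}},
                        {"name": "Ipsec", "clients": {CLIENT_IP}}]
POLICIES_WITH_CRITERIA = [
    {"name": "Admin", "clients": {CLIENT_IP}, "criteria": {"Connect-Info": "admin-login"}},
    {"name": "Ipsec", "clients": {CLIENT_IP}, "criteria": {"Connect-Info": "vpn-ipsec"}},
]


def evaluate(policies):
    """Map each sample request to the policy it lands on under 'policies'."""
    return {label: match_policy(policies, CLIENT_IP, parse_access_request(pkt)["attrs"])
            for label, pkt in (("admin-login", ADMIN_REQ), ("vpn-ipsec", IPSEC_REQ))}


if __name__ == "__main__":
    print("without criteria:", evaluate(POLICIES_NO_CRITERIA))   # both hit 'Admin'
    print("with criteria:   ", evaluate(POLICIES_WITH_CRITERIA))  # 'Admin', then 'Ipsec'
```

Without criteria both requests land on 'Admin', reproducing the problem the article describes; with the criteria the IPsec request falls past rule 1 and is caught by rule 2. A request whose Connect-Info matches neither value (an SSL VPN login, for instance) falls through every policy, so a policy set built this way needs a criterion, or a deliberate catch-all last policy, for every connection type the client can send. The same match_policy function can be fed attribute dictionaries pulled from the facauth debug lines instead of from raw packets.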