Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
matanaskovic
Staff
Staff

Created on ‎07-18-2019 06:29 AM Edited on ‎04-07-2025 06:57 AM By Moderator

Article Id 197161

Technical Tip: RADIUS authentication with FortiAuthenticator

Description


This article explains how to authenticate SSL VPN using RADIUS users, which is configured on FortiAuthenticator, which includes FortiAuthenticator configuration and FortiGate SSL VPN Configuration.

Scope


Radius users should authenticate from the SSL VPN client via FortiGate.

Solution

 

Network structure.


Client (10.0.0.99) <---> (10.0.0.254) FortiGate <--> (10.0.0.1) FortiAuthenticator.
FortiGate Internal interface IP: 10.0.0.254.
FortiGate Internal External IP: 10.5.21.14.
FortiAuthenticator IP: 10.0.0.1.
SSLVPN Client IP: 10.0.0.99.
LDAP IP address: 10.0.0.100.

Expectations, Requirements.

 

Below is an example of a remote LDAP server configuration on the FortiAuthenticator:

 
 
LDAP users need to be imported if being assigned a 2FA method on the FortiAuthenticator:
 
 
Example User Group and Radius attribute configuration with the example attribute 'IT':
 
 
Note that the RADIUS attribute can be any string. It does not need to match the group name as in this example, as long as the RADIUS client has the same string in its group mapping.
 
Radius Client configuration on the FortiAuthenticator.
 
The next steps in this article require FortiGate as a RADIUS Client with a matching RADIUS policy.
Make sure to configure the Filter under Identity Source to the group used for authentication. In this example, this will be the 'IT' group.
If there is no group added in the filter in the RADIUS policy, the RADIUS attributes will not be sent to the RADIUS client.
 
 
 
 
 
 

Note: If there is a mobile FortiToken assigned to a dedicated user and there is a need to receive push notifications, then there is a need to enable the 'Allow FortiToken Mobile push notification" option under "All configured password and OTP factors'.
 
Screenshot 2025-04-07 122951.png

 

 
FortiGate configuration, starting with the Radius configuration.
 
 
It is highly recommended to specify an authentication method when setting up a RADIUS connection on the FortiGate. If left to 'Auto', FortiGate will use PAP, MSCHAPv2, and CHAP (in that order), which may lead to failed authentication attempts on the RADIUS server.
 
FortiGate User Group configuration.
Add the Fortinet-Group-Name RADIUS attribute string, as specified inside the FortiAuthenticator's user group setting:
 
 
 
Example SSL VPN configuration, binding the 'rad_grp' to one of the web portals:
 
 
 
Configuring Firewall policy.
 
 


FortiGate CLI configuration example.

 

The CLI configuration, similar to the GUI configuration, should look like this:

 

config user radius
    edit "radius"
        set server "10.0.0.1"
        set secret xxxxxxxxxxx
    next
end

config user group
    edit "rad_grp"
        set member "radius”

            config match
                edit 1
                    set server-name "radius"
                    set group-name "IT"
                next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1”
    set port 10433
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"

        config authentication-rule
            edit 1
                set groups "rad_grp"
                set portal "full-access"
            next
end

config firewall policy
    edit 1
        set name "vpn"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "rad_grp"
    next
end


Verification.


To verify the connection, run the following debug commands on the FortiGate CLI and then authenticate to the VPN with the FortiClient.

 

diagnose debug app fnbamd -1

diagnose debug enable
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in  opt=00200401 prot=11
[424] __compose_group_list_from_req-Group 'rad_grp', type 1
[617] fnbamd_pop3_start-sslvpn1
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius' for usergroup 'rad_grp' (2)
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=86 len=120 user="sslvpn1" using PAP
[313] radius_server_auth-Timer of rad 'radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'rad_grp' passed group matching
[1060] find_matched_usr_grps-Add matched group 'rad_grp'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
[747] destroy_auth_session-delete session 7658205 (deleting authentication session after success)
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7

 

The FortiClient system tray should indicate that the VPN has connected.
The SSLVPN Web portal will show the following as a result:

 

Useful FNBAMD result codes in the fnbamd debug for troubleshooting:

 

0: Success
1: Deny
2: Challenged via RADIUS (password renewal or token is needed)
3: Timeout
4: Pending
5: Error
6: Framed IP Conflict
7: Token code is required (directly from FGT)
8: Need another token due to the previous one is out of sync
9: Response Buffer is too small
10: Authentication time out
11: Max Concurrent authentication sessions are reached
12: Token code is already used.

 

RADIUS codes (decimal) are assigned as follows:

 

        1       Access-Request
        2       Access-Accept
        3       Access-Reject
        4       Accounting-Request
        5       Accounting-Response
       11       Access-Challenge

 

Here, it is also possible to see some usual (error) mschapv2 codes that can be seen on the FortiAuthenticator side, under https://FAC_IP/debug/radius/:

 

646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD

21569
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.