FortiAuthenticator provides access management and single sign on.
Article Id 197161


This article explains how to authenticate SSLVPN users against RADIUS users configured on the FortiAuthenticator. It covers both the FortiAuthenticator configuration and the FortiGate SSLVPN configuration.


Radius users should authenticate from the SSLVPN client via FortiGate.



Network structure

Client <---> FortiGate <---> FortiAuthenticator
FortiGate Internal interface IP:
FortiGate Internal External IP:
FortiAuthenticator IP:
LDAP IP address:

Expectations, Requirements


Below is an example of a remote LDAP server configuration on the FortiAuthenticator:

LDAP users need to be imported if they are to be assigned a 2FA method on the FortiAuthenticator:
Example User Group and Radius attribute configuration with the example attribute 'IT':
Note that the RADIUS attribute can be any string. It does not need to match the group name as in this example, as long as the RADIUS client has the same string in its group mapping.
Radius Client configuration on the FortiAuthenticator
The next steps in this article require FortiGate as a RADIUS Client with a matching RADIUS policy.
Make sure to configure the Filter under Identity Source to the group used for authentication. In this example, this will be the 'IT' group.
If there is no group added in the filter in the RADIUS policy, the RADIUS attributes will not be sent to the RADIUS client.
FortiGate configuration, starting with the Radius configuration
It is highly recommended to specify an authentication method when setting up a RADIUS connection on the FortiGate. If left to 'Auto', FortiGate will use PAP, MSCHAPv2, and CHAP (in that order), which may lead to failed authentication attempts on the RADIUS server.
FortiGate User Group configuration

Add the Fortinet-Group-Name RADIUS attribute string, as specified inside the FortiAuthenticator's user group setting:
Example SSLVPN configuration, binding the 'rad_grp' group to one of the web portals:
Configuring Firewall policy

FortiGate CLI configuration example


The CLI configuration, similar to the GUI configuration, should look like this:


# config user radius
    edit "radius"
        set server ""
        set secret xxxxxxxxxxx
    next
end

# config user group
    edit "rad_grp"
        set member "radius"
        config match
            edit 1
                set server-name "radius"
                set group-name "IT"
            next
        end
    next
end

# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 10433
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "rad_grp"
            set portal "full-access"
        next
    end
end

# config firewall policy
    edit 1
        set name "vpn"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "rad_grp"
    next
end


To verify the connection, run the following debug commands on the FortiGate CLI and then authenticate to the VPN with the FortiClient.


# diag debug app fnbamd -1

# diag debug enable
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in  opt=00200401 prot=11
[424] __compose_group_list_from_req-Group 'rad_grp', type 1
[617] fnbamd_pop3_start-sslvpn1
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius' for usergroup 'rad_grp' (2)
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb->
[1310] __fnbamd_rad_send-Sent radius req to server 'radius': fd=16, IP= code=1 id=86 len=120 user="sslvpn1" using PAP
[313] radius_server_auth-Timer of rad 'radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1015] __fnbamd_cfg_get_ldap_list_by_group-
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius' is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'rad_grp' passed group matching
[1060] find_matched_usr_grps-Add matched group 'rad_grp'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
[747] destroy_auth_session-delete session 7658205 (deleting authentication session after success)
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7


The FortiClient system tray should indicate the VPN has connected.
The SSLVPN web portal will show the following as a result:


Useful FNBAMD result codes in the fnbamd debug for troubleshooting:


0: Success
1: Deny
2: Challenged via RADIUS (password renewal or token is needed)
3: Timeout
4: Pending
5: Error
6: Framed IP Conflict
7: Token code is required (directly from FGT)
8: Need another token because the previous one is out of sync
9: Response Buffer is too small
10: Authentication time out
11: Max Concurrent authentication sessions are reached
12: Token code is already used.


RADIUS codes (decimal) are assigned as follows:

        1       Access-Request
        2       Access-Accept
        3       Access-Reject
        4       Accounting-Request
        5       Accounting-Response
       11       Access-Challenge
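The fnbamd debug session above and the two code tables can be read mechanically. The following is an added example (not part of this article or of any Fortinet tool) that extracts the RADIUS response code, the Fortinet-Group-Name VSA value and the final fnbamd result from constructed debug lines, then checks them against the group string configured under 'config match' on the FortiGate; the missing-VSA hint reflects the RADIUS policy filter requirement described earlier.

```python
import re

# Result code tables from the article above.
FNBAMD_RESULT = {0: "Success", 1: "Deny", 2: "Challenged via RADIUS", 3: "Timeout",
                 4: "Pending", 5: "Error", 6: "Framed IP Conflict", 7: "Token code is required",
                 8: "Need another token", 9: "Response Buffer is too small",
                 10: "Authentication time out", 11: "Max concurrent sessions reached",
                 12: "Token code is already used"}
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Constructed sample: the relevant lines of the debug session shown above.
SAMPLE = """\
[1932] handle_req-Rcvd auth req 7658205 for sslvpn1 in  opt=00200401 prot=11
[424] __compose_group_list_from_req-Group 'rad_grp', type 1
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val IT
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658205, len=2048
"""

PATTERNS = {  # field -> regex applied to each fnbamd line
    "user": r"Rcvd auth req \d+ for (\S+)",
    "radius_code": r"RADIUS resp code (\d+)",
    "vsa_group": r"FORTINET attr, type 1, val (\S+)",   # Fortinet-Group-Name VSA
    "result": r"Sending result (\d+) \(nid \d+\) for req \d+",
}

def parse_fnbamd(text):
    """Collect the fields that decide an SSLVPN RADIUS login from fnbamd debug output."""
    found = {"vsa_groups": []}
    for line in text.splitlines():
        for field, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m and field == "vsa_group":
                found["vsa_groups"].append(m.group(1))
            elif m:
                found[field] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return found

def verdict(found, expected_group="IT"):
    """Explain the outcome; expected_group is the 'group-name' string under 'config match'."""
    code = RADIUS_CODE.get(found.get("radius_code"), "no RADIUS reply (timeout or bad secret)")
    res = FNBAMD_RESULT.get(found.get("result"), "no final result")
    if found.get("radius_code") == 2 and not found["vsa_groups"]:
        hint = "Access-Accept without Fortinet-Group-Name: check the RADIUS policy filter on the FortiAuthenticator"
    elif found.get("radius_code") == 2 and expected_group not in found["vsa_groups"]:
        hint = "VSA %s does not match group-name %r on the FortiGate" % (found["vsa_groups"], expected_group)
    else:
        hint = "group matching consistent"
    return "user=%s radius=%s result=%s: %s" % (found.get("user"), code, res, hint)
```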


Here it is also possible to see some common MSCHAPv2 (error) codes that can be seen on the FortiAuthenticator side, under https://FAC_IP/debug/radius/: