FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
matanaskovic
Staff
Article Id 192308
Description This article describes how to create an admin profile and have the RADIUS server select the appropriate profile for a RADIUS user.
Scope FortiGate, FortiAuthenticator.
Solution
1. Configure the FortiGate with the RADIUS server.

Go to User & Authentication -> Radius Server.

 

Name: FGT-Radius
Primary Server IP/Name: 10.10.10.10
Primary Server Secret: radius_secret

 

Or run the equivalent in the CLI:

 

config user radius
    edit "FGT-Radius"
        set server 10.10.10.10
        set secret radius_secret
    next
end

 

d01.png

 

Note:

Optionally, set the source IP address that the FortiGate uses when contacting the RADIUS server:

 

config user radius
    edit "FGT-Radius"
        set source-ip 192.168.1.99
    next
end

 

 

2. Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

Verify that the RADIUS server is configured to send the appropriate VSAs in its Access-Accept.

 

To return both the group membership and the access profile, the RADIUS server must send the following attributes:

 

  • Vendor: Fortinet
  • Attribute ID: Fortinet-Access-Profile 
  • Attribute ID: Fortinet-Group-Name 

 

A list of all Fortinet VSAs is available in the 'FortiGate Radius VSA Dictionary' article linked under Related articles.
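The two attributes above travel inside the standard RADIUS Vendor-Specific attribute (type 26) with Fortinet's vendor ID, and the fnbamd debug output later in this article shows the FortiGate pulling them back out as "type 6" (access profile) and "type 1" (group name). The following is an added example, not Fortinet or FortiAuthenticator code: it encodes and decodes these VSAs per RFC 2865, and `resolve_admin_profile` is a model of the behaviour this article describes (group match gates the login, `accprofile-override` decides whether the returned profile replaces the fallback), not the FortiGate implementation. The vendor ID 12356 is Fortinet's IANA enterprise number; sub-types 1 and 6 follow the Fortinet dictionary as confirmed by the debug output; all sample values are constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356      # IANA Private Enterprise Number for Fortinet
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type

# Fortinet VSA sub-types; 1 and 6 are the "type 1"/"type 6" seen in the fnbamd debug output
FORTINET_GROUP_NAME = 1
FORTINET_ACCESS_PROFILE = 6
VSA_NAMES = {FORTINET_GROUP_NAME: "Fortinet-Group-Name",
             FORTINET_ACCESS_PROFILE: "Fortinet-Access-Profile"}

def encode_fortinet_vsa(vendor_type, value):
    """Encode one Fortinet VSA as a RADIUS Vendor-Specific (26) attribute."""
    payload = value.encode("utf-8")
    # Vendor-Type, Vendor-Length (includes its own two header bytes), then the string
    sub = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body

def build_access_accept_attributes(profile, groups):
    """Attribute list an Access-Accept would carry for the setup in this article (constructed)."""
    attrs = encode_fortinet_vsa(FORTINET_ACCESS_PROFILE, profile)
    for g in groups:
        attrs += encode_fortinet_vsa(FORTINET_GROUP_NAME, g)
    return attrs

def decode_attributes(data):
    """Walk a RADIUS attribute list, returning [(type, raw_value), ...]; rejects truncated input."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def extract_fortinet_vsas(data):
    """Return {vsa_name: [values]} for Fortinet VSAs; other vendors' VSAs are skipped."""
    found = {}
    for atype, raw in decode_attributes(data):
        if atype != ATTR_VENDOR_SPECIFIC or len(raw) < 6:
            continue
        if struct.unpack("!I", raw[:4])[0] != FORTINET_VENDOR_ID:
            continue
        sub, pos = raw[4:], 0
        while pos + 2 <= len(sub):
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                break   # malformed sub-attribute: stop rather than mis-parse
            name = VSA_NAMES.get(vtype, f"Fortinet-VSA-{vtype}")
            found.setdefault(name, []).append(sub[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return found

def resolve_admin_profile(vsas, required_group, default_profile="no_access", override=True):
    """Model of the behaviour described in this article (not FortiGate code): a matching
    Fortinet-Group-Name gates the login; with accprofile-override the returned
    Fortinet-Access-Profile replaces the default profile, otherwise the default stays."""
    if required_group not in vsas.get("Fortinet-Group-Name", []):
        return None             # no matching group: login denied
    profiles = vsas.get("Fortinet-Access-Profile", [])
    if override and profiles:
        return profiles[0]
    return default_profile

if __name__ == "__main__":
    packet_attrs = build_access_accept_attributes("Radius_User_Access", ["Firewall_Admins"])
    vsas = extract_fortinet_vsas(packet_attrs)
    print(vsas, "->", resolve_admin_profile(vsas, "Firewall_Admins"))
```

With `override=False` the user still logs in (the group matched) but keeps `no_access`, which is exactly the situation the `accprofile-override enable` command in step 5 fixes.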

 

02.png

 

03.png

 

3. Create a user group on FortiGate.

 

Go to User & Authentication -> User Groups and create a Firewall group.

Under Remote Groups, select Create New and add the RADIUS server.

In the Groups field, enter the string 'Firewall_Admins' (this must match the value sent in Fortinet-Group-Name).

  • Name: Radius_group.
  • Remote Server: FGT-Radius.
  • Groups: Firewall_Admins.

 

04.png

 

05.png

 

4. Create two admin profiles.

 

Go to System -> Admin Profiles and create two profiles:

First profile:

  • Profile Name: no_access.
  • Access Control: None.

 06.png

 

Second Profile:

  • Profile Name: Radius_User_Access (the profile name must match the value sent in the Fortinet-Access-Profile attribute for the remote user on FortiAuthenticator).
  • Access Control: Specify the desired permissions.

 

07.png

 

5. Create an admin user.

  • Go to System -> Administrators.
  • Create a new admin with the type 'Match all users in a remote server group'.
  • Select the Remote User Group.
  • Select the 'no_access' profile.

 

08.png

 

Then, run the following command in the CLI to allow the profile passed down by the RADIUS server to override the current 'no_access' profile:

 

config system admin
    edit "Radius_Admins"
        set remote-auth enable
        set accprofile "no_access"
        set vdom "root"
        set wildcard enable
        set remote-group "Radius_group"
        set accprofile-override enable
    next
end

 

6. Log into FortiGate using the new RADIUS user.

cchiriches_7-1690727405841.png

cchiriches_8-1690727405841.png

7. Troubleshooting steps if this does not work as expected.

 

If the appropriate permissions are not received, run the following commands in the CLI:

 

diag debug app fnbamd -1
diag debug app radius -1
diag debug enable
diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>


A successful output will appear as follows:

 

[1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
[424] __compose_group_list_from_req-Group 'Radius_group', type 1
[617] fnbamd_pop3_start-radius_admins
[336] fnbamd_create_radius_socket-Opened radius socket 16
[336] fnbamd_create_radius_socket-Opened radius socket 17
[1372] fnbamd_radius_auth_send-Compose RADIUS request
[1332] fnbamd_rad_dns_cb-10.0.0.1->10.0.0.1
[1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=113 len=125 user="radius_admins" using PAP
[313] radius_server_auth-Timer of rad 'FGT-Radius' is added
[743] auth_tac_plus_start-Didn't find tac_plus servers (0)
[481] ldap_start-Didn't find ldap servers
[591] create_auth_session-Total 1 server(s) to try
[1381] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
[320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins

[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[1059] find_matched_usr_grps-Group 'Radius_group' passed group matching
[1060] find_matched_usr_grps-Add matched group 'Radius_group'(10)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
[747] destroy_auth_session-delete session 7658224
[2446] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
[1469] create_acct_session-Error start acct type 7
[2460] handle_req-Error creating acct session 7

diag test authserver radius FGT-Radius pap radius_admins P@ssword123

authenticate 'radius_admins' against 'pap' succeeded, server=primary assigned_rad_session_id=7658226 assigned_admin_profile=Radius_User_Access session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - Firewall_Admins
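When the login does not get the expected profile, the questions to answer from the fnbamd output are: did the server answer at all, was it an Access-Accept, did it carry both Fortinet VSAs, and did the group name match. The following is an added example, not part of this article or of FortiOS: it reads debug text of the shape shown above and reports which of those checks failed. The sample lines are constructed from the output above; the RADIUS response codes (2 Access-Accept, 3 Access-Reject, 11 Access-Challenge) are from RFC 2865.

```python
import re

# Constructed sample, modelled on the fnbamd debug lines shown in the article.
SAMPLE_DEBUG = """\
[1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
[1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP=10.0.0.1(10.0.0.1:1812) code=1 id=113 len=125 user="radius_admins" using PAP
[1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
[320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins
[1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' 10.0.0.1(1) is 0
[1331] fnbamd_radius_group_match-Passed group matching
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
"""

# RADIUS response codes (RFC 2865)
RESP_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Fortinet VSA sub-types as fnbamd prints them
VSA_TYPE_NAMES = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}

SENT_RE = re.compile(r"Sent radius req to server '([^']+)'")
RESP_RE = re.compile(r"RADIUS resp code (\d+)")
VSA_RE = re.compile(r"extract_success_vsas-FORTINET attr, type (\d+), val (\S+)")
RESULT_RE = re.compile(r"Result for radius svr '[^']+' \S+ is (\d+)")
GROUP_RE = re.compile(r"fnbamd_radius_group_match-(Passed|Failed) group matching")

def summarize_fnbamd(debug_text):
    """Pull the facts that matter for admin-profile assignment out of fnbamd debug output."""
    summary = {"server": None, "resp_code": None, "vsas": {}, "result": None, "group_match": None}
    for line in debug_text.splitlines():
        if m := SENT_RE.search(line):
            summary["server"] = m.group(1)
        elif m := RESP_RE.search(line):
            summary["resp_code"] = int(m.group(1))
        elif m := VSA_RE.search(line):
            name = VSA_TYPE_NAMES.get(int(m.group(1)), f"type {m.group(1)}")
            summary["vsas"].setdefault(name, []).append(m.group(2))
        elif m := RESULT_RE.search(line):
            summary["result"] = int(m.group(1))
        elif m := GROUP_RE.search(line):
            summary["group_match"] = (m.group(1) == "Passed")
    return summary

def diagnose(summary, expected_profile, expected_group):
    """Return a list of findings; an empty list means the exchange looks right."""
    findings = []
    if summary["resp_code"] is None:
        # A server that disagrees on the shared secret silently drops the request,
        # so "no response" covers reachability, source-ip and secret problems alike.
        findings.append("no RADIUS response logged: check server IP, UDP/1812 reachability, "
                        "shared secret and source-ip")
        return findings
    code = summary["resp_code"]
    if code != 2:
        findings.append(f"server answered {RESP_CODES.get(code, code)}, not Access-Accept")
        return findings
    groups = summary["vsas"].get("Fortinet-Group-Name", [])
    if expected_group not in groups:
        findings.append(f"Fortinet-Group-Name {groups or 'missing'} does not include "
                        f"'{expected_group}' configured in the FortiGate user group")
    profiles = summary["vsas"].get("Fortinet-Access-Profile", [])
    if not profiles:
        findings.append("no Fortinet-Access-Profile VSA: the admin keeps the fallback profile (no_access)")
    elif expected_profile not in profiles:
        findings.append(f"Fortinet-Access-Profile {profiles} does not name the admin profile "
                        f"'{expected_profile}' defined on the FortiGate")
    if summary["group_match"] is False or summary["result"] not in (None, 0):
        findings.append(f"fnbamd reported failure (group_match={summary['group_match']}, "
                        f"result={summary['result']})")
    return findings

if __name__ == "__main__":
    s = summarize_fnbamd(SAMPLE_DEBUG)
    print(s)
    print(diagnose(s, "Radius_User_Access", "Firewall_Admins") or "all checks passed")
```

Paste the real debug output into `summarize_fnbamd` and pass the profile and group names you configured in steps 3 and 4; a finding about the profile name usually means a case or spelling mismatch between the FortiAuthenticator attribute value and the FortiGate admin profile.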

Related articles:

Technical Tip: Fortinet RADIUS attribute.

Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes).