FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
GeorgeZhong
Staff
Article Id 415245
Description: This article describes a known issue in FortiAuthenticator where the RADIUS Client configuration cannot be retrieved through a REST API call when using an admin account with a custom admin profile.
Scope: FortiAuthenticator v6.6.5 and earlier, REST API.
Solution

Background:

FortiAuthenticator provides a Representational State Transfer (REST) API that allows administrators and applications to retrieve or modify system data over HTTP, the same protocol used by web browsers. The REST API is included with the product and requires no additional cost or licensing.

The detailed REST API Solution Guide can be found below: The FortiAuthenticator API

All resource URLs take the form below. The current API version is v1.
https://[server_name]/api/[api_version]/[resource]/

The URL for each resource can be found below: Resource Summary

FortiAuthenticator supports custom admin profiles that restrict configuration access to specific areas. Each REST API resource requires a specific Permission Code corresponding to its configuration object. Details of the custom admin profile, and the Permission Code and Base URL required for each resource name, can be found below: Authorization and Permissions

As per the document, to access the RADIUS Client configuration, the API URL is: https://<FAC_FQDN>/api/v1/radiusclients/

The admin account must have read access to RADIUS Clients, which is included in the predefined RADIUS Services permission set.

Issue detail:

An administrator (apiadmin) was configured with a custom admin profile that included the RADIUS Services permission set.

However, REST API calls to retrieve the RADIUS Client configuration failed with an HTTP 401 Unauthorized error, meaning access was denied even though the account held the required permission.

C:\Users\gzhong>curl -k -v -u "apiadmin:R1GVS85hOuw9XNO7bzovU6gsZNSEaihr3MueNZEV" https://10.56.241.223/api/v1/radiusclients/
* Trying 10.56.241.223:443...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to 10.56.241.223 (10.56.241.223) port 443
* using HTTP/1.x
* Server auth using Basic with user 'apiadmin'
> GET /api/v1/radiusclients/ HTTP/1.1
> Host: 10.56.241.223
> Authorization: Basic YXBpYWRtaW46UjFHVlM4NWhPdXc5WE5PN2J6b3ZVNmdzWk5TRWFpaHIzTXVlTlpFVg==
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Date: Mon, 01 Sep 2025 12:48:00 GMT
< Content-Length: 0
< Content-Security-Policy: object-src 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'self'; script-src 'self'
< X-Frame-Options: SAMEORIGIN
< Vary: Accept-Language,Cookie
< Content-Language: en
< X-Content-Type-Options: nosniff
< Referrer-Policy: strict-origin-when-cross-origin
< Cross-Origin-Opener-Policy: same-origin
< Set-Cookie: device_id=040c5d6a-35e4-4e45-a3d9-728d2825a773; expires=Tue, 01 Sep 2026 12:48:00 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=None; Secure
< Permissions-Policy: fullscreen=(self)
< Content-Type: text/html; charset=utf-8
<
* Connection 0 to host 10.56.241.223 left intact

Other API calls using the same credentials, for example, retrieving local users, succeeded without issue:

C:\Users\gzhong>curl -k -v -u "apiadmin:R1GVS85hOuw9XNO7bzovU6gsZNSEaihr3MueNZEV" https://10.56.241.223/api/v1/localusers/
* Trying 10.56.241.223:443...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to 10.56.241.223 (10.56.241.223) port 443
* using HTTP/1.x
* Server auth using Basic with user 'apiadmin'
> GET /api/v1/localusers/ HTTP/1.1
> Host: 10.56.241.223
> Authorization: Basic YXBpYWRtaW46UjFHVlM4NWhPdXc5WE5PN2J6b3ZVNmdzWk5TRWFpaHIzTXVlTlpFVg==
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Mon, 01 Sep 2025 12:46:17 GMT
< Content-Length: 2686
< Fac-Api-Version: 6.6.4-1767(GA) 20230123
< Vary: Accept,Accept-Language,Cookie,Accept-Encoding
< Cache-Control: no-cache
< Content-Security-Policy: object-src 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'self'; script-src 'self'
< X-Frame-Options: SAMEORIGIN
< Content-Language: en
< X-Content-Type-Options: nosniff
< Referrer-Policy: strict-origin-when-cross-origin
< Cross-Origin-Opener-Policy: same-origin
< Set-Cookie: device_id=95fe485b-40c3-4f30-b1d5-f7fde0919b5f; expires=Tue, 01 Sep 2026 12:46:17 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=None; Secure
< Permissions-Policy: fullscreen=(self)
< Content-Type: application/json
<
{"meta": {"limit": 20, "next": null, "offset": 0, "previous": null, "total_count": 4}, "objects": [{"active": true, "address": "", "change_password": false, "city": "", "company": "", "country": "", "custom1": "", "custom2": "", "custom3": "", "department": "", "email": "", "expires_at": "", "fido": false, "first_name": "", "ftk_only": false, "ftm_act_method": "email", "id": 2, "is_locked": false, "last_name": "", "mail_host": "", "mail_routing_address": "", "mobile_number": "", "phone_number": "", "reason": null, "recovery_by_question": false, "resource_uri": "/api/v1/localusers/2/", "state": "", "token_auth": false, "token_fas": false, "token_serial": "", "token_type": "", "user_groups": [], "username": "ldapadmin"}, {"active": true, "address": "", "change_password": false, "city": "", "company": "", "country": "", "custom1": "", "custom2": "", "custom3": "", "department": "", "email": "test@gmail.com", "expires_at": "", "fido": false, "first_name": "", "ftk_only": false, "ftm_act_method": "email", "id": 4, "is_locked": false, "last_name": "", "mail_host": "", "mail_routing_address": "", "mobile_number": "", "phone_number": "", "reason": nu

When the same administrator was assigned the Full Permission profile, the RADIUS Client configuration could be retrieved successfully:

C:\Users\gzhong>curl -k -v -u "apiadmin:R1GVS85hOuw9XNO7bzovU6gsZNSEaihr3MueNZEV" https://10.56.241.223/api/v1/radiusclients/
* Trying 10.56.241.223:443...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to 10.56.241.223 (10.56.241.223) port 443
* using HTTP/1.x
* Server auth using Basic with user 'apiadmin'
> GET /api/v1/radiusclients/ HTTP/1.1
> Host: 10.56.241.223
> Authorization: Basic YXBpYWRtaW46UjFHVlM4NWhPdXc5WE5PN2J6b3ZVNmdzWk5TRWFpaHIzTXVlTlpFVg==
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Mon, 01 Sep 2025 12:52:19 GMT
< Content-Length: 1291
< Fac-Api-Version: 6.6.4-1767(GA) 20230123
< Vary: Accept,Accept-Language,Cookie,Accept-Encoding
< Cache-Control: no-cache
< Content-Security-Policy: style-src 'self' 'unsafe-inline'; script-src 'self'; base-uri 'self'; default-src 'self'; object-src 'none'
< X-Frame-Options: SAMEORIGIN
< Content-Language: en
< X-Content-Type-Options: nosniff
< Referrer-Policy: strict-origin-when-cross-origin
< Cross-Origin-Opener-Policy: same-origin
< Set-Cookie: device_id=4c364d8f-3221-434a-add9-f94e56b6f5b9; expires=Tue, 01 Sep 2026 12:52:19 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=None; Secure
< Permissions-Policy: fullscreen=(self)
< Content-Type: application/json
<
{"meta": {"limit": 20, "next": null, "offset": 0, "previous": null, "total_count": 5}, "objects": [{"accounting_usage": false, "address": "10.56.240.221", "disconnect": false, "include_acct_session_id": false, "name": "2B", "policies": [], "require_message_authenticator": false, "resource_uri": "/api/v1/radiusclients/6/"}, {"accounting_usage": false, "address": "10.56.242.202", "disconnect": false, "include_acct_session_id": false, "name": "FGT", "policies": [], "require_message_authenticator": true, "resource_uri": "/api/v1/radiusclients/1/"}, {"accounting_usage": false, "address": "192.168.92.34", "disconnect": false, "include_acct_session_id": false, "name": "LabFWF", "policies": [], "require_message_authenticator": true, "resource_uri": "/api/v1/radiusclients/4/"}, {"accounting_usage": false, "address": "10.56.241.134", "disconnect": false, "include_acct_session_id": false, "name": "KVM06", "policies": ["/api/v1/radiuspolicies/14/"], "require_message_authenticator": false, "resource_uri": "/api/v1/radiusclients/7/"}, {"accounting_usage": true, "address": "10.56.245.12", "disconnect": false, "include_acct_session_id": false, "name": "site1", "policies": ["/api/v1/radiuspolicies/14/"], "require_message_authenticator": true, "resource_uri": "/api/v1/radiusclients/8/"}]}* Connection 0 to host 10.56.241.223 left intact

This indicates the REST API incorrectly enforces access restrictions for the RADIUS Client resource when using custom admin profiles, even when the relevant permissions are granted.

Resolution:

This issue has been acknowledged by Fortinet Engineering under Bug ID: 1198196. It will be resolved in FortiAuthenticator v6.6.7, where RADIUS Client configuration retrieval will function correctly for admin accounts with Read-Only access to RADIUS Services.

As a workaround in FortiAuthenticator v6.6.6 and earlier versions, use an admin account with Full Permission to perform RADIUS Client REST API queries.
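To check which resources a given admin account can actually read, and to tell this known issue apart from a genuine permission gap in the profile, the following added Python script (not Fortinet's code) repeats the curl probes above with Basic auth and reads the Fac-Api-Version header to decide whether the build is older than the 6.6.7 fix. The host, user and API key passed to probe() are placeholders you supply.

```python
"""Added example (not Fortinet code): probe FortiAuthenticator REST resources with one
admin account and tell Bug ID 1198196 (fixed in v6.6.7) apart from an ordinary 401."""
import base64
import re
import ssl
import urllib.error
import urllib.request

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")  # e.g. "6.6.4-1767(GA) 20230123"
FIXED_IN = (6, 6, 7)  # release named in the Resolution section

def parse_fac_version(header):
    """(major, minor, patch) from a Fac-Api-Version header value."""
    m = _VER_RE.match(header.strip())
    if not m:
        raise ValueError(f"unrecognised Fac-Api-Version: {header!r}")
    return tuple(int(x) for x in m.groups())

def classify(resource, status, version):
    """Label one probe result. A 401 on radiusclients from a build older than
    the fix is the known issue, not a real gap in the admin profile."""
    if status == 200:
        return "ok"
    if status == 401:
        if resource == "radiusclients" and version and version < FIXED_IN:
            return "known-issue-1198196"
        return "denied"
    return f"http-{status}"

def probe(base_url, user, api_key, resources, verify_tls=True):
    """GET <base_url>/api/v1/<resource>/ with Basic auth and return {resource: label}.
    List a readable resource first: the 401 reply carries no Fac-Api-Version header."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # the equivalent of curl -k; lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{api_key}".encode()).decode()
    version, results = None, {}
    for res in resources:
        req = urllib.request.Request(f"{base_url}/api/v1/{res}/", headers={
            "Authorization": f"Basic {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                status, hdr = resp.status, resp.headers.get("Fac-Api-Version")
                version = parse_fac_version(hdr) if hdr else version
        except urllib.error.HTTPError as err:
            status = err.code  # 401 here is what the article documents
        results[res] = classify(res, status, version)
    return results
```

Calling probe("https://<FAC_FQDN>", "apiadmin", "<api_key>", ["localusers", "radiusclients"]) on an affected build yields {"localusers": "ok", "radiusclients": "known-issue-1198196"}; after the fix, or with the Full Permission profile, both come back "ok".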