FortiGate
dbhavsar
Staff
Article Id 270228
Description

This article describes how to use RADIUS authentication from external resources that are behind the FortiGate VLAN.

 

RADIUS-network-topology.jpg

Scope

FortiGate v6 and above.
Solution
  • Below is an example showing an external AP requesting RADIUS authentication from behind the FortiGate. Here, it is not necessary to configure the RADIUS server on the FortiGate itself.
  • However, it is necessary to create the virtual IP on the FortiGate that forwards the RADIUS requests to the server.
  • Set up the following configuration to create a virtual IP on the FortiGate:


RADIUS-VIP.jpg

Below is the policy that must be created on the FortiGate to allow the RADIUS traffic:


RADIUS-Policy.jpg


Furthermore, configure the RADIUS client on the RADIUS server. The client IP will be the VLAN IP address.
Navigate to Server Manager -> Tools -> Network Policy Server -> RADIUS Client, then right-click and create a RADIUS client. Here, 192.168.100.254 is the VLAN's interface IP address.


RADIUS-client.jpg

NOTE: Using 'ALL' as a source in the policy is not best practice. If a known external IP is available, use it instead.
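
A CLI sketch of the virtual IP and policy described above, with the policy source restricted to a known AP address as the note recommends. This is an added example, not the configuration from the article's screenshots. The object names, the interface names (wan1, vlan100), the external addresses, the server address 192.168.100.10 and the use of UDP 1812 with source NAT on the policy are assumptions; only 192.168.100.254 comes from the article. Remove the comment lines before pasting.

```fortios
# Constructed address object: the known public IP of the external AP.
config firewall address
    edit "ext-ap-01"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Virtual IP: forward only RADIUS authentication (UDP 1812) to the server.
# extip and mappedip are constructed sample addresses.
config firewall vip
    edit "vip-radius-auth"
        set extintf "wan1"
        set extip 198.51.100.20
        set portforward enable
        set protocol udp
        set extport 1812
        set mappedip "192.168.100.10"
        set mappedport 1812
    next
end

# Policy: the source is the known AP object instead of "all".
# With NAT enabled, the server sees the VLAN interface IP
# (192.168.100.254) as the RADIUS client address.
config firewall policy
    edit 0
        set name "ext-ap-to-radius"
        set srcintf "wan1"
        set dstintf "vlan100"
        set srcaddr "ext-ap-01"
        set dstaddr "vip-radius-auth"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
        set logtraffic all
    next
end
```

With `logtraffic all`, every forwarded RADIUS request appears in the forward traffic log, which makes requests from unexpected sources easy to spot.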
