mkirollos
Staff
Article Id 213224
Description

This article describes the configuration required for FortiGate to send RADIUS accounting messages to FortiAuthenticator.

 

In this scenario, FortiGate port9 with IP x.x.x.x is connected to FortiAuthenticator port2 with IP y.y.y.y.

Scope

FortiGate and FortiAuthenticator.
Solution

Section A: FortiGate Configuration

1) FortiAuthenticator is configured as the RADIUS server, with the correct IP address and password.

 

GUI configuration:

 

mkirollos_14-1653698902155.png

 

CLI configuration:

 

FortiGate# config user radius
FortiGate(radius) # edit FAC
FortiGate(FAC) # set server y.y.y.y
FortiGate(FAC) # set secret Fortinet
FortiGate(FAC) # set nas-ip x.x.x.x
FortiGate(FAC) # end

 

2) FortiAuthenticator is configured as the RADIUS accounting server from the FortiGate CLI with the correct IP and secret password. The port number must match the FortiAuthenticator RADIUS Accounting monitor port, as in FortiAuthenticator configuration step 3.

 

FortiGate# config user radius
FortiGate(radius) # edit FAC
FortiGate(FAC) # config accounting-server
FortiGate(accounting-server) # edit 1
FortiGate(1) # set status enable
FortiGate(1) # set server y.y.y.y
FortiGate(1) # set secret ********
FortiGate(1) # set port 1646
FortiGate(1) # end
FortiGate(FAC) # end

 

Verify the applied configuration using the command below:

 

# show user radius

 

Section B: FortiAuthenticator Configuration

 

1) FortiGate is added as a RADIUS client with the correct IP address (x.x.x.x in this example) and secret password (the one used in FortiGate configuration step 2), and with 'Accept RADIUS accounting messages for usage enforcement' enabled.

 

mkirollos_15-1653698902160.png

 

2) The interface connected to FortiGate, the one with IP y.y.y.y, has RADIUS accounting monitor enabled.

 

mkirollos_16-1653698902173.png

 

 

3) Check and note the RADIUS Accounting monitor port number (the default is port 1646) and use it to configure FortiGate as per step 2 in the FortiGate configuration section.

 

mkirollos_17-1653698902175.png

 

 

After configuring all of the above, establish a test connection using a user authentication method such as FortiClient SSL-VPN. Once the connection is successful, the user's RADIUS accounting session will populate in FortiAuthenticator.

 

Note: the authentication session must be valid and in real time for the session to remain in the Active section.

 

mkirollos_18-1653698902178.png

 

To view previous sessions, select cumulative as shown below.

 

mkirollos_19-1653698902182.png
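
Added example, not part of the original article and not Fortinet code: the secret entered for the RADIUS client in Section B step 1 is the one FortiGate uses in Section A step 2, and RFC 2866 uses it to sign every Accounting-Request. This Python code computes and checks that Request Authenticator over a constructed packet, which is useful when checking a captured accounting packet against the configured secret; the function names, sample attributes and secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code for Accounting-Request


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request with its RFC 2866 Request Authenticator."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Authenticator = MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    digest = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + digest + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Return True if the packet was signed with this shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # octets past the declared length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values, not taken from the article.
SAMPLE_SECRET = b"constructed-secret"
SAMPLE_ATTRS = (
    attr(1, b"vpnuser")                     # User-Name
    + attr(4, bytes([192, 0, 2, 1]))        # NAS-IP-Address (documentation range)
    + attr(40, struct.pack("!I", 1))        # Acct-Status-Type = Start
    + attr(44, b"0000a1b2")                 # Acct-Session-Id
)
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)

if __name__ == "__main__":
    print("matching secret:  ", verify_accounting_request(SAMPLE_PACKET, SAMPLE_SECRET))
    print("mismatched secret:", verify_accounting_request(SAMPLE_PACKET, b"other-secret"))
```

RFC 2866 requires the server to silently discard an Accounting-Request whose authenticator does not verify, so a mismatched secret produces no error reply to look for.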