FortiGate steps:

1. Create a new admin profile (In this example, a read-only profile has been used).

Create the admin profile with the privileges needed.

Note: The name of this profile must be the exact name used in the FortiAuthenticator step 2 (creating group – RADIUS attributes).

2. Create a RADIUS Server:
   Create a RADIUS Server. In this case, FortiAuthenticator is acting as a RADIUS server.

   
   Note: Verify this with Step 1 on FortiAuthenticator.

    

   

    

    

3. This step should be completed after step 3 on FortiAuthenticator.

   Create a group on FortiGate that matches the remote server. Note that it is necessary to specify the remote server group name, which is the same name as the Group created on FortiAuthenticator.

    

   

    

    

4. Create a new admin user with a wild card enabled to match the group created FortiAuthenticator, so any user that is added to the FortiAuthenticatorgroup will be able to access the FortiGate with the privilege associated with the RADIUS attribute:

    

FortiAuthenticator Steps:

Assumption: LDAP server config already exists and remote users are imported to FortiAuthenticator.

1. Configure FortiGate client:

2. Configure user group (This is the basic step where RADIUS attributes are matched).

   The name of this group is the same used as a RADIUS attribute ‘Fortinet-Group-Name’.

   The ‘Fortinet-Access-Profile’ attribute must be exactly the same name as the admin profile created in the Step 1 FortiGate configuration.
   
   

   In this step, select users from LDAP who want to allow access to the FortiGate.

    

   

    

    

3. Configure RADIUS policies:

    

   

    

    

   

    

4. By default, the RADIUS service is not enabled in the interfaces. Therefore, go through the following path:
   System -> Network -> Interfaces, select the interface and enable the RADIUS service.

Related article:

Technical Tip: Remote admin login with Radius selecting admin access account profile