markwarner
Staff
Article Id 197257

Description

This article describes the RADIUS attributes the FortiGate sends in authentication requests, which can be used to customize server-side NPS network policies or RADIUS server policies.


Scope

FortiGate, FortiAuthenticator.


Solution

SSL VPN RADIUS authentication request to an NPS server:

NAS-Identifier(32): FortiGate_48
User-Name(1): fortinet
Vendor-Specific(26) v=Microsoft(311)
Vendor-Specific(26) v=Microsoft(311)
NAS-Port(5): 1
NAS-Port-Type(61): Virtual(5)
Calling-Station-Id(31): 192.168.196.97
Acct-Session-Id(44): 522001f9
Connect-Info(77): vpn-ssl
Vendor-Specific(26) v=Fortinet, Inc.(12356)

SSL VPN RADIUS authentication request to FortiAuthenticator as the RADIUS server:

FortiAuthenticator radiusd[6616]: (1) EAP-Message = 0x02e80007031a06
FortiAuthenticator radiusd[6616]: (1) User-Name = "test.user"
FortiAuthenticator radiusd[6616]: (1) State = 0x1804ed2518ecf474bd315e15fb39e09b
FortiAuthenticator radiusd[6616]: (1) NAS-Identifier = "AHLVPNHA"
FortiAuthenticator radiusd[6616]: (1) Framed-IP-Address = 200.100.100.9
FortiAuthenticator radiusd[6616]: (1) NAS-Port = 2
FortiAuthenticator radiusd[6616]: (1) NAS-Port-Type = Virtual
FortiAuthenticator radiusd[6616]: (1) Calling-Station-Id = "200.100.100.9"
FortiAuthenticator radiusd[6616]: (1) Acct-Session-Id = "000006bf0018e00d"
FortiAuthenticator radiusd[6616]: (1) Connect-Info = "vpn-ssl"

802.11 RADIUS authentication request:

User-Name(1): fortinet
NAS-IP-Address(4): 0.0.0.0
NAS-Identifier(32): 10.156.0.57/5246-RADIUS_WiFi
Called-Station-Id(30): 12-09-0F-76-26-18:RADIUS_WiFi
NAS-Port-Type(61): Wireless-802.11(19)
NAS-Port(5): 0
Calling-Station-Id(31): 90-E7-C4-32-D3-D6
Connect-Info(77): CONNECT 0Mbps 802.11b
Acct-Session-Id(44): 5790EF44-00000CBC
Framed-MTU(12): 1400
EAP-Message(79) Last Segment[1]
State(24): 5e8407b40000013700011700fe8000000000000070bea14d...
Message-Authenticator(80): 7e1c5fba1b251ca7dcd9800f5d109eb7

Therefore, when configuring an NPS server or another RADIUS server to accept requests from the FortiGate, the following attributes can be used as policy conditions to restrict access:

Calling Station ID.
User Name.
NAS Identifier.
NAS IPv4 Address.
NAS IPv6 Address.
NAS Port Type.
Connect-Info.
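As an added illustration (not part of the original article), the Python below decodes a constructed RADIUS Access-Request carrying the same attributes as the SSL VPN example above and applies a NAS-Identifier / NAS-Port-Type / Connect-Info condition of the kind an NPS or RADIUS policy would enforce. The packet bytes, request identifier, authenticator and vendor sub-attribute are constructed here, not taken from a capture.

```python
import struct
# RADIUS attribute types present in the FortiGate requests shown above
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
              44: "Acct-Session-Id", 61: "NAS-Port-Type", 77: "Connect-Info"}
NAS_PORT_TYPES = {5: "Virtual", 19: "Wireless-802.11"}
VENDORS = {311: "Microsoft", 12356: "Fortinet, Inc."}

def build_request(attrs, ident=0x2a):
    """Build an Access-Request (code 1) from (type, value) pairs; authenticator is a constructed placeholder."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Decode the attribute list of an Access-Request into readable values (RFC 2865 TLVs)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    pos, out = 20, {}
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        v = packet[pos + 2:pos + l]
        if t == 5:                                   # integer attribute
            out["NAS-Port"] = struct.unpack("!I", v)[0]
        elif t == 61:                                # enumerated integer
            out["NAS-Port-Type"] = NAS_PORT_TYPES.get(struct.unpack("!I", v)[0], "unknown")
        elif t == 4:                                 # IPv4 address
            out["NAS-IP-Address"] = ".".join(str(b) for b in v)
        elif t == 26:                                # vendor id, then vendor sub-attributes
            vid = struct.unpack("!I", v[:4])[0]
            out.setdefault("Vendor-Specific", []).append(VENDORS.get(vid, str(vid)))
        else:                                        # string attributes
            out[ATTR_NAMES.get(t, "Attr-%d" % t)] = v.decode("utf-8", "replace")
        pos += l
    return out

def policy_allows(attrs, nas_ids, port_type, connect_info):
    """Server-side condition: only the listed NAS identifiers, this port type and this service."""
    return (attrs.get("NAS-Identifier") in nas_ids
            and attrs.get("NAS-Port-Type") == port_type
            and attrs.get("Connect-Info") == connect_info)

# Constructed packet mirroring the SSL VPN request above (attribute values from the page, bytes built here)
SSLVPN_REQ = build_request([
    (32, b"FortiGate_48"), (1, b"fortinet"), (5, struct.pack("!I", 1)),
    (61, struct.pack("!I", 5)), (31, b"192.168.196.97"), (44, b"522001f9"),
    (77, b"vpn-ssl"), (26, struct.pack("!I", 12356) + b"\x01\x08vpnusr"),  # constructed sub-attribute
])
```

Changing the expected NAS-Port-Type to "Wireless-802.11" makes policy_allows() reject the same request, which is how a policy scoped to the SSL VPN stays separate from one scoped to 802.11 clients.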

To see the exact values sent to the server, run a packet sniffer on the RADIUS authentication port (UDP 1812) on the FortiGate. For example:

diagnose sniffer packet any 'port 1812' 6 0 a

The output may be converted to a Wireshark capture and analyzed to read the RADIUS attributes: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark.
Alternatively, a capture may be taken under Network > Diagnostics on the FortiGate, or on the RADIUS server itself.
To troubleshoot connections rejected by a Windows NPS server, check the event log under 'Network Policy and Access Services'.

To troubleshoot connections rejected by a FortiAuthenticator, review the RADIUS logs at https://<FortiAuthenticator IP or FQDN>/debug -> Radius -> Authentication.
A packet capture can also be taken on the FortiAuthenticator: Technical Tip: How to run a Packet Capture with FortiAuthenticator.

Related documents:
SSL VPN with RADIUS Authentication