dwickramasinghe1
Article Id 371131
Description: This article describes how the 'Connect-Info' RADIUS attribute can be used to restrict RADIUS connections with FortiAuthenticator.
Scope: FortiGate, FortiAuthenticator, RADIUS.
Solution:

FortiGate can use a RADIUS server as an external authentication server. FortiAuthenticator can act as that RADIUS server and authenticate users for FortiGate logins (VPN connections, admin logins, ZTNA, etc.).

In some cases, it is necessary to restrict specific RADIUS logins depending on the login type (IPsec, SSL VPN, admin login, ZTNA login).

When a FortiGate generates an Access-Request packet, it adds the 'Connect-Info' attribute to the packet.

The examples below show the difference between an SSL VPN Access-Request and an IPsec Access-Request.


When the FortiGate receives a RADIUS login for an IPsec connection, it will generate a RADIUS Access-Request packet with the following Attribute:

Connect-Info: vpn-ikev2


[Screenshot: RadiusIKEConnect.png]


When the FortiGate generates an Access-Request for an SSL VPN RADIUS login, it uses the following Connect-Info Attribute:


Connect-Info: vpn-ssl

[Screenshot: AccessRequestSSL.jpg]

The 'Connect-Info' information can be used on the FortiAuthenticator RADIUS policy to restrict logins based on the desired attribute.

The example below will allow IPsec logins, but block SSL VPN logins based on the 'Connect-Info' attribute.

FortiAuthenticator GUI -> Authentication -> RADIUS Service -> Policies -> Select the desired RADIUS Policy.

[Screenshot: FACRADIUS.jpg]

Select Next and enable the following option: 'RADIUS Authentication Request must contain specific attributes.'


From here, select 'Add Matching RADIUS Attribute'.
Ensure that the vendor is configured as 'Default', select the 'Connect-Info' attribute, and set the value to 'vpn-ikev2'.

[Screenshot: Test123.png]

Attempt an SSL VPN login with the desired RADIUS user and confirm that the authentication fails because the Connect-Info attribute ('vpn-ssl') does not match the RADIUS policy.

[Screenshot: RADIUSFail.jpg]

FortiAuthenticator debug logs can be found at https://<FortiAuthenticator-IP>/debug.

Attempt an IPsec login with the desired RADIUS user and confirm that the authentication succeeds.

[Screenshot: SuccessIke.png]
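The following Python script is an added illustration and is not part of this article or of any Fortinet product code. It builds minimal RADIUS Access-Request packets carrying the standard Connect-Info attribute (type 77, RFC 2869) with the 'vpn-ikev2' and 'vpn-ssl' values shown above, parses the attributes back out, and applies a policy check that mirrors the FortiAuthenticator option 'RADIUS Authentication Request must contain specific attributes'. The packet layout and attribute types are the standard ones; the function names, the user name 'alice' and the omission of password attributes are assumptions made for the example.

```python
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CONNECT_INFO = 77  # standard ('Default' vendor) attribute, e.g. 'vpn-ikev2' or 'vpn-ssl'
HEADER_LEN = 20         # code(1) + identifier(1) + length(2) + authenticator(16)


def build_access_request(username, connect_info=None, identifier=1):
    """Build a minimal Access-Request with User-Name and (optionally) Connect-Info.
    Password attributes are left out on purpose: only Connect-Info matters here."""
    authenticator = os.urandom(16)  # request authenticator, random per RFC 2865
    attrs = b""
    fields = [(ATTR_USER_NAME, username)]
    if connect_info is not None:
        fields.append((ATTR_CONNECT_INFO, connect_info))
    for attr_type, value in fields:
        data = value.encode()
        if len(data) > 253:  # attribute length is one byte, including the 2-byte header
            raise ValueError("attribute value too long")
        attrs += struct.pack("!BB", attr_type, len(data) + 2) + data
    total_len = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, total_len) + authenticator + attrs


def parse_attributes(packet):
    """Return {attr_type: [value_bytes, ...]} for a RADIUS packet, rejecting malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def policy_allows(packet, required):
    """Emulate 'RADIUS Authentication Request must contain specific attributes':
    every required (type, value) pair must be present with an exact match,
    so a request that lacks Connect-Info entirely is rejected as well."""
    attrs = parse_attributes(packet)
    for attr_type, value in required.items():
        if value.encode() not in attrs.get(attr_type, []):
            return False
    return True


# Policy from the article: allow IPsec (IKEv2) logins only
IPSEC_ONLY_POLICY = {ATTR_CONNECT_INFO: "vpn-ikev2"}


def evaluate(username, connect_info):
    """True if a request for this login type would pass the IPsec-only policy."""
    return policy_allows(build_access_request(username, connect_info), IPSEC_ONLY_POLICY)


if __name__ == "__main__":
    # Constructed sample logins: an IPsec and an SSL VPN request for the same user
    for login_type in ("vpn-ikev2", "vpn-ssl", None):
        verdict = "policy matched" if evaluate("alice", login_type) else "policy not matched (reject)"
        print("Connect-Info=%r -> %s" % (login_type, verdict))
```

Because Connect-Info is written by the NAS (the FortiGate) rather than by the user, the check is only as trustworthy as the RADIUS client that sent it; the shared secret configured on the FortiAuthenticator RADIUS client entry is what ties a request to a known FortiGate, and the debug page mentioned above shows which attribute failed to match when a request is rejected.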