Debbie_FTNT
Staff & Editor
Article Id 420244
Description

 

This article explains how to understand the 'connect-info' attribute that FortiGate includes in RADIUS Access-Request messages it sends to RADIUS servers.

 

Scope

 

FortiGate, FortiProxy.

 

Solution

 

FortiGate (and FortiProxy) can use the RADIUS protocol to authenticate users or administrators under various circumstances. When sending an authentication request to a RADIUS server (Access-Request message), FortiGate includes an attribute 'connect-info' in the request that provides information on the source of the authentication request.

The 'connect-info' attribute is a standard RADIUS attribute, but its value has no fixed definition, and different vendors use it differently.

 

The 'connect-info' attribute can have these values when sent by FortiGate/FortiProxy:

 

test: FortiGate sends the RADIUS Access-Request as part of a test, either in the GUI (Test Connectivity/Credentials) or in the CLI (diagnose test authserver radius [...])
vpn-ssl: FortiGate tries to authenticate an SSL-VPN user
vpn-ipsec: FortiGate tries to authenticate a user connecting to an IPsec IKEv1 tunnel
vpn-ikev2: FortiGate tries to authenticate a user connecting to an IPsec IKEv2 tunnel
admin-login: FortiGate tries to authenticate an administrator
web-auth: FortiGate tries to authenticate a user on a portal it hosts (captive portal, proxy authentication, forward policy authentication)
CONNECT <bandwidth> <protocol>: Wi-Fi/Ethernet/802.1x-related authentication

 

An example of attributes in a test login produced with FortiGate CLI command 'diagnose test authserver radius [...]', captured on FortiAuthenticator CLI with tcpdump:

 

[Image: tcpdump capture of the attributes in the test Access-Request]
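To act on this attribute on the server side, the following added example (not part of the original article or any Fortinet code) parses a RADIUS Access-Request and maps the Connect-Info attribute (type 77, RFC 2869) to the sources listed above. The packet builder, user name and NAS identifier are constructed sample values, and the code assumes the values appear on the wire exactly as listed in this article.

```python
import struct
CONNECT_INFO = 77  # Connect-Info attribute type (RFC 2869)

# Values listed in this article, mapped to the authentication source.
SOURCES = {
    "test": "connectivity/credentials test",
    "vpn-ssl": "SSL-VPN user",
    "vpn-ipsec": "IPsec IKEv1 user",
    "vpn-ikev2": "IPsec IKEv2 user",
    "admin-login": "administrator login",
    "web-auth": "portal authentication",
}

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an Access-Request (code 1)")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def classify(packet: bytes) -> str:
    """Describe the request source from its connect-info value."""
    for atype, value in parse_attributes(packet):
        if atype == CONNECT_INFO:
            text = value.decode("ascii", "replace")
            if text.startswith("CONNECT "):
                return "Wi-Fi/Ethernet/802.1X authentication"
            return SOURCES.get(text, "unrecognized value: " + text)
    return "no connect-info attribute"

def build_request(attrs) -> bytes:
    """Build a constructed sample packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample: User-Name (1), NAS-Identifier (32), Connect-Info (77).
SAMPLE = build_request([(1, b"alice"), (32, b"FGT-LAB"), (77, b"vpn-ssl")])
```

Calling classify(SAMPLE) returns "SSL-VPN user"; a value outside the list is reported as unrecognized rather than silently accepted.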

 

Related articles:

Technical Tip: Restricting RADIUS connections based on the 'Connect Info' attribute on FortiGate and...
Technical Tip: How to match the right radius policy when multiple policy is configured for the same ...
Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6...
Technical Tip: RADIUS authentication with MAC binding
Technical Tip: RADIUS attributes sent to the server by the FortiGate as a RADIUS client