FortiGate
ayluht
Staff
Article Id 349780
Description

This article describes a solution for a situation where, even though the custom NAS-ID is configured, FortiGate is still sending the hostname as the NAS-ID in 7.2.x versions.

Scope

FortiGate.
Solution

As a new feature in v7.2.0, the RADIUS NAS-ID type can be set to either custom or hostname, so that FortiGate can send the configured NAS-ID in its Access-Request.

 

config user radius
    edit <server>
        set nas-id-type custom
        set nas-id Fortinas
    next
end

 

The Wireshark capture below shows FortiGate sending the hostname as the NAS-ID, which is not expected.

 

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 124
    Authenticator: abc3946e1e24169150998e772ef3669e
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=13 val=z0089twofafw
            Type: 32
            Length: 13
            NAS-Identifier: z0089twofafw


In 7.2.x versions, this new feature is supported only for wireless authentication. For other authentication methods, the custom NAS-ID feature is supported in v7.4.2 and above. To use a custom NAS-ID with any other authentication method, upgrade to v7.4.2 or above.
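
To confirm the behavior after a configuration change or upgrade, the NAS-Identifier (attribute 32) can be read straight from the Access-Request payload and compared with the configured nas-id. The following is an added example, not Fortinet code: the function names are hypothetical, and the sample packets are constructed (zeroed Authenticator, a made-up User-Name) rather than taken from the capture above.

```python
import struct

ACCESS_REQUEST = 1   # RADIUS code, as in "Code: Access-Request (1)"
NAS_IDENTIFIER = 32  # attribute type, as in "t=NAS-Identifier(32)"

def parse_avps(packet: bytes):
    """Return [(type, value), ...] from a raw RADIUS packet (the UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the data received")
    avps, pos = [], 20                      # attributes follow the Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        avps.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return avps

def check_nas_id(packet: bytes, expected: str):
    """Return (matches, value_sent) for the NAS-Identifier in an Access-Request."""
    avps = parse_avps(packet)               # validates the header first
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    for a_type, value in avps:
        if a_type == NAS_IDENTIFIER:
            sent = value.decode("utf-8", "replace")
            return sent == expected, sent
    return False, None                      # attribute absent from the request

def build_request(nas_id: str) -> bytes:
    """Constructed sample: Access-Request with User-Name(1) and NAS-Identifier."""
    avps = b""
    for a_type, val in ((1, b"testuser"), (NAS_IDENTIFIER, nas_id.encode())):
        avps += bytes([a_type, len(val) + 2]) + val
    header = struct.pack("!BBH", ACCESS_REQUEST, 0, 20 + len(avps))
    return header + bytes(16) + avps        # zeroed Authenticator (constructed)

if __name__ == "__main__":
    # Hostname sent (the 7.2.x non-wireless case) vs. the configured custom value.
    for sent in ("z0089twofafw", "Fortinas"):
        print(sent, check_nas_id(build_request(sent), "Fortinas"))
```
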