FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 226728
Description This article describes how to administratively access FortiNAC using an external RADIUS server such as FortiAuthenticator.
Scope FortiNAC, FortiAuthenticator.
Solution

1) First, add FortiAuthenticator to FortiNAC under Network -> RADIUS Proxy.
2) Set FortiAuthenticator as the 'Default for Primary RADIUS Server'.
3) Create a new user on FortiNAC under Users & Hosts -> Administrators -> Users. This username must match the username configured on FortiAuthenticator; otherwise authentication fails.
4) On FortiAuthenticator, create a local user and assign it to a user group.
5) Add FortiNAC as a RADIUS client on FortiAuthenticator. The client entry must use the address FortiNAC sends its requests from and the same shared secret entered in step 1; FortiAuthenticator matches an incoming request to a client by source IP (the 'Found authclient' line in the debug log below).
6) Then create a RADIUS policy that allows authentication for that local user group.
7) The user now authenticates to FortiNAC successfully.
FortiAuthenticator RADIUS debug log for the successful login:


2022-10-14T08:15:44.943858-07:00 FortiAuthenticator radiusd[27383]: (3) Received Access-Request Id 57 from 192.168.x.x:47221 to 192.168.x.x:1812 length 81
2022-10-14T08:15:44.943887-07:00 FortiAuthenticator radiusd[27383]: (3) User-Name = "hawada"
2022-10-14T08:15:44.943897-07:00 FortiAuthenticator radiusd[27383]: (3) User-Password: ******
2022-10-14T08:15:44.943936-07:00 FortiAuthenticator radiusd[27383]: (3) NAS-Port = 36123
2022-10-14T08:15:44.943947-07:00 FortiAuthenticator radiusd[27383]: (3) NAS-Identifier = "xxx.forti.lab"
2022-10-14T08:15:44.943957-07:00 FortiAuthenticator radiusd[27383]: (3) NAS-IP-Address = 192.168.x.x
2022-10-14T08:15:44.944001-07:00 FortiAuthenticator radiusd[27383]: (3) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-10-14T08:15:44.944163-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: ===>NAS IP:192.168.x.x
2022-10-14T08:15:44.944187-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: ===>Username:hawada
2022-10-14T08:15:44.944204-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: ===>Timestamp:1665760544.943205, age:0ms
2022-10-14T08:15:44.945745-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Found authclient from preloaded authclients list for 192.168.x.x: FNAClatest (192.168.x.x)
2022-10-14T08:15:44.948057-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Found authpolicy 'FNAC-Access' for client '192.168.x.x

2022-10-14T08:15:44.950023-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Authentication OK
2022-10-14T08:15:44.950030-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Setting 'Post-Auth-Type := FACAUTH'
2022-10-14T08:15:44.950626-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Updated auth log 'hawada': Local user authentication with no token successful
2022-10-14T08:15:44.950653-07:00 FortiAuthenticator radiusd[27383]: (3) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-10-14T08:15:44.950666-07:00 FortiAuthenticator radiusd[27383]: (3) Sent Access-Accept Id 57 from 192.168.x.x:1812 to 192.168.x.x:47221 length 0

To log in with a two-factor authentication (2FA) user configured on FortiAuthenticator, do the following:

1) Create a local user on FortiNAC with the same username as the 2FA user on FortiAuthenticator (an LDAP user in this case) and leave its authentication type as Local for now.
2) Log in to FortiNAC with this local user and accept the policy and terms.
3) Then switch the user's authentication type on FortiNAC to 'RADIUS'.
4) The user can now log in to FortiNAC administratively with the password and token concatenated in the single password field (password+token, for example 'P@ssword<token>').
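The exchange that the debug log above records, and the password+token form used for 2FA users, as an added Python example (not FortiNAC or FortiAuthenticator code): the FortiNAC side builds an RFC 2865 Access-Request carrying the attributes seen in the log (User-Name, User-Password, NAS-Port, NAS-Identifier, NAS-IP-Address) with the password hidden under the shared secret; the FortiAuthenticator side looks the RADIUS client up by source IP, recovers the password, checks it, and returns an Access-Accept or Access-Reject whose Response Authenticator FortiNAC verifies. The client table, user entries, addresses, shared secret and 6-digit token length are constructed, and splitting the trailing token digits off the concatenated password is an assumption about how the server treats 'password+token', not something the article states.

```python
"""RADIUS PAP exchange between FortiNAC (the NAS) and FortiAuthenticator (the server)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_IDENTIFIER = 1, 2, 4, 5, 32
TOKEN_LEN = 6  # assumption: 2FA users append a 6-digit OTP to their password

# Constructed stand-ins for the FortiAuthenticator configuration: the RADIUS client
# table from step 5 (keyed by the NAS source IP) and the local users from step 4.
RADIUS_CLIENTS = {"192.168.10.20": b"fnac-shared-secret"}
LOCAL_USERS = {"hawada": ("P@ssword", False), "hawada2fa": ("P@ssword", True)}

def _attr(atype, value):
    """Type-Length-Value attribute; the length covers the 2-byte header too."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_encrypt(password, secret, request_auth):
    """Hide User-Password (RFC 2865 section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    data = password.encode()
    data += b"\x00" * ((16 - len(data) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(blob, secret, request_auth):
    """Inverse of pap_encrypt; a wrong secret yields garbage, never an error."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

def build_access_request(ident, secret, username, password, nas_ip, nas_id, nas_port):
    """What FortiNAC sends: the attribute set seen in the article's debug log."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password, secret, request_auth))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(NAS_IDENTIFIER, nas_id.encode())
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attrs(packet):
    """Walk the TLVs after the 20-byte header into {type: raw value}."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """NAS-side check that the reply was produced by a holder of the shared secret."""
    expected = build_response(response[0], request, secret, response[20:])
    return response[1] == request[1] and hmac.compare_digest(expected[4:20], response[4:20])

def check_credentials(username, wire_password, valid_token):
    """For 2FA users the wire password is 'password+token': split off the trailing
    token digits (assumed fixed length) and compare both parts in constant time."""
    entry = LOCAL_USERS.get(username)
    if entry is None:
        return False
    password, needs_token = entry
    if not needs_token:
        return hmac.compare_digest(wire_password.encode(), password.encode())
    if len(wire_password) <= TOKEN_LEN:
        return False  # nothing left for the token: the user skipped 2FA
    supplied, token = wire_password[:-TOKEN_LEN], wire_password[-TOKEN_LEN:]
    return (hmac.compare_digest(supplied.encode(), password.encode())
            and hmac.compare_digest(token.encode(), valid_token.encode()))

def server_handle(packet, src_ip, valid_token="123456"):
    """FortiAuthenticator side: find the RADIUS client by source IP, recover the
    password with that client's secret, authenticate, and sign the reply."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        return None  # unknown client: RFC 2865 says silently discard
    attrs = parse_attrs(packet)
    wire_password = pap_decrypt(attrs[USER_PASSWORD], secret, packet[4:20])
    ok = check_credentials(attrs[USER_NAME].decode(), wire_password, valid_token)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)

def login(username, wire_password, src_ip="192.168.10.20", secret=b"fnac-shared-secret"):
    """Whole exchange from FortiNAC's side; returns (accepted, reply_authentic)."""
    req = build_access_request(57, secret, username, wire_password, src_ip, "fnac.forti.lab", 36123)
    resp = server_handle(req, src_ip)
    if resp is None:
        return False, False  # no reply at all: the NAS sees a timeout
    return resp[0] == ACCESS_ACCEPT, verify_response(resp, req, secret)

if __name__ == "__main__":
    print(login("hawada", "P@ssword"))           # (True, True)
    print(login("hawada2fa", "P@ssword123456"))  # (True, True)
    print(login("hawada2fa", "P@ssword"))        # (False, True): token missing
```

Running the block with a wrong shared secret on either side shows the failure mode a practitioner hits in step 5: the server recovers garbage from User-Password and rejects, and its reply does not verify on the FortiNAC side. A request from an address that is not in the client table gets no reply at all, which shows up on FortiNAC as a timeout rather than a rejection.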
