1) First Add the FortiAuthenticator to FortiNAC under the Network -> RADIUS Proxy tab.
2) FortiAuthenticator must be set as the 'Default for Primary RADIUS Server'.
3) Create a new username on FortiNAC under Users & Hosts -> Administrators -> Users tab (this username must match the username configured on FortiAuthenticator, otherwise authentication will fail):
4) On FortiAuthenticator create a local user and assign it to a User Group:
5) Add FortiNAC as a RADIUS client on FortiAuthenticator:
6) Then create a RADIUS policy to allow the local user group authentication:
7) User successfully authenticated to FortiNAC:
FortiAuthenticator RADIUS debug logs:
2022-10-14T08:15:44.943858-07:00 FortiAuthenticator radiusd[27383]: (3) Received Access-Request Id 57 from 192.168.x.x:47221 to 192.168.x.x:1812 length 81
2022-10-14T08:15:44.943887-07:00 FortiAuthenticator radiusd[27383]: (3) User-Name = "hawada"
2022-10-14T08:15:44.943897-07:00 FortiAuthenticator radiusd[27383]: (3) User-Password: ******
2022-10-14T08:15:44.943936-07:00 FortiAuthenticator radiusd[27383]: (3) NAS-Port = 36123
2022-10-14T08:15:44.943947-07:00 FortiAuthenticator radiusd[27383]: (3) NAS-Identifier = "xxx.forti.lab"
2022-10-14T08:15:44.943957-07:00 FortiAuthenticator radiusd[27383]: (3) NAS-IP-Address = 192.168.x.x
2022-10-14T08:15:44.944001-07:00 FortiAuthenticator radiusd[27383]: (3) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-10-14T08:15:44.944163-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: ===>NAS IP:192.168.x.x
2022-10-14T08:15:44.944187-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: ===>Username:hawada
2022-10-14T08:15:44.944204-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: ===>Timestamp:1665760544.943205, age:0ms
2022-10-14T08:15:44.945745-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Found authclient from preloaded authclients list for 192.168.x.x: FNAClatest (192.168.x.x)
2022-10-14T08:15:44.948057-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Found authpolicy 'FNAC-Access' for client '192.168.x.x
2022-10-14T08:15:44.950023-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Authentication OK
2022-10-14T08:15:44.950030-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Setting 'Post-Auth-Type := FACAUTH'
2022-10-14T08:15:44.950626-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Updated auth log 'hawada': Local user authentication with no token successful
2022-10-14T08:15:44.950653-07:00 FortiAuthenticator radiusd[27383]: (3) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-10-14T08:15:44.950666-07:00 FortiAuthenticator radiusd[27383]: (3) Sent Access-Accept Id 57 from 192.168.x.x:1812 to 192.168.x.x:47221 length 0
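The radiusd debug output above is easiest to check once it is grouped per request. The script below is an added example, not part of the Fortinet article: it parses lines in that format, groups them by the request number in parentheses, and maps a request that did not end in Access-Accept back to the setup step most likely misconfigured. The sample log is constructed (placeholder addresses, ids and a second username), and the field patterns assume the message wording shown above.

```python
import re

# Constructed sample in the shape of the FortiAuthenticator radiusd debug
# output above: request (3) is accepted, request (4) is a constructed reject.
# Addresses, ids and the second username are placeholders, not real data.
SAMPLE_LOG = """\
2022-10-14T08:15:44.943887-07:00 FortiAuthenticator radiusd[27383]: (3) User-Name = "hawada"
2022-10-14T08:15:44.945745-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Found authclient from preloaded authclients list for 192.0.2.10: FNAClatest (192.0.2.10)
2022-10-14T08:15:44.948057-07:00 FortiAuthenticator radiusd[27383]: (3) facauth: Found authpolicy 'FNAC-Access' for client '192.0.2.10'
2022-10-14T08:15:44.950666-07:00 FortiAuthenticator radiusd[27383]: (3) Sent Access-Accept Id 57 from 192.0.2.20:1812 to 192.0.2.10:47221 length 0
2022-10-14T08:16:02.100100-07:00 FortiAuthenticator radiusd[27383]: (4) User-Name = "nosuchuser"
2022-10-14T08:16:02.100300-07:00 FortiAuthenticator radiusd[27383]: (4) facauth: Found authclient from preloaded authclients list for 192.0.2.10: FNAClatest (192.0.2.10)
2022-10-14T08:16:02.100400-07:00 FortiAuthenticator radiusd[27383]: (4) facauth: Found authpolicy 'FNAC-Access' for client '192.0.2.10'
2022-10-14T08:16:02.105000-07:00 FortiAuthenticator radiusd[27383]: (4) Sent Access-Reject Id 58 from 192.0.2.20:1812 to 192.0.2.10:47222 length 0
"""
# Every debug line carries the request number in parentheses; group on it.
LINE = re.compile(r"^\S+ \S+ radiusd\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")

def summarize(log_text):
    """Return {request_number: {user, client, policy, reply}} from radiusd debug text."""
    reqs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        r = reqs.setdefault(m["req"], dict.fromkeys(("user", "client", "policy", "reply")))
        msg = m["msg"]
        if (u := re.match(r'User-Name = "(.*)"', msg)):
            r["user"] = u[1]
        elif (c := re.search(r"Found authclient .*: (\S+) \(", msg)):
            r["client"] = c[1]
        elif (p := re.search(r"Found authpolicy '([^']*)'", msg)):
            r["policy"] = p[1]
        elif (s := re.match(r"Sent (Access-\w+) Id", msg)):
            r["reply"] = s[1]
    return reqs

def diagnose(reqs):
    """Heuristic: point each request at the setup step above most likely at fault."""
    hints = {}
    for req, r in reqs.items():
        if r["client"] is None:
            hints[req] = "no authclient for the NAS: check the RADIUS client entry (step 5)"
        elif r["policy"] is None:
            hints[req] = "no authpolicy matched the client: check the RADIUS policy (step 6)"
        elif r["reply"] != "Access-Accept":
            hints[req] = "not accepted: check the username exists on both sides (steps 3-4)"
        else:
            hints[req] = "ok"
    return hints
```

Run `diagnose(summarize(open("radiusd.log").read()))` on a saved debug capture to get one verdict per request id.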
To log in with a two-factor authentication (2FA) user configured on FortiAuthenticator, do the following:
1) Create a local user on FortiNAC with the same username as the LDAP user and keep it as a local user.
2) Log in to FortiNAC using this local user and accept the policy and terms in FortiNAC.
3) Then switch the user's Authentication type to 'RADIUS' on FortiNAC.
4) It will then be possible to administratively access FortiNAC with a concatenated password and token (password+Token, e.g. 'P@ssword<token>').