FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
sjerry
Staff
Article Id 337645
Description This article describes how to use attributes from a RADIUS Request to create a condition for a user host profile.
Scope FortiNAC, CentOS, nacOS.
Solution

Enable debugs if needed:

CentOS.

 

nacdebug -name FingerprintServer true

 
> tail -F output.master | grep -i FingerprintServer

nacOS.

 

execute-enter shell

nacdebug -name FingerprintServer true

 

Examine logs if needed.

 

godzilla # diagnose tail -F output.master | grep -i FingerprintServer

 

The examples below include MSCHAPv2, PEAP, and EAP-TLS.

MSCHAPv2, PEAP: 

 

mschapv2.png

 

The syntax must be exactly the same as what is received in the RADIUS request, or a '*' can be used as a wildcard if needed.

 

EAP-Type-Name = MSCHAPv2*  

UHP_radius.png
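
The following is an added example (not Fortinet code and not part of the original article) for checking a condition string against attributes copied from the debug output before entering it in the user host profile. It assumes attributes appear as `Name = Value` lines, that '*' is the only wildcard, and that comparison is case-sensitive; the sample request and all function names are constructed for illustration.

```python
import re

# Constructed sample, NOT real FortiNAC debug output: attributes written as
# "Name = Value" lines, the same form the article's condition uses.
SAMPLE_REQUEST = """\
User-Name = alice
NAS-IP-Address = 192.0.2.10
EAP-Type-Name = MSCHAPv2 (constructed suffix)
"""

def parse_attributes(text):
    """Return {attribute name: [values]}; RADIUS attributes may repeat."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")  # split on the first '=' only
        if sep and name.strip():
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def compile_condition(condition):
    """Turn 'Name = Value' into (name, regex). Only '*' is treated as special
    (assumption); every other character must match literally."""
    name, sep, pattern = condition.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a 'Name = Value' condition: {condition!r}")
    parts = pattern.strip().split("*")
    return name.strip(), re.compile(".*".join(re.escape(p) for p in parts))

def condition_matches(condition, attrs):
    """True if any received value of the named attribute matches in full."""
    name, regex = compile_condition(condition)
    return any(regex.fullmatch(value) for value in attrs.get(name, []))

if __name__ == "__main__":
    received = parse_attributes(SAMPLE_REQUEST)
    for cond in ("EAP-Type-Name = MSCHAPv2",    # exact: fails on the suffix
                 "EAP-Type-Name = MSCHAPv2*",   # wildcard form from the article
                 "EAP-Type-Name = *"):          # matches every EAP type
        print(f"{cond!r:32} -> {condition_matches(cond, received)}")
```

A bare `*` matches any value of the attribute, so keep the fixed part of the condition as long as the received value allows.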


Validate: 
Go to Users & Hosts -> Host -> 'right click' -> Policy Details.

Policy detail.png

 

EAP TLS.


EAP_TLS.png

 

EAP_TLS_Att.PNG

 

Validate: 
Go to Users & Hosts -> Host -> 'right click' -> Policy Details.

 

eap_TLS_Policy.PNG

 

RADIUS attributes can also be used to register hosts using a device profiling rule, as shown in the screenshots below:

  1. Users and Hosts -> Device Profiling Rules -> Add -> General.

device profiler general.png

  2. Select Methods -> RADIUS -> Fill in the RADIUS type and other details as in the example screenshot below:

DPR methods.png

  3. A users and hosts rule can be created using the role information the host will receive from step 1.

 

TLS radius host role.png