FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
lfrancelj
Staff
Article Id 191167

Description

This article describes how to configure FortiNAC as a RADIUS proxy between FortiGate and FortiAuthenticator.

Related document:
RADIUS - FortiNAC administration guide

Scope

FortiNAC.

Solution

  1. Log in to the FortiAuthenticator GUI, go to Authentication -> RADIUS Service -> Clients and select '+ Create New'.
  2. Enter the RADIUS client details as shown in the following example:

  3. Create a user group that will be applied to the RADIUS policy, with the RADIUS attributes that need to be sent to FortiGate.

  4. Create a new policy under Authentication -> RADIUS Service -> Policies.

Make sure to enable 'Filter' under 'Groups' and select the group that was created earlier.

  5. Add the RADIUS server under Network Devices -> RADIUS Settings:

After all the details have been entered, select 'Test and Save'.

  6. Go to the network unit under 'Topology'. To enable RADIUS authentication, select the unit and select 'Model Configuration':

  7. In the 'Model Configuration' window, enable RADIUS authentication and select the primary and secondary RADIUS server if they are not the default:

Enter the RADIUS secret for the unit and select 'Apply'.

  8. Add FortiNAC as a RADIUS server on the FortiGate.

  9. Create a user group on FortiGate whose name matches the RADIUS attribute configured on FortiAuthenticator.
 
 
Troubleshooting:

  1. When modifying a RADIUS server, the error message 'Please enter valid RADIUS Secret' may appear after selecting 'Test and Save':

To solve this, select 'OK' and select the 'Show' button next to the RADIUS secret. Then, select 'Test and Save':

  2. If the message 'Unable to contact RADIUS Server. Do you want to save these changes anyway?' appears when modifying the RADIUS server, verify whether the RADIUS secret is correct.

  3. To verify whether RADIUS queries are being forwarded to the RADIUS server, open two SSH sessions to FortiNAC and run the following command in each session:
  • SSH1:

tcpdump -vvnni any 'port 1812 and host A.A.A.A' <----- Where A.A.A.A is the IP address of the RADIUS server.

  • SSH2:

tcpdump -vvnni any 'port 1812 and host B.B.B.B' <----- Where B.B.B.B is the IP address of the network unit that is sending the RADIUS authentication requests.
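The exchange that the tcpdump sessions above capture on port 1812, as an added Python example that is not part of the article or of any Fortinet product code: it builds an Access-Request as the network unit sends it, builds the Access-Accept the RADIUS server returns, and checks the Response Authenticator with the shared secret (RFC 2865), so a reply signed with a different secret fails verification, which is why a secret mismatch surfaces as the server being unreachable. The Fortinet-Group-Name vendor attribute numbers (vendor 12356, type 1) are an assumption, not taken from the article.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1  # assumed VSA numbers, not from the article

def encode_attr(attr_type, value):
    """Type-Length-Value attribute; the length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_fortinet_group(name):
    """Vendor-Specific attribute carrying a Fortinet-Group-Name (assumed layout)."""
    inner = struct.pack("!BB", FORTINET_GROUP_NAME, len(name) + 2) + name
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)

def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, ident, username, password):
    req_auth = os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = encode_attr(USER_NAME, username) + encode_attr(
        USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(secret, code, ident, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_accept(secret, request, attrs=b""):
    ident, req_auth = request[1], request[4:20]
    resp_auth = response_authenticator(secret, ACCESS_ACCEPT, ident, req_auth, attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs

def verify_response(secret, request, response):
    """True only if the reply carries the request ID and was signed with the same secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(secret, response[0], response[1],
                                      request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])
```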

 
Related article: