Description
This article describes how to configure FortiNAC as a RADIUS proxy with FortiGate and FortiAuthenticator.
Related document:
RADIUS - FortiNAC administration guide
Scope
FortiNAC.
Solution
- Log in to the FortiAuthenticator GUI and go to Authentication -> RADIUS Service -> Clients and select '+ Create New'.
- Enter RADIUS client details as shown in the following example:
- Create a user group that will be applied to the RADIUS policy, with the RADIUS attributes that need to be sent to FortiGate.
- Create a new policy under Authentication -> RADIUS Service -> Policies.
Make sure to enable 'Filter' under 'Groups' and select the group that was created earlier.
- Add the RADIUS server under Network Devices -> RADIUS settings:
After all the details have been entered, select 'Test and Save'.
- Go to the network unit under 'Topology'. To enable RADIUS authentication, select the unit and select 'Model Configuration':
- In the 'Model Configuration' window, enable RADIUS authentication and select the Primary and Secondary RADIUS server if they differ from the default:
Enter the RADIUS secret for the unit and select 'Apply'.
- Add FortiNAC as a RADIUS server on the FortiGate.
- Create a user group on FortiGate whose name matches the RADIUS attribute configured on FortiAuthenticator.
Troubleshooting:
- When modifying a RADIUS server, the error message 'Please enter valid RADIUS Secret' may appear after selecting 'Test and Save':
To solve this, select 'OK', then select the 'Show' button next to the RADIUS secret, and select 'Test and Save' again:
- If the message 'Unable to contact RADIUS Server. Do you want to save these changes anyway?' appears when modifying the RADIUS server, verify whether the RADIUS secret is correct.
- To verify whether RADIUS queries are being forwarded to the RADIUS server, open two SSH sessions to FortiNAC and run one of the following commands in each session:
tcpdump -vvnni any 'port 1812 and host A.A.A.A' <----- Where A.A.A.A is the IP address of the RADIUS server.
tcpdump -vvnni any 'port 1812 and host B.B.B.B' <----- Where B.B.B.B is the IP address of the network unit that is sending the RADIUS authentication requests.
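Two things this procedure depends on can be checked offline from the packets those captures show: whether the reply's Response Authenticator validates under the configured secret (a mismatch is what produces the 'Unable to contact RADIUS Server' prompt above), and which Fortinet-Group-Name value the reply carries, since that is the name the FortiGate user group must match. The following is an added example, not code from the article or from Fortinet; the packet, request authenticator and secret are constructed, and it assumes Fortinet's vendor ID 12356 with Fortinet-Group-Name as vendor sub-type 1.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356          # IANA enterprise number for Fortinet (assumed)
FORTINET_GROUP_NAME = 1             # Fortinet-Group-Name VSA sub-type (assumed)

def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RFC 2865 type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def fortinet_group_vsa(group):
    """Vendor-Specific attribute carrying one Fortinet-Group-Name string."""
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, len(group) + 2) + group.encode()
    return (VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub)

def build_response(code, ident, request_auth, attrs, secret):
    """Server reply; authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def verify_response(response, request_auth, secret):
    """Recompute the Response Authenticator; False means wrong secret or a modified packet."""
    head, got, body = response[:4], response[4:20], response[20:]
    want = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(got, want)

def fortinet_groups(response):
    """Walk the attribute list and collect every Fortinet-Group-Name value."""
    groups, body = [], response[20:]
    while len(body) >= 2:
        atype, alen = body[0], body[1]
        if alen < 2 or alen > len(body):
            break                           # malformed length: stop rather than loop
        val = body[2:alen]
        if atype == VENDOR_SPECIFIC and len(val) > 4 and struct.unpack("!I", val[:4])[0] == FORTINET_VENDOR_ID:
            sub = val[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] == FORTINET_GROUP_NAME:
                    groups.append(sub[2:sub[1]].decode(errors="replace"))
                sub = sub[sub[1]:]
        body = body[alen:]
    return groups

def demo():
    """Constructed Access-Accept: validates with the right secret, fails with a wrong one."""
    request_auth, secret = bytes(range(16), ), b"constructed-secret"   # constructed values
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, [fortinet_group_vsa("NAC-Users")], secret)
    return verify_response(reply, request_auth, secret), verify_response(reply, request_auth, b"wrong-secret"), fortinet_groups(reply)
```

On a real capture, take the 16-byte Request Authenticator from the Access-Request and the full Access-Accept bytes from the tcpdump output in place of the constructed values.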
Related article: