FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 191167
Description
This article describes how to configure FortiNAC as a RADIUS proxy with FortiGate and FortiAuthenticator.

Related link:
https://docs.fortinet.com/document/fortinac/8.6.0/administration-guide/214558/radius

Solution
1) Log in to the FortiAuthenticator GUI, go to Authentication -> RADIUS Service -> Clients and select '+ Create New'.
2) Enter the RADIUS client details as shown in the following example:

3) Create a user group that will be applied to the RADIUS policy, carrying the RADIUS attributes that need to be sent to FortiGate.




4) Create a new policy under Authentication -> RADIUS Service -> Policies.

Make sure to enable 'Filter' under 'Groups' and select the group that was created earlier.

5) Add the RADIUS server under Network Devices -> RADIUS settings:

After all the details have been entered, select 'Test and Save'.

7) Under 'Topology', go to the network unit on which RADIUS authentication is to be enabled, select the unit and select 'Model Configuration':

8) In the 'Model Configuration' window, enable RADIUS authentication and select the primary and secondary RADIUS servers if they are not the defaults:

- Enter the RADIUS secret for the unit and select 'Apply'.

9) Add FortiNAC as a RADIUS server on the FortiGate.

10) Create a user group on FortiGate whose name matches the RADIUS attribute value configured on FortiAuthenticator.





Troubleshooting.

1) When modifying a RADIUS server, the error message 'Please enter valid RADIUS Secret' can appear after selecting 'Test and Save':

- To solve this, select 'OK', select the 'Show' button next to RADIUS Secret and then select 'Test and Save':





2) If the message 'Unable to contact RADIUS Server. Do you want to save these changes anyway?' appears when modifying a RADIUS server, verify that the RADIUS secret is correct.

3) To verify that RADIUS queries are being forwarded to the RADIUS server, open two SSH sessions to FortiNAC and run one of the commands below in each session:

- SSH1: tcpdump -vvnni any 'port 1812 and host A.A.A.A', where A.A.A.A is the IP address of the RADIUS server.
- SSH2: tcpdump -vvnni any 'port 1812 and host B.B.B.B', where B.B.B.B is the IP address of the network unit that is sending the RADIUS authentication requests.
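Troubleshooting points 2 and 3 both come down to the RADIUS shared secret: a proxy whose secret does not match the server's can still send requests, but every reply fails the Response Authenticator check (RFC 2865: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret) and is discarded, which is what a capture on port 1812 then shows as requests without usable answers. The following is an added example, not code from this article or from Fortinet, that builds an Access-Request and an Access-Accept and verifies the reply against a correct and a wrong secret. The secret values, the user name, the NAS address 192.0.2.10 and the use of Filter-Id (attribute 11) as the group attribute are constructed for illustration; the article does not state which attribute carries the group name, and User-Password hiding is left out because it is not needed to show the authenticator check.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Standard attribute types used in this example (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FILTER_ID = 11


def encode_attrs(attrs):
    """Serialise (type, value_bytes) pairs into RADIUS type/length/value form."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute area; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length inconsistent with packet")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(identifier, attrs, request_auth=None):
    """Access-Request: the 16-byte Request Authenticator is random per request."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body


def build_response(code, request_packet, attrs, secret):
    """Access-Accept/Reject whose Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier = request_packet[1]
    request_auth = request_packet[4:20]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(packet):
    """Split a RADIUS packet into header fields and decoded attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    return {"code": code, "id": identifier, "length": length,
            "authenticator": packet[4:20], "attrs": decode_attrs(packet[20:length])}


def verify_response(response, request_packet, secret):
    """True only if the reply matches the request ID and its Response
    Authenticator was computed with `secret`; a wrong secret yields False."""
    parsed = parse_packet(response)
    if parsed["id"] != request_packet[1]:
        return False
    expected = hashlib.md5(response[:4] + request_packet[4:20]
                           + response[20:parsed["length"]] + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


def demo(server_secret=b"constructed-secret", proxy_secret=b"constructed-secret"):
    """Model one exchange: the proxy sends a request, the server answers with
    its own secret, the proxy checks the reply with the secret it was given."""
    request = build_access_request(7, [
        (ATTR_USER_NAME, b"alice"),                     # constructed user
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address
    ])
    accept = build_response(ACCESS_ACCEPT, request,
                            [(ATTR_FILTER_ID, b"NAC-Users")], server_secret)
    group = dict(parse_packet(accept)["attrs"]).get(ATTR_FILTER_ID)
    return verify_response(accept, request, proxy_secret), group


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("mismatched secrets:", demo(proxy_secret=b"wrong-secret"))
```

With matching secrets `demo()` returns the accept as valid together with the group value, which is the value a FortiGate user group name must match in step 10; with a mismatched secret the reply is parsed fine but fails verification, so the proxy has nothing it can trust to forward, even though the capture still shows the server answering.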

