NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 198153
This article describes how to configure FortiNAC as a RADIUS proxy.
This can be useful in case of implementing wired or wireless 802.1x authentication.

Related link:

- RADIUS server such as FortiAuthenticator, Microsoft NPS.

- RADIUS server needs to support PEAP, PAP and MSCHAPv2.

1) Add RADIUS server under Network Devices -> RADIUS settings.

2) Enter RADIUS server details.

- Select 'Test and Save', Password Authentication Protocol (PAP) is required for this test.

3) Go to the network unit under 'Topology' wanted to enable RADIUS authentication, select the unit and select 'Model Configuration':

4) In  'Model Configuration' , enable RADIUS authentication and select Primary and secondary RADIUS server if not default.

- Enter RADIUS secret for the unit and select 'Apply'.


1) When modifying RADIUS server the error message 'Please enter valid RADIUS Secret' is appearing after selecting 'Test and Save'.

- In this case, select 'OK' and select 'Show' next to RADIUS Secret and then select 'Test and Save'.

2) In the message 'Unable to contact RADIUS Server. Do you want to save these changes anyway?' is appearing when modifying RADIUS server, verify if the RADIUS secret is correct.
It is the same string of characters on each side.

3) To verify if RADIUS queries are being forwarded to RADIUS server, open two SSH sessions to FortiNAC and run below commands for each session:

SSH #1:
tcpdump -i any -vvnnXS 'port 1812 and host A.A.A.A'                 <----- where A.A.A.A is the IP address from the RADIUS server.
SSH #2:
tcpdump -i any -vvnnXS 'port 1812 and host B.B.B.B'                 <----– where B.B.B.B is the IP address from the network unit that is sending RADIUS authentication requests.

Related Articles

Technical Tip: Microsoft NPS as RADIUS client for active-directory authentication