FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Markus_M
Staff & Editor
Article Id 198153

Description


This article describes how to configure FortiNAC as a RADIUS proxy.
This is useful when implementing wired or wireless 802.1X authentication.

Related document:
RADIUS - FortiNAC administration guide

Scope

 

  • A RADIUS server such as FortiAuthenticator or Microsoft NPS.
  • The RADIUS server needs to support PEAP, PAP and MSCHAPv2.

Solution

 

  1. Add the RADIUS server under Network Devices -> RADIUS settings.

  2. Enter the RADIUS server details.

Select 'Test and Save'. Password Authentication Protocol (PAP) is required for this test.

  3. Go to the network unit under 'Topology'. To enable RADIUS authentication, select the unit and select 'Model Configuration'.

  4. In 'Model Configuration', enable RADIUS authentication and select the primary and secondary RADIUS servers if they are not the defaults.

  • Enter a RADIUS secret for the unit and select 'Apply'.
 
Troubleshooting:
 
  1. When modifying the RADIUS server, the error message 'Please enter valid RADIUS Secret' appears after selecting 'Test and Save'.

In this case, select 'OK', select 'Show' next to the RADIUS Secret, and then select 'Test and Save'.

  2. If the message 'Unable to contact RADIUS Server. Do you want to save these changes anyway?' appears when modifying the RADIUS server, verify that the RADIUS secret is correct.

It must be the same string of characters on each side.

  3. To verify that RADIUS queries are being forwarded to the RADIUS server, open two SSH sessions to FortiNAC and run one of the following commands in each session:

SSH #1:

tcpdump -i any -vvnnXS 'port 1812 and host A.A.A.A'                 <----- Where A.A.A.A is the IP address of the RADIUS server.

SSH #2:

tcpdump -i any -vvnnXS 'port 1812 and host B.B.B.B'                 <----- Where B.B.B.B is the IP address of the network unit that is sending RADIUS authentication requests.
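
A secret mismatch (troubleshooting item 2) can also be confirmed from a request/reply pair captured as in item 3. The following Python is an added example, not Fortinet code: per RFC 2865, a reply's Response Authenticator is MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), so recomputing it with the locally configured secret shows whether both sides hold the same string. The function names, sample packets and secret are constructed for illustration; the inputs are the RADIUS payload bytes (UDP data only, without the IP/UDP headers shown in the hex dump).

```python
import hashlib
import hmac
import struct

def build_reply(code, ident, request_auth, attributes, secret):
    """Build a reply as a RADIUS server does (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes

def check_reply(request, reply, secret):
    """Classify a captured reply: ok, secret-mismatch, id-mismatch, malformed."""
    if len(request) < 20 or len(reply) < 20:
        return "malformed"
    _code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "malformed"
    if ident != request[1]:
        return "id-mismatch"          # reply belongs to another request
    reply = reply[:length]            # drop any trailing padding
    expected = hashlib.md5(
        reply[:4] + request[4:20] + reply[20:] + secret
    ).digest()
    if hmac.compare_digest(expected, reply[4:20]):
        return "ok"
    return "secret-mismatch"

# Constructed sample packets (not from a real capture).
REQ_AUTH = bytes(range(16))
REQ_ATTRS = bytes([1, 7]) + b"alice"               # User-Name attribute
REQUEST = struct.pack("!BBH", 1, 0x2A, 20 + len(REQ_ATTRS)) + REQ_AUTH + REQ_ATTRS
SERVER_SECRET = b"constructed-secret"              # what the server side holds
REPLY = build_reply(2, 0x2A, REQ_AUTH, bytes([18, 4]) + b"ok", SERVER_SECRET)

if __name__ == "__main__":
    # The second candidate differs only by a trailing space.
    for candidate in (b"constructed-secret", b"constructed-secret "):
        print(repr(candidate), "->", check_reply(REQUEST, REPLY, candidate))
```

A result of "secret-mismatch" on a reply whose ID matches the request means the two sides hold different secret strings.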

 
