Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Markus_M
Staff
Staff

Created on ‎03-13-2020 08:39 AM Edited on ‎01-31-2024 06:12 AM By Moderator

Article Id 198153

Technical Tip: RADIUS Proxy

Description
This article describes how to configure FortiNAC as a RADIUS proxy.
This can be useful in case of implementing wired or wireless 802.1x authentication.

Related link:

https://docs.fortinet.com/document/fortinac/8.6.0/administration-guide/214558/radius

Scope
- RADIUS server such as FortiAuthenticator, Microsoft NPS.

- RADIUS server needs to support PEAP, PAP and MSCHAPv2.

Solution
1) Add RADIUS server under Network Devices -> RADIUS settings.

 
 
2) Enter RADIUS server details.
 
 
 
- Select 'Test and Save', Password Authentication Protocol (PAP) is required for this test.
 
3) Go to the network unit under 'Topology' wanted to enable RADIUS authentication, select the unit and select 'Model Configuration':
 
 
 
 
4) In  'Model Configuration' , enable RADIUS authentication and select Primary and secondary RADIUS server if not default.
 
 
 
 
- Enter RADIUS secret for the unit and select 'Apply'.
 
Troubleshooting.
 
1) When modifying RADIUS server the error message 'Please enter valid RADIUS Secret' is appearing after selecting 'Test and Save'.
 
 
 
 
- In this case, select 'OK' and select 'Show' next to RADIUS Secret and then select 'Test and Save'.
 
 
 
2) In the message 'Unable to contact RADIUS Server. Do you want to save these changes anyway?' is appearing when modifying RADIUS server, verify if the RADIUS secret is correct.
It is the same string of characters on each side.

3) To verify if RADIUS queries are being forwarded to RADIUS server, open two SSH sessions to FortiNAC and run below commands for each session:

SSH #1:
tcpdump -i any -vvnnXS 'port 1812 and host A.A.A.A'                 <----- where A.A.A.A is the IP address from the RADIUS server.
SSH #2:
tcpdump -i any -vvnnXS 'port 1812 and host B.B.B.B'                 <----– where B.B.B.B is the IP address from the network unit that is sending RADIUS authentication requests.

 

Related Articles

Technical Tip: Microsoft NPS as RADIUS client for active-directory authentication

4090
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.