FortiNAC - internal Radius server attributes how to
I am playing with the Radius attribute setup in FortiNAC (9.4.1) and am probably missing the logic behind these settings.
What I would like to achieve is a solution where FortiNAC returns to the switch a specific value of the Service-Type attribute when the admin user logs in to the CLI of the switch.
FortiNAC internal Radius works for this type of authentication, for example with the FortiSwitch. But the FSW does not need to get any specific attribute in the Accept message.
I have created a new attribute in the Radius config and assigned this attribute to the switch as its default Radius attribute, but in the pcap I do not see any attribute being sent back to the test switch in the Accept message.
Could you please help me figure out what the correct way to configure the new Radius attribute is? FAC or MS NPS works with authentication realms that contain some kind of conditions to be used and an action that should be taken. Is this in any way similar to attribute creation in FortiNAC, and how exactly does the %ACCESS_VALUE% parameter work? Thank you very much.
The approach you described is valid. The root cause of my issue with no attribute being sent back to the client seems to be the fact that the FNAC Radius server needs to receive the NAS-Identifier and Calling-Station-Id attributes in the Radius request in order to send any attribute back to the Radius client. When those attributes are received, everything works fine.