New Contributor

How to configure NPS to authenticate FortiGate administrators

Hi all,

I face an issue that has never occurred before.

I configured a RADIUS server (Windows 2008R2 NPS) to authenticate administrators of a FortiGate (release 5.0.11).

In the Microsoft Event Viewer I see that the user has been granted access, but in the FortiGate log the user's access is refused due to "incorrect password".

Are there some special tricks to be configured?

Are there any required vendor-specific attributes to be configured on NPS?

many thanks!



Valued Contributor III

You need to use LDAP for [strike]admin[/strike] (should have read SSL VPN) users. With NPS, you need to be authenticated before permission is granted. This is primarily used for AD group filtering for Internet access.


Edited for incorrect content. -rp

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


So I'll remove RADIUS and configure LDAP servers in the FortiGate.

It was the last chance in my mind.

By the way, it was strange that RADIUS cannot be used to authenticate administrators.

Thank you very much!



RADIUS can be used for admin users as well as LDAP and TACACS+, even for wildcard admin users (1:N), so one admin account on the FGT for many matching ones on the RADIUS server. I would suggest checking the KB for "radius admin" or "radius wildcard"; the very first hits/technotes will give you an idea.


Usual caveats are:

- the RADIUS server configured on the FGT is used for both admins and users, or even has "use in all groups" turned on; I'd suggest making a dedicated RADIUS server config and firewall user group just for admin authentication

- group match is set but the RADIUS server does not return the configured string in the Fortinet-Group-Name AVP, and therefore the group match fails


Another possibility is to open a ticket on support site and attach

- network diagram

- config backup

- RADIUS sniffer (I assume default ports are used, so something like the CLI output from: diag sniffer packet any 'port 1812' 6 0 a)

Tom xSilver, planet Earth, over and out!
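To check Tom's second caveat (the Access-Accept must actually carry the Fortinet-Group-Name AVP before a group match can succeed), here is an added example, not part of the thread, that builds a sample Access-Accept and pulls every Fortinet-Group-Name value out of it. It uses Fortinet's IANA vendor ID 12356 and VSA sub-type 1 for Fortinet-Group-Name; the group name "FGT_admins" is a constructed value.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name sub-type inside the VSA
ACCESS_ACCEPT = 2            # RADIUS code for Access-Accept
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type


def fortinet_group_vsa(group: str) -> bytes:
    """Encode Fortinet-Group-Name as a RADIUS Vendor-Specific attribute."""
    value = group.encode()
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, attrs: bytes) -> bytes:
    """Minimal Access-Accept; the 16-byte authenticator is zeroed (sample only)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


def fortinet_group_names(packet: bytes) -> list:
    """Walk the attribute list and return every Fortinet-Group-Name string found."""
    groups = []
    pos = 20  # attributes start after the fixed 20-byte header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed length; stop rather than loop forever
        data = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(data) >= 6 \
                and struct.unpack("!I", data[:4])[0] == FORTINET_VENDOR_ID:
            sub = data[4:]
            while len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if slen < 2:
                    break
                if stype == FORTINET_GROUP_NAME:
                    groups.append(sub[2:slen].decode(errors="replace"))
                sub = sub[slen:]
        pos += alen
    return groups


def group_match(packet: bytes, expected: str) -> bool:
    """Mirror the FGT group-match check: the expected name must be in the reply."""
    return expected in fortinet_group_names(packet)


if __name__ == "__main__":
    good = build_access_accept(1, fortinet_group_vsa("FGT_admins"))
    bare = build_access_accept(2, b"")  # NPS accepted but sent no Fortinet VSA
    print(group_match(good, "FGT_admins"), group_match(bare, "FGT_admins"))
```

Feed it the bytes of a captured Access-Accept from the sniffer and an empty list tells you the group-match failure is on the NPS side, not the FGT side.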

Esteemed Contributor III

I agree with all that's been posted and suggest using a radtest client before troubleshooting issues within the FortiGate. You can manipulate all client-side attributes and debug issues.





Valued Contributor III

Dangit! Been out of the loop too long. Confusing admin login with SSL VPN login....
