FortiAuthenticator provides access management and single sign on.
Article Id 192308
Description This article will describes how to create an admin profile and have the radius server select the appropriate profile for a Radius user.
Scope Fortigate, Fortiauthenticator
  1. Configure the FortiGate with the Radius server.

Go to User & Device -> Authentication -> Radius Server.


Name: FGT-Radius
Primary Server IP/Name:
Primary Server Secret: radius_secret


Or run the equivalent in the CLI:


config user radius
    edit "FGT-Radius"
        set server
        set secret radius_secret





Can optionally set a source IP address for the FortiGate to use when contacting the Radius server by using the following commands:


config user radius
    edit "FGT-Radius"
        set source-ip


  1. Configure the RADIUS server to send the appropriate vendor-specific attributes (VSAs).

    Verify that the RADIUS server is configured to send down the appropriate vendor-specific attributes (VSA). 

    In order to send an appropriate group membership and access profile VSA 1 and VSA 6 will need to be set.


    VENDOR fortinet 12356
    ATTRIBUTE Fortinet-Group-Name       1   string
    ATTRIBUTE Fortinet-Access-Profile   6   string


    In this example:


    Attribute 1 is set to Firewall_Admins.
    Attribute 6 is set to Radius_User_Access.


    A list of all of Fortinet's VSA is available here.







  2. Create a user group on FortiGate.


    Go to User & Device -> User -> User group and create a Firewall group. 

    Create New Remote Server and add the Radius Server. 

    In the group's field, include the string that was configured as Attribute 1 on the RADIUS server. 
    In this example, the string used was 'Firewall_Admins'.

    Name: Radius_group
    Remote group:
    Remote Server: FGT-Radius
    Groups: Firewall_Admins







  3. Create two admin profiles.

    Go to System -> Admin -> Admin Profiles and create 2 profiles:

    First profile.

    Profile Name: no_access
    Access Control: None




    Second profile.

    Profile Name: Radius_User_Access (note that the name of the profile needs to match which is specified for VSA 6).

    Access Control: Specify the desired permissions.




  4. Create an admin user.

    • Go to System -> Admin -> Admin -> Administrators.

    • Create a new admin with the type Remote.

    • Select the User Group.

    • Select type wildcard.

    • Select the no_access profile .



Then in the CLI run the following in order to allow the profile passed down by the radius server to override the current no_access profile:


config system admin
     edit Radius_Admins
     set accprofile-override enable





  1. Log into FortiGate using the new RADIUS user.






  2. Troubleshooting steps if it is not working as expected.


    If appropriate permissions is not received, run the following commands in the CLI:


    diag debug app fnbamd -1
    diag debug app radius -1
    diag debug enable
    diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>

    A successful output will appear as follows:


    [1932] handle_req-Rcvd auth req 7658224 for radius_admins in Radius_group opt=00014001 prot=11
    [424] __compose_group_list_from_req-Group 'Radius_group', type 1
    [617] fnbamd_pop3_start-radius_admins
    [336] fnbamd_create_radius_socket-Opened radius socket 16
    [336] fnbamd_create_radius_socket-Opened radius socket 17
    [1372] fnbamd_radius_auth_send-Compose RADIUS request
    [1332] fnbamd_rad_dns_cb->
    [1310] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=16, IP= code=1 id=113 len=125 user="radius_admins" using PAP
    [313] radius_server_auth-Timer of rad 'FGT-Radius' is added
    [743] auth_tac_plus_start-Didn't find tac_plus servers (0)
    [481] ldap_start-Didn't find ldap servers
    [591] create_auth_session-Total 1 server(s) to try
    [1381] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
    [1772] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
    [354] extract_success_vsas-FORTINET attr, type 6, val Radius_User_Access
    [320] extract_success_vsas-FORTINET attr, type 1, val Firewall_Admins

    [1407] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' is 0
    [1331] fnbamd_radius_group_match-Passed group matching
    [1059] find_matched_usr_grps-Group 'Radius_group' passed group matching
    [1060] find_matched_usr_grps-Add matched group 'Radius_group'(10)
    [217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 7658224, len=2061
    [747] destroy_auth_session-delete session 7658224
    [2446] handle_req-Rcvd 7 req
    [308] fnbamd_acct_start_START-Error getting radius server
    [1469] create_acct_session-Error start acct type 7
    [2460] handle_req-Error creating acct session 7

    diag test authserver radius FGT-Radius pap radius_admins P@ssword123

    authenticate 'radius_admins' against 'pap' succeeded, server=primary assigned_rad_session_id=7658226 assigned_admin_profile=Radius_User_Access session_timeout=0 secs idle_timeout=0 secs!
    Group membership(s) - Firewall_Admins

Related articles:

Technical Tip: Fortinet RADIUS attribute.

Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes).