FortiWAN RADIUS Authentication


RADIUS Authentication

Besides FortiWAN's local authentication database described above, FortiWAN also supports RADIUS authentication for Web UI login. Please make sure the following settings are in place on the RADIUS server that works with FortiWAN.

Add Fortinet's Vendor Specific Attribute (VSA) to /etc/raddb/dictionary:

VENDOR Fortinet 12356
BEGIN-VENDOR Fortinet
…
ATTRIBUTE Fortinet-FWN-AVPair 26 string
…
END-VENDOR Fortinet

"12356" is Fortinet's vendor ID, "Fortinet-FWN-AVPair" is the attribute used for working with FortiWAN and "26" is the attribute ID. If the RADIUS server also serves other Fortinet products, please add the corresponding attributes between BEGIN-VENDOR Fortinet and END-VENDOR Fortinet.

Construct the user database on the RADIUS server for authentication. For example, suppose we have the accounts "Administrator/1234" and "admin/(null)" belonging to the Administrator group, and "Monitor/5678" belonging to the Monitor group.

Add the following to /etc/raddb/users (each account's check item is on its own line, and the reply attribute follows on an indented line):

Administrator User-Password := "1234"
    Fortinet-FWN-AVPair := "user-group=Administrator"

admin User-Password := ""
    Fortinet-FWN-AVPair := "user-group=Administrator"

Monitor User-Password := "5678"
    Fortinet-FWN-AVPair := "user-group=Monitor"

Please make sure "user-group" is specified for every account; otherwise FortiWAN denies the login even if the account and password are authorized by the RADIUS server.

To enable FortiWAN's RADIUS authentication, please tick the checkbox and complete the configuration below.

Priority: Determines the order in which the two authentication methods are tried:

RADIUS, Local Database: Authorize a login via RADIUS first, then try the local database if RADIUS authentication failed.

Local Database, RADIUS: Authorize a login via the local database first, then try RADIUS if local database authentication failed.

Server IP: IP address of the RADIUS server.

Server Port: UDP port number of the RADIUS server (the standard port is 1812, but it might be 1645 for earlier RADIUS implementations).

Secret: The secret (password) shared with the RADIUS server.

NAS IP: Enter the corresponding NAS-IP-Address attribute for the Request/Response Authenticator if it is necessary, or leave it blank. See RFC 2865 for details.

NAS Port: Enter the corresponding NAS-Port attribute for the Request/Response Authenticator if it is necessary, or leave it blank. See RFC 2865 for details.

Apply: Click to apply the configuration.
