Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
matanaskovic
Staff
Staff

Created on ‎09-05-2017 04:32 PM

Article Id 198220

Technical Tip: Enable profile based on RADIUS attributes

Purpose
This article describeshow to configure different RADIUS profiles in RADIUS policy.

Profiles will be applied in top-to-bottom order based on matching RADIUS attributes.
If the profile has no attributes to match, that profile will always be applied before any beneath it.

Expectations, Requirements
FortiAuthenticator supports a single authentication profile for each RADIUS Auth Client.
Because of this, authentication (for example IPsec/SSLVPN, Web Filtering Override, Wireless Authentication, and so on) requires different profiles, as RADIUS authentication requests originate from the same IP address.
To distinguish the authentication requirements, add attributes to them. Attributes (which can be added to authentication requirements) indicate the type of service the user has requested, or the type of service to be provided.

The profiles created can be re-arranged in terms of priority.
FortiAuthenticator attempts to match the RADIUS attributes from an authentication request to each profile, starting with the highest-priority profile, and moves down the list until it finds a match.
FortiAuthenticator uses the first profile that it matches.
Each FortiAuthenticator Auth Client Profile can contain up to two RADIUS Attributes. To match a profile, all specified attributes in a profile must match, if not, the processing will fall to the next profile (processed in top-down order).

Configuration
Message: Profiles will be applied in top-to-bottom order based on matching RADIUS attributes.
If the profile has no attributes to match, that profile will always be applied before any beneath it.

1) The policy name, description, and clients. Choose the clients to which this policy applies.




2) The attributes that must be present in the RADIUS authentication request to be processed by this policy.




3) Authentication type of end-user authentication used by this policy.




4) The identity sources against which to authenticate end-users. Identity source settings vary depending on the authentication type selected.




5) Authentication factor settings are only displayed for Password/OTP and EAP-TLS authentication types.




6) The content of the RADIUS authentication response based on the outcome of the authentication.




Repeat the same procedure to each new profile.

Labels:
1249
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.