Description
This article lists the variables sent by the FortiGate for customisation of server-side NPS policy.
Scope
Tested on 5.4.1; should apply to earlier versions.
Solution
SSL VPN RADIUS authentication request:
NAS-Identifier(32): FortiGate_48
User-Name(1): fortinet
Vendor-Specific(26) v=Microsoft(311)
Vendor-Specific(26) v=Microsoft(311)
NAS-Port(5): 1
NAS-Port-Type(61): Virtual(5)
Calling-Station-Id(31): 192.168.196.97
Acct-Session-Id(44): 522001f9
Connect-Info(77): vpn-ssl
Vendor-Specific(26) v=Fortinet, Inc.(12356)
802.11 RADIUS authentication request:
User-Name(1): fortinet
NAS-IP-Address(4): 0.0.0.0
NAS-Identifier(32): 10.156.0.57/5246-RADIUS_WiFi
Called-Station-Id(30): 12-09-0F-76-26-18:RADIUS_WiFi
NAS-Port-Type(61): Wireless-802.11(19)
NAS-Port(5): 0
Calling-Station-Id(31): 90-E7-C4-32-D3-D6
Connect-Info(77): CONNECT 0Mbps 802.11b
Acct-Session-Id(44): 5790EF44-00000CBC
Framed-MTU(12): 1400
EAP-Message(79) Last Segment[1]
State(24): 5e8407b40000013700011700fe8000000000000070bea14d...
Message-Authenticator(80): 7e1c5fba1b251ca7dcd9800f5d109eb7
Therefore, when configuring an NPS server to accept connections from the FortiGate, the following attributes may be used as policy conditions to restrict access:
Calling Station ID
User Name
NAS Identifier
NAS IPv4 Address
NAS IPv6 Address
NAS Port Type
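As an added illustration (not code from the original article or from Fortinet), the Python below builds a constructed Access-Request carrying the SSL VPN attributes shown above, parses it back out, and evaluates the kind of condition set an NPS network policy could apply to those attributes. The Fortinet VSA sub-attribute bytes and the allowed client network are assumptions.

```python
import ipaddress
import struct

# RADIUS attribute type numbers used in the FortiGate requests above (RFC 2865)
USER_NAME, NAS_PORT, VENDOR_SPECIFIC, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 5, 26, 31, 32
NAS_PORT_TYPE, CONNECT_INFO, PORT_TYPE_VIRTUAL, VENDOR_FORTINET = 61, 77, 5, 12356

def build_access_request(attrs):
    # Access-Request = code 1, identifier, length, 16-byte authenticator, then TLVs
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    return struct.pack("!BBH", 1, 0x42, 20 + len(body)) + bytes(16) + body

def parse_access_request(packet):
    # Returns {attribute_type: value}; integers decoded, VSAs keyed by vendor id
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            attrs.setdefault(atype, {})[struct.unpack("!I", value[:4])[0]] = value[4:]
        elif atype in (NAS_PORT, NAS_PORT_TYPE):
            attrs[atype] = struct.unpack("!I", value)[0]
        else:
            attrs[atype] = value.decode("ascii", errors="replace")
        pos += alen
    return attrs

def policy_allows(attrs, nas_ids, port_types, client_net):
    # Mirrors an NPS network-policy condition set built from the attributes listed above
    if attrs.get(NAS_IDENTIFIER) not in nas_ids:
        return False, "NAS-Identifier not in allowed set"
    if attrs.get(NAS_PORT_TYPE) not in port_types:
        return False, "NAS-Port-Type not permitted by this policy"
    try:  # SSL VPN sends an IP here; 802.11 sends a MAC, which this policy rejects
        station = ipaddress.ip_address(attrs.get(CALLING_STATION_ID, ""))
        in_net = station in ipaddress.ip_network(client_net)
    except ValueError:
        in_net = False
    return (True, "matched") if in_net else (False, "Calling-Station-Id not in allowed network")

# Constructed sample mirroring the SSL VPN request above (the VSA payload is a dummy)
SSLVPN_REQUEST = build_access_request([
    (NAS_IDENTIFIER, b"FortiGate_48"), (USER_NAME, b"fortinet"), (CALLING_STATION_ID, b"192.168.196.97"),
    (NAS_PORT, struct.pack("!I", 1)), (NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_VIRTUAL)),
    (CONNECT_INFO, b"vpn-ssl"), (VENDOR_SPECIFIC, struct.pack("!I", VENDOR_FORTINET) + b"\x01\x04ab")])
```

Feeding the parsed 802.11 request through the same policy fails on the Calling-Station-Id check, which is why a separate policy keyed on NAS-Port-Type Wireless-802.11(19) is needed for wireless clients.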
To find out the values sent to the server, run a sniffer on RADIUS’s port 1813.
To troubleshoot connections rejected by a Windows server, check the event log under “Network Policy and Access Services”.
See also the Fortinet Cookbook article "SSL VPN with RADIUS Authentication".