The RADIUS user database is commonly an SQL or LDAP database, but can also be any combination of:

When a configured user attempts to access the network, the FortiGate unit forwards the authentication request to the RADIUS server, which matches the username and password remotely. Once the user is authenticated, the RADIUS server returns an authorization-granted message to the FortiGate unit, which then grants the user permission to access the network.
Multiple FortiGate units can use a single FortiAuthenticator for FSSO, remote authentication, and FortiToken management. For more information, see the FortiAuthenticator Administration Guide.
FortiOS does not accept all characters in the shared keys auto-generated by MS Windows 2008. These keys are also very long, and as a result RADIUS authentication with such a key will not work; enter a shorter shared secret on both sides instead.
Microsoft Windows Server 2000, 2003, and 2008 have RADIUS support built in. Microsoft-specific RADIUS features are defined in RFC 2548. The maximum key length for MS Windows 2008 is 128 bytes.

RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting), and listen for requests on either UDP ports 1812 (authentication) and 1813 (accounting) or the older ports 1645 (authentication) and 1646 (accounting). RADIUS servers exist for all major operating systems.

A RADIUS dictionary maps attribute numbers to attribute names and value types, and is typically supplied by the client or server vendor. The FortiGate unit RADIUS VSA dictionary is supplied by Fortinet and is available through the Fortinet Knowledge Base or through Technical Support. Fortinet's dictionary for FortiOS 4.0 and up is configured this way:

    ## Fortinet's VSA's
    #
    VENDOR          fortinet        12356
    BEGIN-VENDOR    fortinet
    ATTRIBUTE       Fortinet-Group-Name             1       string
    ATTRIBUTE       Fortinet-Client-IP-Address      2       ipaddr
    ATTRIBUTE       Fortinet-Vdom-Name              3       string
    ATTRIBUTE       Fortinet-Client-IPv6-Address    4       octets
    ATTRIBUTE       Fortinet-Interface-Name         5       string
    ATTRIBUTE       Fortinet-Access-Profile         6       string
    #
    # Integer Translations
    #
    END-VENDOR      fortinet

Note that using Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate unit.

In role-based access control (RBAC), users are granted access to network resources according to their role and that role's need for specific resources. For example, a junior accountant does not require access to the sales presentations or to network user account information. There are three main parts to RBAC: role assignment, role authorization, and transaction authorization. Role authorization is accomplished when a network administrator creates that user's RADIUS account and assigns them to the required groups for that role. Using this method, network administrators can separate users into groups that match resources, protocols, or VDOMs. If VDOMs are enabled, the matched group is limited to a specific VDOM.
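The following is an added example, not code from the FortiOS handbook or from Fortinet. It shows what the dictionary above means on the wire: how a RADIUS server encodes Fortinet-Group-Name, Fortinet-Vdom-Name and Fortinet-Client-IP-Address as Vendor-Specific attributes (type 26, vendor ID 12356) inside an Access-Accept, how the RADIUS client (here standing in for the FortiGate) must verify the Response Authenticator with the shared secret before trusting the reply, and how the decoded group and VDOM names feed the group match described in the RBAC paragraph. The shared secret, identifier, request authenticator, group names and addresses are constructed sample values, and match_group is a simplified model of the FortiGate group/VDOM match, not FortiOS logic.

```python
# Added example, not Fortinet's code: encode, verify and decode a RADIUS Access-Accept
# carrying Fortinet VSAs (RFC 2865 framing; vendor ID and sub-attribute numbers are
# transcribed from the dictionary above). All secrets and names are sample values.
import hashlib
import hmac
import os
import socket
import struct

FORTINET_VENDOR_ID = 12356   # VENDOR fortinet 12356
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26
CODE_ACCESS_ACCEPT = 2

# Sub-attribute number -> (name, type), transcribed from the dictionary above.
FORTINET_VSA = {
    1: ("Fortinet-Group-Name", "string"),
    2: ("Fortinet-Client-IP-Address", "ipaddr"),
    3: ("Fortinet-Vdom-Name", "string"),
    4: ("Fortinet-Client-IPv6-Address", "octets"),
    5: ("Fortinet-Interface-Name", "string"),
    6: ("Fortinet-Access-Profile", "string"),
}
VSA_BY_NAME = {name: (num, typ) for num, (name, typ) in FORTINET_VSA.items()}

def _encode(typ, value):
    return {"string": lambda v: v.encode(), "ipaddr": socket.inet_aton, "octets": bytes}[typ](value)

def _decode(typ, raw):
    return {"string": lambda r: r.decode(), "ipaddr": socket.inet_ntoa, "octets": bytes}[typ](raw)

def fortinet_vsa(name, value):
    """One Fortinet VSA as a Vendor-Specific AVP:
    Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value."""
    num, typ = VSA_BY_NAME[name]
    data = _encode(typ, value)
    body = struct.pack("!IBB", FORTINET_VENDOR_ID, num, 2 + len(data)) + data
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(identifier, request_auth, secret, attrs):
    auth = response_authenticator(CODE_ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """What the RADIUS client (the FortiGate) must do before trusting a reply:
    recompute the authenticator with its own copy of the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def decode_fortinet_vsas(attrs):
    """Return {name: value} for the Fortinet VSAs in an attribute list; other
    vendors' VSAs and plain attributes are skipped, bad lengths are rejected."""
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length at offset %d" % pos)
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != FORTINET_VENDOR_ID:
            continue
        sub = body[4:]
        while sub:                              # one VSA may carry several sub-attributes
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            vtype, value, sub = sub[0], sub[2:sub[1]], sub[sub[1]:]
            if vtype in FORTINET_VSA:
                name, typ = FORTINET_VSA[vtype]
                out[name] = _decode(typ, value)
    return out

def match_group(vsas, configured_groups, local_vdom=None):
    """Simplified model (an assumption, not FortiOS logic): the returned group must be
    configured on the unit, and when VDOMs are enabled (local_vdom given) a
    Fortinet-Vdom-Name, if present, must name the VDOM doing the match."""
    group = vsas.get("Fortinet-Group-Name")
    if group not in configured_groups:
        return None
    if local_vdom is not None and vsas.get("Fortinet-Vdom-Name", local_vdom) != local_vdom:
        return None
    return group

if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # sample value, not a real secret
    req_auth = os.urandom(16)                   # copied from the Access-Request in practice
    attrs = fortinet_vsa("Fortinet-Group-Name", "sales") + fortinet_vsa("Fortinet-Vdom-Name", "root")
    pkt = build_access_accept(7, req_auth, secret, attrs)
    print(verify_response(pkt, req_auth, secret), decode_fortinet_vsas(pkt[20:]))
```

Two points worth noticing when you run it: a reply whose authenticator does not verify under the client's shared secret is discarded before any attribute is read, which is why the shared secret has to be identical (and acceptable to both ends, see the Windows 2008 note above) on the server and on the FortiGate; and because several Fortinet sub-attributes may be packed into one Vendor-Specific attribute, the decoder loops over the vendor payload rather than assuming one value per attribute.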