RADIUS authentication for SSL VPN with FortiAuthenticator


This recipe describes how to set up FortiAuthenticator to function as a RADIUS server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the RADIUS client on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as a RADIUS server.

1. Creating the User(s) on FortiAuthenticator

From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New.

Enter a name for the user (in the example, ckent), enter and confirm a password, and select OK. Select OK again to bypass optional settings.

Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group.

2. Creating the RADIUS Client on FortiAuthenticator

Go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a name for the RADIUS Client, set Client name/IP to the IP of the FortiGate, and set a Secret. The Secret is a pre-shared, secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

Be sure to set Authentication method to Password-only authentication (exclude users without a password), and set Realms to local | Local users.

3. Connecting the FortiGate to the RADIUS Server

From the FortiGate GUI, go to User & Device > Authentication > RADIUS Servers, and select Create New.

Enter a name for the RADIUS server, enter the IP address of the FortiAuthenticator, and enter the Secret created before.

Test the connectivity and enter the credentials for ‘ckent’. The test should come back with a successful connection.

4. Creating the RADIUS User Group on the FortiGate

Go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

Select FAC-RADIUS under the Remote Server dropdown.

FAC-RADIUS has been added to the RADIUS group.

5. Configuring the SSL VPN

From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

Select the prompt at the top of the screen to create a new SSL-VPN policy.

Set Source User(s) to the RADIUSgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.


6. Results

From a remote device, access the SSL VPN Web Portal.

Enter valid RADIUS credentials (in the example, ckent).

‘ckent’ is now successfully logged into the SSL VPN Portal.

From the FortiGate GUI, go to VPN > Monitor > SSL-VPN Monitor to confirm the connection.


Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)