Security

Hi Airheads,

I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.

I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).

Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.

Has anyone done FortiGate RADIUS Admin and knows what values it sends?

Has anyone worked with FortiGate RADIUS Admin and knows the values it sends?

I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.

Why not use TACACS Device Admin?  FortiGate supports TACACS

Hi Airheads,

I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.

I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).

Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.

Has anyone done FortiGate RADIUS Admin and knows what values it sends?

Has anyone worked with FortiGate RADIUS Admin and knows the values it sends?

I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.

The choice to use RADIUS instead of TACACS was a design decision beyond my control.

Otherwise I only use RADIUS to manage devices where TACACS isn't available.

Why not use TACACS Device Admin?  FortiGate supports TACACS

Hi Airheads,

I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.

I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).

Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.

Has anyone done FortiGate RADIUS Admin and knows what values it sends?

Has anyone worked with FortiGate RADIUS Admin and knows the values it sends?

I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.

The choice to use RADIUS instead of TACACS was a design decision beyond my control.

Otherwise I only use RADIUS to manage devices where TACACS isn't available.

Why not use TACACS Device Admin?  FortiGate supports TACACS

Hi Airheads,

I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.

I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).

Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.

Has anyone done FortiGate RADIUS Admin and knows what values it sends?

Has anyone worked with FortiGate RADIUS Admin and knows the values it sends?

I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.

Hi Airheads,

I have a customer who wants to use RADIUS with their FortiGate Firewalls for user administration through ClearPass. I need to tighten the ClearPass service match conditions. This will help us distinguish between VPN and Wireless sessions if needed later on. However, I'm unsure about the NAS-Port-Type values that Forti devices send in their RADIUS admin packets.

I think they use NAS-Port 6 (Administrative User), but I'm not certain. In ClearPass, this would be expressed as: RADIUS:IETF Service-Type EQUALS Administrative-User(6).

Forti's documentation mentions only 802.11 and VPN attributes; it doesn't cover RADIUS Admin.

Has anyone done FortiGate RADIUS Admin and knows what values it sends?

Has anyone worked with FortiGate RADIUS Admin and knows the values it sends?

I can't access the firewall right now, so I can't review the session logs on ClearPass. If I could, that would provide the answer.