Configure Windows NPS as a RADIUS server for the FortiGate firewall


The previous blog post described how to enable the explicit proxy feature of the FortiGate firewall, but it did not cover how to configure Windows NPS as a RADIUS server to authenticate the proxy clients.


Today's post describes how to configure Windows NPS as the RADIUS service used by the FortiGate:



The steps are as follows:


    • Install Windows NPS: the installation is straightforward: Server Manager -> Add Roles and Features -> select the Network Policy Server role;

    • Start the Network Policy Server management console: press Windows+R, type nps.msc and press Enter;

    • Configure the Shared Secrets template: there is little to say about this step; the important thing is the strength of the shared secret, and it is recommended to use NPS's own Generate function to produce a stronger one.

      • NPS automatically generates a shared secret of length 64;

      • It contains uppercase and lowercase letters, digits, special symbols, and so on;

      • Note: some devices or programs may not support a shared secret of this length, but the FortiGate supports it fully, so there is nothing to worry about.

      • The template created here mainly makes it convenient to add RADIUS clients later;


[Screenshot: screen Shot 2014-12-27 at 23.35.57.png]
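Because the shared secret is the only key protecting the User-Password hiding and the Response Authenticator between NPS and the FortiGate, its strength is the one security decision in this step. As an added example (not code from the original post or from Microsoft), here is a small Python generator and checker: it produces a 64-character secret from the same character classes the NPS Generate button uses, and flags a hand-typed secret that is short, misses a class, or uses characters outside the set. The exact symbol set and the 22-character minimum are this example's own choices, not NPS or Fortinet values.

```python
"""Shared-secret generator and checker for the NPS / FortiGate RADIUS pairing.

Added example, not code from the original post or from Microsoft. The symbol
set and the 22-character minimum below are this example's own choices.
"""
import math
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed symbol set: quotes and backslashes are left out so the secret pastes
# cleanly into both the NPS dialog and the FortiGate CLI.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS          # 90 distinct characters
CLASSES = (("uppercase", UPPER), ("lowercase", LOWER),
           ("digit", DIGITS), ("symbol", SYMBOLS))


def missing_classes(secret: str) -> list:
    """Names of the character classes that never appear in `secret`."""
    return [name for name, chars in CLASSES
            if not any(c in chars for c in secret)]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_shared_secret(length: int = 64) -> str:
    """Random secret over ALPHABET that contains every character class.

    Rejection sampling keeps the result uniform over all secrets of this
    length that contain all four classes.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def check_shared_secret(secret: str, min_length: int = 22) -> list:
    """Problems found in a hand-entered secret; an empty list means it passes.

    22 symbols from this 90-character alphabet is about 143 bits, comfortably
    above the 128-bit mark; the threshold is an assumption of this example.
    """
    problems = []
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name in missing_classes(secret):
        problems.append(f"no {name} character")
    if any(c not in ALPHABET for c in secret):
        problems.append("contains characters outside the allowed set")
    return problems


if __name__ == "__main__":
    new_secret = generate_shared_secret()
    print(f"generated ({len(new_secret)} chars, ~{entropy_bits(len(new_secret)):.0f} bits):")
    print(new_secret)
    for weak in ("password", "Fortigate2014", "correct horse battery staple"):
        print(f"{weak!r}: {check_shared_secret(weak) or 'OK'}")
```

Running the file prints one fresh secret and then the checker's verdict on three weak candidates; the same `check_shared_secret` call can be used to vet a secret someone typed by hand into the template instead of using Generate.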



    • Configure the RADIUS Clients template:

      • NPS (Local) -> Templates Management -> RADIUS Clients -> right-click and select New;

      • Enter the friendly name you want; choose a name that follows your naming convention so you save time when adding RADIUS clients later;

      • IP address: there is no need to write the full address here. To make later edits easier, I generally fill in only the first part of my subnet. For example, my intranet range is 10.200.200.x, so in the template I write 10.200.200., and when I later create a new client from the template I only need to add the last group of digits;

      • Shared secret: select the shared secret template created in the previous step directly from the drop-down box;

      • Click OK to complete this step;

[Screenshot: screen Shot 2014-12-27 at 23.49.23.png]



  • Configure Network Policy: this is the focus of today's post, and readers who are not familiar with NPS may need to do a little homework first.

    • NPS (Local) -> Policies -> Network Policies -> right-click and select New;

    • Give the policy a name; the author used Fgt_radius_policy, which is easy to understand;

    • Leave Type of network access server as Unspecified;

    • On the Specify Conditions page, select Windows Groups;

    • Select the groups you want to allow access under this policy;

    • Next choose Access Granted, which grants access to the groups added in the previous step;

    • Leave the Authentication Methods page unchanged; the default allows MS-CHAP and MS-CHAP v2;

    • Leave the Configure Constraints page unchanged;

    • On the Configure Settings page, note:

      • Settings -> RADIUS Attributes -> Vendor Specific;

      • In the pop-up window, select Vendor: Custom, then select Vendor-Specific at the bottom of the attribute list;

      • In the Attribute Information window, click Add;

      • In the Vendor-Specific Attribute Information window, select Enter Vendor Code and enter 12356, select "Yes, it conforms", and click Configure Attribute;

      • Add the attributes from the table below until they are all in place; the parts shown in red must be replaced with your own values.


Table 1: this table is taken from Fortinet's official documents; reference links:

http://kb.fortinet.com/kb/viewAttachment.do?attachID=Dictionary.Fortinet.FOS.v3.0%20MR7.txt&documentID=FD30830

http://kb.fortinet.com/kb/viewAttachment.do?attachID=Dictionary.Fortinet.FOS.v400.txt&documentID=FD30830

(Fortinet dictionary format: keyword, attribute name, attribute number, type)

ATTRIBUTE  fortinet-group-name            1  String
ATTRIBUTE  fortinet-client-ip-address     2  InetAddr
ATTRIBUTE  fortinet-vdom-name             3  String
ATTRIBUTE  fortinet-client-ipv6-address   4  octets   (Optional)
ATTRIBUTE  fortinet-interface-name        5  String
ATTRIBUTE  fortinet-access-profile        6  String
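To make the table concrete, here is an added Python example (not code from the original post or from Fortinet's documents) that encodes the Table 1 attributes into RADIUS Vendor-Specific Attributes with vendor code 12356 and parses them back, which is what the FortiGate does with the Access-Accept that the network policy above returns. The values used (group name proxy-users, VDOM root, client address 10.200.200.1) are constructed for the demo. Two choices go beyond the table and are this example's assumptions: sub-attribute 4, listed as "octets", is treated as a 16-byte IPv6 address, and the parser decodes any Fortinet sub-attribute number it does not know as raw bytes instead of dropping it. Malformed lengths raise an error rather than being guessed around.

```python
"""Fortinet Vendor-Specific Attributes (RADIUS attribute 26) from Table 1.

Added example, not code from the original post or from Fortinet. It shows the
bytes the NPS network policy above puts into an Access-Accept and how the
FortiGate side reads them back. Treating sub-attribute 4 ("octets" in the
table) as a 16-byte IPv6 address is this example's assumption.
"""
import ipaddress
import struct

FORTINET_VENDOR_ID = 12356   # the vendor code entered in the NPS dialog
VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs (RFC 2865, 5.26)

# Fortinet dictionary as in Table 1: sub-attribute number -> (name, type).
FORTINET_DICT = {
    1: ("fortinet-group-name", "string"),
    2: ("fortinet-client-ip-address", "ipaddr"),
    3: ("fortinet-vdom-name", "string"),
    4: ("fortinet-client-ipv6-address", "ipv6addr"),
    5: ("fortinet-interface-name", "string"),
    6: ("fortinet-access-profile", "string"),
}
NAME_TO_NUM = {name: num for num, (name, _) in FORTINET_DICT.items()}


def _pack_value(kind: str, value) -> bytes:
    if kind == "string":
        return str(value).encode("utf-8")
    if kind == "ipaddr":
        return ipaddress.IPv4Address(value).packed
    if kind == "ipv6addr":
        return ipaddress.IPv6Address(value).packed
    return bytes(value)                          # "octets": raw bytes


def _unpack_value(kind: str, data: bytes):
    if kind == "string":
        return data.decode("utf-8", errors="replace")
    if kind == "ipaddr" and len(data) == 4:
        return str(ipaddress.IPv4Address(data))
    if kind == "ipv6addr" and len(data) == 16:
        return str(ipaddress.IPv6Address(data))
    return data                                  # unknown or odd-sized: raw


def encode_fortinet_vsa(name: str, value) -> bytes:
    """One RADIUS attribute 26 carrying a single Fortinet sub-attribute.

    Layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) data
    """
    num = NAME_TO_NUM[name]
    data = _pack_value(FORTINET_DICT[num][1], value)
    if len(data) > 255 - 8:                      # whole attribute must fit in 255
        raise ValueError(f"{name}: value too long for a single VSA")
    sub = struct.pack("!BB", num, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, FORTINET_VENDOR_ID) + sub


def _tlv_walk(buf: bytes, what: str):
    """Yield (type, payload) for a RADIUS-style TLV list; raise on bad lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        ttype, tlen = buf[pos], buf[pos + 1]
        if tlen < 2 or pos + tlen > len(buf):
            raise ValueError(f"bad {what} length {tlen} at offset {pos}")
        yield ttype, buf[pos + 2:pos + tlen]
        pos += tlen


def decode_fortinet_attributes(blob: bytes) -> list:
    """Return [(name, value)] for every Fortinet sub-attribute in a RADIUS
    attribute list. Other vendors' VSAs and non-VSA attributes are skipped;
    unknown Fortinet sub-attribute numbers come back as raw bytes."""
    found = []
    for atype, body in _tlv_walk(blob, "attribute"):
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for vtype, raw in _tlv_walk(body[4:], "vendor sub-attribute"):
            name, kind = FORTINET_DICT.get(vtype, (f"fortinet-unknown-{vtype}", "octets"))
            found.append((name, _unpack_value(kind, raw)))
    return found


def build_accept_attributes(group: str, vdom: str, client_ip: str) -> bytes:
    """Constructed Access-Accept attribute list, like Fgt_radius_policy would return."""
    return (encode_fortinet_vsa("fortinet-group-name", group)
            + encode_fortinet_vsa("fortinet-vdom-name", vdom)
            + encode_fortinet_vsa("fortinet-client-ip-address", client_ip))


if __name__ == "__main__":
    packet_attrs = build_accept_attributes("proxy-users", "root", "10.200.200.1")
    print(packet_attrs.hex())
    for name, value in decode_fortinet_attributes(packet_attrs):
        print(f"{name} = {value}")
```

Run directly, the script prints the hex of the constructed attribute list and its decoded form. The same bytes appear in a capture of the UDP 1812 exchange between NPS and the FortiGate, which is a quick way to confirm that the policy really returns fortinet-group-name with the value the FortiGate proxy policy matches on, rather than an Access-Accept with no Fortinet attributes at all.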



The following screenshots are provided for reference:


[Screenshot: screen Shot 2014-12-28 at 00.02.48.png]

[Screenshot: screen Shot 2014-12-28 at 00.03.01.png]

[Screenshot: screen Shot 2014-12-28 at 00.10.33.png]

[Screenshot: screen Shot 2014-12-28 at 00.23.21.png]


Done. For the remaining settings, refer back to the previous blog post.

This article is from the "dream-dependent practice - original only" blog; please be sure to keep this source: http://yinzi7.blog.51cto.com/299508/1596738
