User management Page 59 FortiRecorder 2.4.2 Administration Guide
Check permission attribute on RADIUS server
Enable to let the RADIUS server override Type when it replies to
authentication queries, so that the RADIUS server can specify the
account’s permissions. Also configure Vendor ID and Subtype ID.
This option requires that:
• Your RADIUS server supports vendor-specific attributes (VSAs)
similar to RFC 2548. (If your server does not support them, it may
reply with an “attribute not supported” error.)
• Your RADIUS server’s dictionary has:
    • a vendor ID for Fortinet/FortiRecorder
    • an attribute ID for user types (“access profile” names)
• Each FortiRecorder account on your RADIUS server has a
user type attribute with a value that specifies which Type to apply.
For example:
Fortinet-Access-Profile = Administrator
or
Fortinet-Access-Profile = Operator
Some RADIUS servers already include the Fortinet vendor ID and
subtype ID in their default dictionaries. In this case, no server-side
configuration is necessary. Otherwise, you must configure your server.
Methods vary by vendor; FreeRADIUS and Internet Authentication
Services for Microsoft Windows 2008 Server, for example, are
configured differently. For instructions, consult your RADIUS server’s
documentation. For an example VSA dictionary, see the article
FortiGate RADIUS VSA Dictionary.
This field appears only when Authentication is RADIUS or
RADIUS+Local.
Vendor ID
Type the vendor ID for Fortinet, as it is defined on your RADIUS server,
in decimal. On many RADIUS servers, Fortinet’s default vendor ID is
12356.
The vendor ID is an ID for the Fortinet client types. It should be present
in Access-Request packets from FortiRecorder, telling your RADIUS
server which settings are supported by accounts on FortiRecorder. It
should also be present when the RADIUS server replies with an
Access-Accept packet.
The default value is 0.
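The following added example (not from the Fortinet guide) shows how the Vendor ID and Subtype ID together locate the user type attribute in the attribute bytes of an Access-Accept, using the RFC 2865 Vendor-Specific layout. The subtype value 6, the list of accepted Type names, the fallback to the account's own Type and the sample bytes are assumptions made for the illustration.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type that carries VSAs
FORTINET_VENDOR_ID = 12356    # "Vendor ID" value given on this page
SUBTYPE_ID = 6                # assumption: must match your server's dictionary

def build_vsa(vendor_id, subtype, value):
    """Encode one VSA as a RADIUS server would place it in a reply."""
    sub = bytes([subtype, 2 + len(value)]) + value
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub

def find_access_profile(attrs, vendor_id=FORTINET_VENDOR_ID, subtype=SUBTYPE_ID):
    """Walk the attribute bytes and return the profile name from the
    matching VSA, or None if it is absent or the encoding is malformed."""
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            return None                       # bad length: trust nothing
        body = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue                          # another vendor's VSA
        j = 4
        while j + 2 <= len(body):             # sub-attributes inside the VSA
            s_type, s_len = body[j], body[j + 1]
            if s_len < 2 or j + s_len > len(body):
                return None
            if s_type == subtype:
                return body[j + 2:j + s_len].decode("utf-8", "replace")
            j += s_len
    return None

def effective_type(attrs, local_type, known=("Administrator", "Operator")):
    """Apply the server-supplied profile only if it names a known Type;
    otherwise keep the Type set on the account (assumed fallback)."""
    profile = find_access_profile(attrs)
    return profile if profile in known else local_type

# Constructed sample: Reply-Message, a vendor 311 VSA, then the Fortinet VSA.
SAMPLE = (bytes([18, 4]) + b"ok"
          + build_vsa(311, SUBTYPE_ID, b"Administrator")
          + build_vsa(FORTINET_VENDOR_ID, SUBTYPE_ID, b"Operator"))

if __name__ == "__main__":
    print(effective_type(SAMPLE, "Operator"))
```

The vendor 311 attribute in the sample carries the same subtype number but is skipped, which is why both the Vendor ID and the Subtype ID configured on FortiRecorder have to agree with the RADIUS server's dictionary.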