Remote RADIUS Server
Network deployments with remote sites that are physically away from their head-quarter (or master data center -DC) can use remote RADIUS server in each of the remote sites for local authentication purposes.
In a typical scenario, a RADIUS server is usually co-located in the DC. Remote sites that required AAA services to authenticate their local clients use the RADIUS server in the DC. This in most cases introduces among other issues high latency between the remote site and its DC. Deploying a RADIUS server within a remote site alleviates this problem and allows remotes sites or branches to use their local AAA services (RADIUS) and not rely on the DC.
Remote RADIUS Server
Before you Begin
Points to note before you begin deploying a remote RADIUS server:
- Ensure that the Controller and site AP communication time is less than RADIUS timeout.
- Provision for at least one AP that can be configured as a relay AP.
- Only Fortinet 11ac APs (AP122, AP822, AP832, and OAP832) in L3-mode can be configured as a relay AP.
- In case of WAN survivability, no new 802.1x radius clients will be able to join, until relay AP rediscovers the controller.
How It Works
This feature provides local authentication (.1x, Captive Profile, and mac-filtering) services using a RADIUS server set up in the remote site. In addition to the RADIUS server, the remote site must also configure a Fortinet 11ac AP as a relay AP. The remote RADIUS profile can be created per ESS profile using the controller’s WebUI (Configuration > RADIUS) or CLI. A remote RADIUS profile works like a regular profile and can be used as primary and secondary RADIUS auth and accounting servers.
About Relay AP
- The relay AP primarily is used for communicating between the RADIUS server (in the remote site) and the controller in the head-quarters.
- An AP is set as a relay AP only when it is assigned in the RAIDUS profile. Once an AP is assigned as a relay AP It is recommended that you do not overload the relay AP with client WLAN services. This can result in communication issues between the relay AP and DC. For regular client WLAN services, we recommend the use of a different Fortinet access point. For a remote RAIDUS profile, you cannot configure a secondary relay AP. However, for resilience purposes, we recommend configuring an alternate (backup) RADIUS profile and assigning another AP as a relay AP to this backup RAIDUS profile. In the security profile, set this RADIUS profile as the secondary RADIUS server.
Remote RADIUS Server
The following figure illustrates a simple scenario with local RADIUS deployment.
To configure remote RADIUS via WebUI,
In the Configuration > RADIUS > RADIUS Configuration Table – ADD page, set Remote Radius Server to ON (see 1 in Figure 2).
Select the AP (Remote Radius Relay ApId) to be used as the relay AP (see 2 in Figure 2).
Remote RADIUS Server
Configuring Using CLI
# configure terminal
(config)# radius‐profile RemoteRadius
(config‐radius)# remote‐radius‐server on
(config‐radius)# radius‐relay‐apid XXX
XXX is the AP ID of the relay AP in the remote site.
# configure terminal
(config)# radius‐profile RemoteRadius
(config‐radius)# no remote‐radius‐server
# show radius‐profile <remoteRadius‐profile‐name>
EXAMPLE
# show radius‐profile site‐a
RADIUS Configuration Table
RADIUS Profile Name : site‐a
Description : Remote radius profile for Site‐A
RADIUS IP : 172.18.1.8 RADIUS Secret : *****
RADIUS Port : 1812
Remote RADIUS Server
Remote Radius Server : on
Remote Radius Relay ApId : 2
MAC Address Delimiter : hyphen Password Type : shared‐secret
Called‐Station‐ID Type : default
Owner : controller
COA : on
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!