So I'm not sure if anyone else can give me a hand. I've started implementing MFA/radius auth across all my switches.

The 2920's and others it works fine.

I get to the 5406 and it's not. I'm half wondering if the source ip isn't what I think it is.

As the 5406 is a core switch, I don't know where the traffic is coming from.. (I would think that it would come from the IP I manage it from) but the commands primary-vlan and others mentioned in older docs don't exist anymore. I'm running KB.16.03.0006

radius-server host x.x.x.x key "******"

radius-server timeout 15

radius-server retransmit 2

aaa authentication login privilege-mode

aaa authentication ssh enable radius local

aaa authentication web enable radius loca

​

At the moment I'm using this, the 5406 has a dozen IP's it could use to do authentications, the radius server requires I specify the IP the radius auth requests are coming from.. (fortinet's fortiauthenticator)

Any suggestions?