WiFi with WSSO using FortiAuthenticator RADIUS and Attributes

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin

This is an example of wireless single-sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are teachers and students at a school. Each user belongs to a user group, either TeacherGroup or StudentGroup. A FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so that the appropriate security policy is applied. The student security policy applies a more restrictive web filter.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Register the FortiGate as a RADIUS client on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create an account. Enter and remember the Secret (password).

Enable all of the EAP types.

 

2. Create user accounts on the FortiAuthenticator

Go to Authentication > User Management > Local Users and create a user account.

User Role settings are available after you click OK.

 fac-user

3. Create user groups on the FortiAuthenticator

Go to Authentication > User Management > User Groups.

Create and populate TeacherGroup and StudentGroup.

 fac-group

Re-edit each group. Add the Fortinet-Group-Name RADIUS attribute which specifies the user group name to be sent to the FortiGate.

Vendor: Fortinet
Attribute ID: Fortinet-Group-Name
Value: TeacherGroup or StudentGroup, as appropriate.

 fac-group-radius-attr

4. Configure FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > Authentication > RADIUS Servers. Select Create New.
Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator.
Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.
 radius

5. Configure user groups on the FortiGate

Go to User & Device > User > User Groups. Create TeacherGroup and StudentGroup. Don’t add any members.  wsso-groups

6. Create security policies

Go to Policy & Objects > Policy > IPv4. Create two WiFi-to-Internet policies. One has StudentGroup as the Source User(s), the other specifies TeacherGroup. The student policy selects a more restrictive Web Filter.  policy-student

7. Create an SSID with RADIUS authentication

Go to WiFi Controller > WiFi Network > SSID. Create an SSID and set up DHCP for clients.  ssid-basic
Configure WPA2-Enterprise authentication that uses the FortiAuthenticator as RADIUS server.  ssid-security

8. Add the FortiAP

Go to System > Network > Interface. Dedicate an unused network interface to FortiAP.

 fap-interface

Connect the FortiAP to the dedicated interface. Go to WiFi Controller > Managed Devices > Managed FortiAPs. Wait the the FortiAP to be listed (refresh as needed). Select and Authorize the FortiAP.

fap-discover
Go to WiFi Controller > WiFi Network > FortiAP Profiles and open the profile for your FortiAP model. Add your SSID to both radios.  fap-profile

Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with both student and teacher accounts.

Go to User & Device > Monitor > Firewall. You can verify the User Group and that the WSSO authentication method was used.  result-student-mon
Go to Policy & Objects > Monitor > Policy Monitor. You can verify that the appropriate security policy was applied.  policy-mon-student

 

Fortinet Technical Documentation

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin
  • Was this helpful?
  • Yes   No