WiFi with WSSO using FortiAuthenticator RADIUS and Attributes


This is an example of wireless single-sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are teachers and students at a school. Each user belongs to a user group, either TeacherGroup or StudentGroup. A FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so that the appropriate security policy is applied. The student security policy applies a more restrictive web filter.


1. Register the FortiGate as a RADIUS client on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create an account. Enter and remember the Secret (password).

Enable all of the EAP types.


2. Create user accounts on the FortiAuthenticator

Go to Authentication > User Management > Local Users and create a user account.

User Role settings are available after you click OK.


3. Create user groups on the FortiAuthenticator

Go to Authentication > User Management > User Groups.

Create and populate TeacherGroup and StudentGroup.


Re-edit each group. Add the Fortinet-Group-Name RADIUS attribute which specifies the user group name to be sent to the FortiGate.

Vendor: Fortinet
Attribute ID: Fortinet-Group-Name
Value: TeacherGroup or StudentGroup, as appropriate.
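
To confirm from a packet capture that the FortiAuthenticator returns the group attribute configured above, the following added example (not part of the original recipe) decodes the Vendor-Specific attribute in a RADIUS Access-Accept and extracts Fortinet-Group-Name. It assumes Fortinet's vendor ID 12356 and vendor attribute type 1 from the Fortinet RADIUS dictionary. The function names are hypothetical and the sample packet is constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name in Fortinet's RADIUS dictionary
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute
ACCESS_ACCEPT = 2            # RFC 2865 packet code


def _tlvs(buf):
    """Yield (type, value) for a run of 1-byte-type / 1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("attribute length out of range")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def fortinet_groups(packet):
    """Return the Fortinet-Group-Name values in a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    groups = []
    for atype, value in _tlvs(packet[20:length]):
        # Skip standard attributes and malformed (too short) VSAs.
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA, e.g. Microsoft MPPE keys
        for vtype, vdata in _tlvs(value[4:]):
            if vtype == FORTINET_GROUP_NAME:
                groups.append(vdata.decode("utf-8", "replace"))
    return groups


def sample_accept(group):
    """Constructed Access-Accept (zeroed authenticator) carrying one group VSA."""
    sub = bytes([FORTINET_GROUP_NAME, 2 + len(group)]) + group.encode()
    vsa = (bytes([VENDOR_SPECIFIC, 6 + len(sub)])
           + struct.pack("!I", FORTINET_VENDOR_ID) + sub)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(vsa)) + bytes(16) + vsa
```

An empty result for a user who authenticates successfully means the group attribute is missing from the reply, so the FortiGate has no group name to match against TeacherGroup or StudentGroup.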


4. Configure FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > Authentication > RADIUS Servers. Select Create New.
Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator.
Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

5. Configure user groups on the FortiGate

Go to User & Device > User > User Groups. Create TeacherGroup and StudentGroup. Don’t add any members.

6. Create security policies

Go to Policy & Objects > Policy > IPv4. Create two WiFi-to-Internet policies. One has StudentGroup as the Source User(s), the other specifies TeacherGroup. The student policy selects a more restrictive Web Filter.

7. Create an SSID with RADIUS authentication

Go to WiFi Controller > WiFi Network > SSID. Create an SSID and set up DHCP for clients.
Configure WPA2-Enterprise authentication that uses the FortiAuthenticator as RADIUS server.

8. Add the FortiAP

Go to System > Network > Interface. Dedicate an unused network interface to FortiAP.


Connect the FortiAP to the dedicated interface. Go to WiFi Controller > Managed Devices > Managed FortiAPs. Wait for the FortiAP to be listed (refresh as needed). Select and Authorize the FortiAP.

Go to WiFi Controller > WiFi Network > FortiAP Profiles and open the profile for your FortiAP model. Add your SSID to both radios.


Connect to the WiFi network, authenticate, and browse the Internet. Try this with both student and teacher accounts.

Go to User & Device > Monitor > Firewall. You can verify the User Group and that the WSSO authentication method was used.
Go to Policy & Objects > Monitor > Policy Monitor. You can verify that the appropriate security policy was applied.


Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.