
FortiNAC-8.x-WiFi 802.1X Based Network Using FortiNAC Local RADIUS Server

This document provides instructions for setting up a WiFi 802.1X network using the FortiNAC Local RADIUS Server, divided into procedures for both FortiGate and FortiNAC. It includes steps for RADIUS configuration, SSID creation, and interface setup on FortiGate, as well as enabling the local RADIUS, managing certificates, and SSID configuration on FortiNAC. The document aims to guide users through the necessary configurations to establish a secure wireless network.

FortiNAC - WiFi 802.1X based network using FortiNAC Local RADIUS Server
Version 8.x
November 30, 2020


FortiNAC 8.x WiFi 802.1X based network using FortiNAC Local RADIUS Server
49-800-674885-20201130
TABLE OF CONTENTS

Overview
Procedure - FortiGate
    FortiGate – RADIUS configuration
    FortiGate – SSID
    FortiGate – Interfaces
Procedure - FortiNAC
    FortiNAC – Enable the local RADIUS
    FortiNAC – Certificate
    FortiNAC – SSID configuration for using local RADIUS

FortiNAC 8.x WiFi 802.1X based network using FortiNAC Local RADIUS Server 3
Fortinet Technologies Inc.
Overview

This document provides guidance on creating a WiFi 802.1X based network using the FortiNAC Local RADIUS Server. The procedure is divided into two sections: the first covers the FortiGate instructions and the second covers the FortiNAC instructions.

Procedure - FortiGate

1. FortiGate – RADIUS configuration
2. FortiGate – SSID
3. FortiGate – Interfaces

FortiGate – RADIUS configuration

1. Navigate to User & Authentication > RADIUS Servers. Select Create New.
2. Enter the following inputs for each field:
   Name: FortiNAC
   NAS IP: 192.168.200.1
   Primary Server > IP/Name: 192.168.200.7
   Primary Server > Secret: The same Secret set on FortiNAC

3. In the FortiGate CLI, enable support for RADIUS Change of Authorization (CoA):

    fgt # config user radius
    fgt (radius) # edit FortiNAC
    set server "192.168.200.7"
    set nas-ip 192.168.200.1
    set radius-coa enable
    set source-ip "192.168.200.1"
    next
    end
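
A way to confirm from a saved configuration backup that the RADIUS entry still carries the settings above, with CoA enabled. This is an added example, not part of the Fortinet guide; the function names and the sample text are constructed for illustration.

```python
import shlex

# Values this guide configures for the RADIUS entry named FortiNAC.
EXPECTED = {"server": "192.168.200.7", "nas-ip": "192.168.200.1",
            "radius-coa": "enable", "source-ip": "192.168.200.1"}

def parse_radius_entries(config_text):
    """Return {entry name: {setting: value}} from 'config user radius'."""
    entries, current = {}, None
    depth = 0  # 0 = outside the block, 1 = inside it, >1 = nested sub-table
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if depth == 0:
            if tokens == ["config", "user", "radius"]:
                depth, current = 1, None
        elif tokens[0] == "config":
            depth += 1          # nested table: skip its edit/set lines
        elif tokens[0] == "end":
            depth -= 1
        elif depth == 1 and tokens[0] == "edit" and len(tokens) == 2:
            current = entries.setdefault(tokens[1], {})
        elif depth == 1 and tokens[0] == "next":
            current = None
        elif (depth == 1 and tokens[0] == "set" and current is not None
              and len(tokens) >= 3):
            current[tokens[1]] = " ".join(tokens[2:])
    return entries

def audit_radius_entry(config_text, name="FortiNAC"):
    """List settings that differ from EXPECTED; an empty list means a match."""
    entry = parse_radius_entries(config_text).get(name)
    if entry is None:
        return [f"{name}: entry not found"]
    return [f"{key}: expected {want}, found {entry.get(key, 'unset')}"
            for key, want in EXPECTED.items() if entry.get(key) != want]

# Constructed sample: the CoA line is missing and source-ip has drifted.
SAMPLE_DRIFTED = """
config user radius
    edit "FortiNAC"
        set server "192.168.200.7"
        set nas-ip 192.168.200.1
        set source-ip "10.0.0.1"
    next
end
"""
```

Calling `audit_radius_entry(SAMPLE_DRIFTED)` reports the missing `radius-coa` line and the changed `source-ip`.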

FortiGate – SSID

1. Navigate to WiFi & Switch Controller > SSID. Create an SSID.
   Note: The interface itself needs no IP/Netmask because a RADIUS-assigned VLAN is used.
2. Under WiFi Settings, enable Security mode using RADIUS Server for Authentication with FortiNAC as the RADIUS Server.

FortiGate – Interfaces

1. Navigate to Network > Interfaces.
2. Click Create New Interface.
3. Create VLAN-based interfaces with the SSID interface as the Base Interface:
   a. FortiNAC registration/isolation VLAN (in the example, it is VLAN 197).
      i. Note: Set the DHCP to be a relay pointing to FortiNAC ETH1 for the Registration/Isolation VLAN.
   b. Client VLANs, for instance staff and students, as needed (in the example, it is VLAN 242).

Procedure - FortiNAC

1. FortiNAC – Enable the local RADIUS
2. FortiNAC – Certificate
3. FortiNAC – SSID configuration for using local RADIUS

FortiNAC – Enable the local RADIUS

1. Navigate to System > Settings.
2. Expand the Authentication folder and select Local RADIUS Server.
3. Enable Winbind to join a domain for MSCHAPv2.
   Note: Have the proxy RADIUS use port 1645 for authentication.

FortiNAC – Certificate

Apply the certificate that the Local RADIUS Server will use.

1. Navigate to System > Settings > Security > Certificate Management.
2. Upload the following certificates:
   a. Local RADIUS Server (EAP). This is the certificate issued by the Root CA to FortiNAC (FNAC).
   b. RADIUS Endpoint Trust. This is the Root CA certificate that FNAC will use to match the incoming request certificate. In other words, the incoming certificate must be issued by the Root CA. Use Upload Certificate to “enable” and use the Root CA here. You can upload multiple certificates.

FortiNAC – SSID configuration for using local RADIUS

1. Navigate to Network Devices > Topology.
2. Expand the container where the wireless device is located.
3. Select a device.
4. In the right pane, select the SSID tab.
5. Right-click on the SSID and select SSID Configuration.
6. Set the Default RADIUS Attribute Group to use RFC_Vlan.
   This will allow FortiNAC to “read” and use the VLAN ID from the “Access Value” field.
   Note the option for using Automated Registration as part of the 802.1X config.
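
What a RADIUS-assigned VLAN looks like on the wire, useful when checking a captured Access-Accept against the VLAN the policy should hand out. This is an added example, not part of the Fortinet guide. It assumes the RFC_Vlan attribute group sends the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), and the function names are illustrative.

```python
# Assumption: RFC_Vlan sends the RFC 3580 VLAN attributes listed here.
# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def _tlv(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three Access-Accept attributes that assign vlan_id."""
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (_tlv(TUNNEL_TYPE, bytes([tag]) + TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE,
                   bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, group))

def parse_attrs(data):
    """Split a RADIUS attribute area into {type: first value seen}."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.setdefault(data[i], data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs

def assigned_vlan(data):
    """Return the VLAN ID, or None unless all three attributes agree."""
    attrs = parse_attrs(data)
    ttype, medium, group = (attrs.get(t) for t in (
        TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if None in (ttype, medium, group) or len(ttype) != 4 or len(medium) != 4:
        return None
    # First octet is the tag; the remaining three carry the value.
    if (int.from_bytes(ttype[1:], "big") != TYPE_VLAN
            or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802):
        return None
    if group[:1] and group[0] <= 0x1F:  # optional tag octet before the string
        group = group[1:]
    text = group.decode("ascii", "replace")
    if not text.isdigit():
        return None
    vlan_id = int(text)
    return vlan_id if 1 <= vlan_id <= 4094 else None

# VLAN IDs from this guide: 197 registration/isolation, 242 client.
ISOLATION_REPLY = encode_vlan_attrs(197)
CLIENT_REPLY = encode_vlan_attrs(242, tag=1)
```

`assigned_vlan` returns `None` when any of the three attributes is missing or inconsistent, which is the case worth alerting on when a client lands in an unexpected VLAN.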

Copyright © 2020 Fortinet, Inc. All rights reserved.