dkempt
Staff
February 6, 2015

Radius Authentication for WiFi (WPA2 Enterprise) -- Windows 2008 with NPS

Description

This document assumes the following:

  • FortiGate OS v5.x
  • Windows 2008 R2 Server with the following installed:
    • Network Policy Server (NPS) *
    • Active Directory
    • Active Directory Certificate Management

    * In Windows Server 2008 / 2008 R2, Network Policy Server (NPS) replaces Internet Authentication Service (IAS).

Configuring the RADIUS server on NPS

  • Browse to Network Policy and Access Server -> NPS(Local) -> Radius Clients and Servers -> RADIUS Clients
  • Right Click on RADIUS Client and select New
    Settings Tab
      Friendly Name : Name the 'Network Policy and Access Server'
      Address       : Enter IP of FortiGate
      Shared Secret : Create a password for the radius server
      Leave all other settings as default
    Advanced Tab
      Leave all settings as default
  • Browse to Network Policy and Access Server -> NPS(Local) -> Policies -> Connection Request Policies
  • Right Click and select New
    |-Enter friendly name in the 'Policy name:' field, then select Next
    |-Under 'Specify Conditions'
      |-Select Add
      |-Scroll down to Client IPv4 Address
      |-Select 'Add'
      |-Enter the IP address of the internal interface of the FortiGate and select OK
      |-Select Next
    |-Select Next
    |-Select Next
    |-Select Next
    |-Select Finish
    |-Move the newly created Connection Request Policy above the default 'Use Windows Authentication for all users' policy.
  • Browse to Network Policy and Access Server -> NPS(Local) -> Policies -> Network Policies
  • Right Click and select New
    |-Enter friendly name in the 'Policy name:' field, then select Next
    |-Under 'Specify Conditions'
      |-Select Add
      |-Select 'Windows Groups'
      |-Select Add
      |-Select 'Add Groups'
      |-Add the Windows Security Group you wish to allow access
      |-Select OK
    |-Select Next
    |-Select Next
    |-Under 'Configure Authentication Methods'
      |-Check 'Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)'
      |-Select Add
        |-Select 'Microsoft: Protected EAP (PEAP)'
        |-Select OK
      |-Highlight 'Microsoft: Protected EAP (PEAP)'
        |-Select Edit
        |-Under 'Edit Protected EAP Properties'
        |-Make sure the certificate selected is the one issued to this server, not the CA certificate itself.
        |-Select Next
    |-Select Next
    |-Select Next
    |-Select Finish
    |-Move the newly created Network Policy to the top of the list

Configure the FortiGate to use the RADIUS Server

  • Log into the FortiGate's GUI, and browse to 'User & Device -> Authentication -> RADIUS Server'
  • Select Create New
  • Under 'New Radius Server'
    Name : Enter a friendly name
    Primary Server IP/Name : IP address or FQDN of RADIUS server
    Primary Server Secret : The shared secret created on the Windows Server in the Radius Client Settings
    Leave the rest as default.
  • Select OK
  • Browse to 'WiFi Controller -> WiFi Network -> SSID'
  • Select your SSID you wish to use RADIUS to authenticate or Create New
  • Under 'Edit Interface'
    Security Mode : WPA/WPA2 Enterprise
    Authentication : RADIUS Server
    Select the RADIUS server created in the drop down menu
    Check 'Listen for RADIUS Accounting Messages'
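The FortiGate side of the steps above, expressed in the FortiOS 5.x CLI, as an added example that is not part of the original post. The object names, the server address 192.0.2.10, the SSID and the <placeholder> values are assumptions; the closing diagnose command is a way to confirm the shared secret and the NPS Network Policy from the FortiGate before clients are pointed at the SSID.

```text
# Added example: CLI equivalent of 'User & Device -> Authentication -> RADIUS Server'.
# "NPS-RADIUS", 192.0.2.10 and <shared-secret> are assumed values; use the
# secret entered under the NPS RADIUS Client settings.
config user radius
    edit "NPS-RADIUS"
        # 'Primary Server IP/Name' (the NPS host)
        set server "192.0.2.10"
        # 'Primary Server Secret'
        set secret <shared-secret>
    next
end

# CLI equivalent of 'WiFi Controller -> WiFi Network -> SSID' for the SSID.
# "corp-wifi" and "CorpWiFi" are assumed names.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "CorpWiFi"
        # 'Security Mode: WPA/WPA2 Enterprise'
        set security wpa-enterprise
        # 'Authentication: RADIUS Server', pointing at the server defined above
        set auth radius
        set radius-server "NPS-RADIUS"
    next
end

# Check: test the server from the FortiGate with MS-CHAPv2 (the method the
# NPS Network Policy allows), using an account in the allowed Windows group.
# A timeout points at the shared secret or at the FortiGate source IP not
# matching the Client IPv4 Address condition; an explicit reject points at
# the Network Policy (group membership or authentication methods).
diagnose test authserver radius NPS-RADIUS mschap2 <user> <password>
```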