smacco
Staff
March 30, 2026

Technical Guide: Integrate a third-party access point with FortiAuthenticator/FortiGate using RSSO

Description

This article describes how to integrate a third-party Access Point with FortiAuthenticator using RSSO (RADIUS Single Sign-On) and WPA2-Enterprise.
Scope

Active Directory Server (LDAP Server) - Windows Server 2019,

FortiAuthenticator (RADIUS Server) - v8.0.0,

FortiGate (RADIUS Client) - v7.6.6,

Netgear Access Point (RADIUS Client).

Solution

In this scenario, a user who has already authenticated with WPA2-Enterprise through FortiAuthenticator can be matched by the FortiGate firewall policies as a member of the user group 'RESTRICTED' and obtain Internet access without supplying any further credentials.

 

Table of Contents:

 

Section 1 - Radius configuration on third-party AP.

 

On the Access Point:

  • Configure the IP address of the FortiAuthenticator as the RADIUS server.

  • Configure the same shared secret that will be defined on FortiAuthenticator.

  • Enable RADIUS Accounting.

 

The AP will then send authentication and accounting requests directly to FortiAuthenticator.

 

[Screenshot: ap config radius.png]

 

Section 2 - Configure RADIUS clients.

 

On FortiAuthenticator, navigate to Authentication -> RADIUS Service -> Clients and configure:

  • Add the FortiGate as a RADIUS client (in the example, 'fgt').

  • Add the third-party AP as a RADIUS client (in the example, 'ap-2').

  • Ensure:

    • The shared secret matches exactly on both sides.

    • The source IP address in RADIUS requests matches the configured client IP.

If the shared secret or source IP does not match, authentication will fail.

 

[Screenshot: fac radius clients.png]

 

Section 3 - Configure LDAP (Active Directory) Remote Authentication.

 

On FortiAuthenticator, navigate to Authentication -> Remote Auth. Servers -> LDAP.

Then select Create New.

 

Configure the following fields:

 

  • Name: <LDAP/AD server name>.
  • Primary server name/IP: <IP address or FQDN of the AD server>.
  • Base Distinguished Name: Can be retrieved from the AD server under Active Directory Users and Computers -> Right-click on Domain Name -> Properties -> Attribute Editor -> distinguishedName.
  • Bind Type: Regular.
  • Bind Username: Service account used to query LDAP (Format example: user@domain.local).
  • Bind Password: Password of the service account.

 

Scroll down to Windows Active Directory Authentication and:

 

  • Enable the toggle.
  • Kerberos Realm Name: <domain.local>.
  • Domain NETBIOS Name: <e.g., HOMELAB>.
  • FortiAuthenticator NETBIOS Name: This will be the computer object name when FortiAuthenticator joins the domain.
  • Administrator Username: <Domain Administrator username>.
  • Administrator password: <Domain Administrator password>.

 

[Screenshot: ldap configuration.png]

 

Section 4 - Configure RADIUS policy.

 

Create a RADIUS policy on FortiAuthenticator that:

 

  • Matches the appropriate user/user group.

  • Allows authentication requests coming from the Access Point.

  • Uses the configured LDAP server as the backend authentication source.

 

Authentication/accounting flow explanation:

 

  1. The user sends EAP-PEAP credentials to the Access Point (AP).

  2. The AP forwards the credentials to FortiAuthenticator (RADIUS).

  3. FortiAuthenticator proxies the credentials to the Active Directory server using MS-CHAPv2.

  4. If the user matches the configured policy and group, authentication succeeds.

  5. FortiAuthenticator forwards the RADIUS accounting information for the session to FortiGate (through the accounting proxy policy configured in Section 5).

  6. FortiGate maps the user to the appropriate firewall group (e.g., 'RESTRICTED') based on the accounting information received.

 

Section 5 - Configure RADIUS accounting proxy policies.

 

A RADIUS Accounting Proxy rule must be configured on FortiAuthenticator to:

  • Intercept the accounting request.

  • Insert the Class attribute (which includes the AD group information).

  • Forward the modified accounting request to FortiGate.

Without this proxy rule, FortiGate would not be able to correctly map the authenticated user to the appropriate firewall group.

 

Select Authentication -> RADIUS Service -> Accounting Policies.

Configure the Policy as follows:

  

[Screenshot: proxy sources.png]

[Screenshot: proxy destination.png]

[Screenshot: ruleset accounting.png]

[Screenshot: ruleset full.png]

 

Configuration on FortiAuthenticator is now completed.

 

Section 6 - Configuration of RSSO on FortiGate.

 

When configuring RSSO on FortiGate, the following parameters must strictly match the configuration on FortiAuthenticator:

  • The interface specified in the RADIUS configuration must be the same interface whose IP address is defined as a RADIUS client on FortiAuthenticator.

  • The rsso-secret must exactly match the shared secret configured for the FortiGate RADIUS client on FortiAuthenticator.

 

config user radius
    edit "fac"
        set interface-select-method specify
        set interface <interface>
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret <secretconfiguredonfortiauthenticator>
        set rsso-endpoint-attribute Class
        set rsso-flush-ip-session enable
    next
end

 

Section 7 - Configuration of RSSO User Group on FortiGate.

 

On FortiGate, configure the user group as follows:

 

FortiGate-40F (root) # show user group
config user group
    edit "SSO_Guest_Users"
    next
    edit "RESTRICTED"
        set group-type rsso
        set sso-attribute-value "CN=HomeGroup,OU=IT,DC=homelab,DC=local"
    next
end

 

The Distinguished Name (DN) of the Active Directory group can be obtained from Active Directory Users and Computers (MMC) on the AD server by enabling Advanced Features, opening the group properties, and checking the Attribute Editor tab for the distinguishedName attribute.

 

Section 8 - Configuration of FortiGate Accounting.

 

The FortiGate must be able to receive and process the RADIUS accounting packets originally sent by the Access Point and proxied by the FortiAuthenticator.

To allow this behavior, the interface that communicates with FortiAuthenticator must have the radius-acct option enabled under the allowaccess parameter.

This ensures that FortiGate can 'intercept' (receive and process) incoming RADIUS accounting requests required for RSSO user mapping.

 

config system interface
    edit <interface-facing-FAC>
        set allowaccess ping https ssh radius-acct
    next
end

 

Section 9 - Configuration of FortiGate Firewall Policy (RSSO).

 

On FortiGate, configure the following firewall policy to match the RSSO group that is allowed to access the Internet:

 

FortiGate-40F (3) # show
config firewall policy
    edit 3
        set name "CLIENT-to-Internet"
        set srcintf "VLAN-CLIENT"
        set dstintf "UNDERLAY"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "RESTRICTED"
    next
end

 

Section 10 - Troubleshooting FortiGate/FortiAuthenticator.

 

The following debug commands show whether the user is matched to the correct RSSO group on FortiGate:

 

FortiGate-40F (root) # diagnose debug application radiusd -1
FortiGate-40F (root) # diagnose debug application fnbamd -1
FortiGate-40F (root) # diagnose debug enable

Received radius accounting event
vd 0:root Remove auth logon for IP 172.31.60.2 for user smacco
DB 0 remove by IP [ep='smacco' pg='CN=HomeGroup,OU=IT,DC=homelab,DC=local' ip='172.31.60.2/32'] success
Send accounting response
Received radius accounting event
vd 0:root Add/Update auth logon for IP 172.31.60.2 for user smacco
DB 0 insert [ep='smacco' pg='CN=HomeGroup,OU=IT,DC=homelab,DC=local' ip='172.31.60.2/32'] success
Send accounting response

FortiGate-40F (root) # diagnose firewall auth list

172.31.60.2, smacco
        type: rsso, id: 0, duration: 10, idled: 0
        flag(10): radius
        server: root
        packets: in 198 out 285, bytes: in 77204 out 39622
        group_id: 1
        group_name: RESTRICTED
----- 1 listed, 0 filtered ------

 

As shown, the FortiGate receives the incoming RADIUS accounting request (originally generated by the Access Point and proxied by FortiAuthenticator) on the interface where the radius-acct option is enabled.

The pg field represents the profile group assigned by FortiGate.

If the Class attribute in the accounting packet contains the correct Distinguished Name (DN) of the Active Directory group, FortiGate successfully maps the user to the corresponding firewall user group.

If the Class attribute is missing or does not contain a valid DN, FortiGate will display the error 'invalid profile name'.

This indicates that the RSSO group mapping failed due to missing or incorrect group information in the accounting packet.
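The following Python script is an added illustration, not part of this article or of any Fortinet code: it builds RADIUS Accounting-Requests (RFC 2866) like the ones the accounting proxy in Section 5 forwards, and models the two checks the FortiGate configuration in Sections 6 and 7 relies on, namely the Request Authenticator check behind rsso-validate-request-secret and the lookup of the Class DN against sso-attribute-value, including the missing-Class case that produces 'invalid profile name'. The group table, shared secret, user and IP are constructed sample values; the decision logic is a simplified model of the FortiGate's behaviour, not its implementation.

```python
import hashlib, hmac, ipaddress, struct

# RADIUS codes and attribute types (RFC 2865/2866) used below
ACCT_REQUEST, ACCT_STOP = 4, 2
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
# Constructed: GROUP_TABLE mirrors 'set sso-attribute-value'; SECRET stands in for rsso-secret
GROUP_TABLE = {"CN=HomeGroup,OU=IT,DC=homelab,DC=local": "RESTRICTED"}
SECRET = b"example-shared-secret"

def build_acct_request(secret, ident, attrs):
    """Accounting-Request whose Request Authenticator is
    MD5(Code | ID | Length | 16 zero octets | attributes | secret) (RFC 2866)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attrs(pkt):
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute")
        attrs[t], i = pkt[i + 2:i + l], i + l
    return attrs

def rsso_map(pkt, secret, group_table):
    """Model of the FortiGate RSSO decision: verify the secret, then map the Class DN to a group."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return {"status": "drop", "reason": "shared secret mismatch"}
    a = parse_attrs(pkt)
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP_ADDRESS])) if FRAMED_IP_ADDRESS in a else None
    if ACCT_STATUS_TYPE in a and struct.unpack("!I", a[ACCT_STATUS_TYPE])[0] == ACCT_STOP:
        return {"status": "remove", "user": user, "ip": ip}  # logoff: flush the entry
    dn = a.get(CLASS, b"").decode("utf-8", "replace")
    if dn not in group_table:  # missing or unknown Class: the 'invalid profile name' case
        return {"status": "error", "reason": "invalid profile name", "user": user, "ip": ip}
    return {"status": "add", "user": user, "ip": ip, "group": group_table[dn]}

def start_record(user, ip, dn=None):
    """Constructed Accounting Start like the one the proxy forwards to the FortiGate."""
    attrs = [(USER_NAME, user.encode()), (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
             (ACCT_STATUS_TYPE, struct.pack("!I", 1))] + ([(CLASS, dn.encode())] if dn else [])
    return build_acct_request(SECRET, 1, attrs)
```

Running rsso_map over a Start record with the HomeGroup DN yields an 'add' to RESTRICTED, the same record without a Class attribute yields the 'invalid profile name' error, and a record built with a different secret is dropped before any attribute is trusted.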

 

On FortiAuthenticator, related debug logs can be viewed by accessing the URL https://<FortiAuthenticator>/debug.

Under RADIUS -> Accounting, check that the RADIUS accounting requests sent to the FortiGate are visible in this section.

 

[Screenshot: debug.png]