Skip to main content
Thonno
Thonno
Explorer II
July 21, 2025
Solved

FortiNAC and WPA2 Enterprise

  • July 21, 2025
  • 1 reply
  • 973 views

Hello everyone,

I'm currently setting up a lab environment to authenticate mobile users (smartphones, tablets) to a WiFi network using certificate-based authentication via 802.1X.

I'm following this Fortinet guide (but i'm using a Bridge SSID and not a Tunnel SSID):
FortiNAC WiFi 802.1X based network using FortiNAC Local RADIUS Server

Infrastructure:

  • FortiGate

  • FortiAP

  • FortiNAC-F version 7.2

FortiGate Configuration:

SSID:

1.png

  • RADIUS Server settings:

    • NAS IP: set to FortiGate IP

    • radius-coa enabled via CLI

 

  • VLAN Interface ID 69 created and enabled with:

    • RADIUS Accounting

    • SNMP

    • PING

    • Security Fabric Connection

FortiNAC Configuration:

  • Local RADIUS: Configured and enabled all TLS types

  • Winbind Domain: Configured (used for another SSID with LDAP + Persistent Agent)

  • Network > SSID:

    • SSID bound to Default RADIUS Server

    • Custom Settings:

      • RADIUS Mode: Local

      • RADIUS Attribute Group: RFC_VLAN

      • Enforced Wireless Role: default, registration, and logical networks

2.png

  • VLAN Port Group (ID 69):

    • Authorized Access Points

    • Forced Authentication

    • Forced Registration

    • Role-Based Access

FortiGate Virtualized Devices:

3.png

 

Certificate Setup:

  • Windows Standalone CA created with SHA256

  • Imported CA cert into FortiNAC:

    • Trusted CA

    • RADIUS Endpoint Trust [radius]

  • Issued a cert from the CA for Local RADIUS Server (EAP) using SHA256

  • On the client device:

    • Imported the CA cert

    • Imported a .pfx cert for the device hostname

    • Also tested with a .pfx cert for user username@workgroup.local

Client Test:

  • Testing from a Windows laptop

  • Configured WiFi profile as:

    • WPA2 Enterprise

    • Smart card or other certificate

    • CA selected manually

  • When connecting, Windows prompts for a certificate, but none are accepted (both user and device certs fail)

  • No logs appear in FortiNAC RADIUS (neither in the Service Log nor Server Log)

The laptop used for testing is not joined to any Active Directory domain. I'm testing it as if it were a mobile device (e.g., smartphone or tablet).

 

Other configurations using the same FortiNAC RADIUS, such as for Persistent Agent or Self-Registration groups, are working correctly without any issues.



Any help or experience on this would be greatly appreciated.
Thanks in advance!

Best regards,

    Best answer by Thonno

    I fixed it. The issue was that the FortiGate had set radius port 0 configured, and it was probably defaulting to port 1812, which on FortiNAC is set as a proxy by default.

    I configured set radius port 1645 on the FortiGate side, and now it works with the certificate issued for the device name.

    1 reply

    Thonno
    ThonnoAuthorAnswer
    Explorer II
    July 21, 2025

    I fixed it. The issue was that the FortiGate had set radius port 0 configured, and it was probably defaulting to port 1812, which on FortiNAC is set as a proxy by default.

    I configured set radius port 1645 on the FortiGate side, and now it works with the certificate issued for the device name.

      Terms & ConditionsAccessibility statement