Skip to main content
Thonno
Thonno
Explorer II
May 25, 2025
Question

FortiNAC as RADIUS Server for WiFi Users with Certificates Deployed by Intune and Guest Self-Registr

  • May 25, 2025
  • 1 reply
  • 1386 views

Hello,

I'm in the process of configuring FortiNAC as a RADIUS server to authenticate WiFi users using certificates deployed through Microsoft Intune. My setup includes FortiGate and FortiAP devices. I aim to establish three distinct SSIDs:

  1. SSID 1: For company-managed laptop.

  2. SSID 2: For company-managed tablet.

  3. SSID 3 (Guest): For visitors requiring temporary network access.

Requirements:

  • SSIDs 1 & 2: Devices receive certificates from the same internal Certificate Authority (CA) via Intune. I need to ensure that:

    • Laptops can only authenticate to SSID 1.

    • Tablets can only authenticate to SSID 2.

    • Devices cannot cross-authenticate between SSIDs.

  • SSID 3 (Guest):

    • Unregistered users connecting to this open SSID should be redirected to FortiNAC's captive portal.

    • Users should be able to self-register through the portal.

    • Upon successful registration, users should automatically gain access to the guest network.

Questions:

  1. Is it feasible to configure FortiNAC to enforce SSID-specific access based on certificate attributes or device characteristics, given that all certificates originate from the same CA?

  2. How can I set up FortiNAC's captive portal to facilitate guest self-registration and subsequent automatic connection to the guest network?

  3. Are there best practices or detailed guides available for implementing this configuration?

Any insights, guidance, or references to documentation would be greatly appreciated.

Thank you in advance!

    1 reply

    ebilcari
    Staff
    ebilcari
    Staff
    May 27, 2025

    For guest self-registration you can refer to this article that tries to covers the configuration steps: An example FortiGate/FAP
    Regarding the first request, I would suggest to use a way to differentiate between these devices when they are firstly registered like a device type or role for example and than later use it in a User/Host profile conditions to differentiate between them. In the SSID configuration by using logical networks, you can than isolate the hosts or deny access when they don't match with the correct SSID.

    Emirjon
      Thonno
      ThonnoAuthor
      Explorer II
      May 28, 2025

      Hi Emirjon,

      Thank you for your response and the article link — very helpful!

      My intention is to integrate Microsoft Intune with FortiNAC and use WPA2-Enterprise on the FortiGate SSIDs, with FortiNAC acting as the RADIUS server for certificate-based authentication.
      Is this setup feasible? From what I understand, it should be.

      However, I’d prefer not to use roles with dynamic VLAN assignments at this time, as I plan to extend FortiNAC integration to the wired network as well. The wired network uses VLAN IDs that differ from those on the WiFi side, and I want to avoid potential complications in managing consistent access policies across both environments.

      Is there an alternative approach you'd recommend for achieving SSID-specific access control without relying on dynamic VLANs?

      Thanks again for your time and support.

      ebilcari
      Staff
      ebilcari
      Staff
      May 28, 2025

      As long as the PKI is handled by a 3rd party system, FNAC is able to authenticate hosts based on their certificates (EAP-TLS).

      FNAC prefers to isolate hosts instead of denying access. The default action in SSID can not be set to Deny. You can leverage the flexibility of the logical networks to simplify the configuration of network access policies and also use it for denying authentications:

       

      SSID logical networks.PNG

       

      Technically this should send authentication rejects for hosts that are matching with the logical network (GuestLN in this example) and should work without configuring dynamic VLANs at the SSID level.

      Emirjon
      Terms & ConditionsAccessibility statement