New network plan, clients authentication

Question

Hello everybody, I should buy and configure Fortigate 60F with Fortiswitch PoE and APs. I don't have any server in the new office because the users (20 approximately) have all the domain in cloud with Azure Active Directory. So they log in to their laptops trough windows AAD authentication.  My question is related to the clients authentication, notebooks on the internal network and smartphones and everything else on a guest network.  Is there a possibility to set up a secure authentication with the network that allows the wired or wireless connection from the employee's laptop only without a radius server? Or can I use the firewall as radius server with the allowed users listed? Is there a possibility to use the azure domain user to present the laptop and connect it with the correct policies? How can I split the two interfaces employers and guests? What are you suggestions for the plan?   Thanks

Dan_Eng52 · Answer

Hi Jonathan1993,

There are a few options in regards to authentication on the network however, since you already have Azure AD and doesn't sound like you have any on-prem radius servers or FortiAuthenticator I would be looking at authentication with Azure AD as a SAML IdP.

Outbound firewall authentication with Azure AD as a SAML IdP | FortiGate / FortiOS 7.4.0 | Fortinet Document Library

As for the interfaces and splitting employee and guest networks, I would have separate firewall interfaces with VLAN's on switch. If you had spare interfaces, I would create aggregate interfaces for increased bandwidth.

Alternatively, if you had other plans and didn't want to use that many interfaces you could also create a sub-interface on the Fortigate and setup a trunk on the switch however, the first option would be my preferred.

Hope that makes sense.

Regards,

Dan.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded