Dipen
New Member
November 18, 2014
Question

WiFi Authentication using WPA2-Enterprise (RADIUS)


I have created an SSID in my FortiGate. I want users to connect to the SSID using AD credentials. Hence I have configured RADIUS on my Domain Controller and configured the SSID to use WPA-Enterprise via RADIUS.

I checked the RADIUS server from the CLI and it is working fine:

diagnose test authserv radius <Server> mschap2 <user> <password>

The diag test command is successful.

However, when I try to connect to the SSID, it prompts for username / password, but I am unable to connect to the SSID.

Below is the SSID setting.

I do not get any logs in diagnose debug application fnbamd -1.

However, if I create a local user group, specify the RADIUS server in the local group, and then authenticate the SSID with the local group, it works after giving 3-4 warnings.

User monitor shows the user authenticated as "WSSO".

The first row is from a laptop which is not a domain member. The second row is from a laptop which is a domain member.

I want to know what is the correct method of doing WPA-Enterprise auth. I do not want to use user-based policies.

Authentication should happen only at SSID connect.

7 replies

Jeff_FTNT
Staff
November 18, 2014

WPA2-Enterprise + RADIUS: the RADIUS server needs to support EAP. Use the CLI command dia debug application wpad -1; it will show debug messages.

WPA2-Enterprise + user group (RADIUS server): the RADIUS server does not need to support EAP; the FGT uses Proxy-EAP to support it. Use the CLI command dia debug application fn -1; it will show debug output.

Hope this is helpful.

Dipen
Author
New Member
November 20, 2014

What is this WSSO stuff?

As told earlier, SSID --> RADIUS doesn't work; however, SSID --> Local Group --> RADIUS works.

If my client is already joined to the domain, will it ask for username / password?

I checked from a system which was not in the domain. It asked for a password and User Monitor shows "username".

I checked from a system which was in the domain. It didn't ask for a password and User Monitor shows "Domain\username".

Jeff_FTNT
Staff
November 20, 2014

If your policy for "SSID --> outbound" has the same user group as the SSID setting, then once you pass SSID authentication, it will not ask you to input user/password again. This is called WSSO.

Dipen
Author
New Member
November 23, 2014

Why are we getting the attached error?

Jeff_FTNT
Staff
November 24, 2014

Import the CA certificate which signed the RADIUS server certificate to your PC. Thanks.

Dipen
Author
New Member
December 3, 2014

What's the difference between WSSO and RSSO?

Jeff_FTNT
Staff
December 3, 2014

WSSO: if you pass SSID authentication, there is no need to do the same authentication on the policy.

RSSO: the FGT has an RSSO agent and receives RADIUS Accounting, which includes attributes like Framed-IP-Address and Class, etc. It permits a host whose IP matches the Framed-IP-Address to pass the authentication policy. Hope it is helpful, thanks.
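
The RADIUS Accounting message that the last reply describes, shown as an added example (not code from this thread or from Fortinet): a parser that checks the RFC 2866 Request Authenticator before reading Framed-IP-Address and Class. A receiver that maps an IP address to a user from such a message depends on that check and on the shared secret. The shared secret, user name, address and Class value are constructed for the example, and the code does not model the FortiGate RSSO agent itself.

```python
import hashlib, hmac, ipaddress, struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40

def _authenticator(header4, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header4 + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """Build a constructed sample packet, standing in for the RADIUS server's message."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header4 = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header4 + _authenticator(header4, body, secret) + body

def parse_accounting_request(packet, secret):
    """Return session attributes; raise ValueError if malformed or unauthenticated."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    if not hmac.compare_digest(packet[4:20], _authenticator(packet[:4], attrs, secret)):
        raise ValueError("bad Request Authenticator: wrong secret or altered packet")
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("bad attribute length")
        kind, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if kind == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif kind == FRAMED_IP_ADDRESS and len(value) == 4:
            out["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif kind == CLASS:
            out["class"] = value
        elif kind == ACCT_STATUS_TYPE and len(value) == 4:
            out["status"] = struct.unpack("!I", value)[0]   # 1 = Start, 2 = Stop
        i += attrs[i + 1]
    return out

SECRET = b"constructed-shared-secret"       # constructed value for the example
SAMPLE = build_accounting_request(7, [      # constructed Accounting-Request (Start)
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (USER_NAME, b"alice"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.25").packed),
    (CLASS, b"wifi-staff"),
], SECRET)
```

Calling parse_accounting_request(SAMPLE, SECRET) returns the user, framed IP, Class and status; a packet altered in transit or built with a different secret is rejected before any attribute is trusted.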