HS08
Visitor III
May 22, 2026
Question

Wireless dot1.x

  • May 22, 2026
  • 2 replies
  • 74 views

I have a requirement to use one SSID for employees and guests: the employees will use EAP-TLS to authenticate, and if authentication fails because the client does not have a certificate, then the endpoint will get access to the guest network.

This was done for wired connections (employee and guest), but on wireless connections only the employee part works; if the wireless client does not have a certificate, the client is asked to enter a username and password. Does anyone know how to achieve this?


2 replies

AEK
SuperUser
May 22, 2026

I know of such a feature in other equipment, where you can configure what we call an "Authentication Policy": the equipment sends the user's authentication query to one auth server, and in case it fails it sends the query to a second auth server.

In FortiNAC I personally don't know of such a feature. But "probably", if you have FortiAuthenticator as the back-end RADIUS server, then you may be able to do that, since with FAC you can configure auth policies that are very customizable.

AEK
ebilcari
Staff
May 25, 2026

This is not possible in a WiFi network due to media security limitations. If the SSID is configured for dot1x, it will not fall back to MAC authentication as it does in wired scenarios. The SSID will only allow hosts that perform dot1x authentication. A separate SSID is required for guest access or onboarding.

Emirjon
AEK
SuperUser
May 25, 2026

Hi Emirjon

If I understand HS08's request well, the guest also attempts a .1x connection, but with user-pass instead of a client certificate.

I mean this scenario:

  1. Employee attempts .1x with certificate
  2. FNAC forwards to FAC
  3. FAC matches the 1st policy (cert auth for AD users) and returns access-accept

And for Guest:

  1. Guest attempts .1x connection with user & password
  2. FNAC just forwards to FAC
  3. FAC matches the 2nd policy (user-pass auth for local users) and returns access-accept

Would this be possible?

AEK
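The two-policy back end that AEK sketches above, written out as an added example that is not from this thread and is not FortiAuthenticator or FortiNAC configuration: it uses FreeRADIUS 3.x syntax to stand in for the RADIUS server. Both EAP-TLS and PEAP are offered on the same 802.1X SSID, the supplicant picks the method it can complete, and the post-auth policy returns a different VLAN depending on which method succeeded. The VLAN IDs (10 and 20) are constructed, the certificate paths are the FreeRADIUS defaults, and the guest path assumes the username/password accounts already exist on the server, i.e. the pre-created-accounts case rather than self-onboarding.

```conf
# mods-enabled/eap (excerpt, added example): offer both methods on one SSID.
eap {
    # Supplicants that hold a client certificate negotiate EAP-TLS;
    # supplicants without one negotiate PEAP and send a username/password.
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # Employee client certificates must chain to this CA (default path).
        ca_file = ${cadir}/ca.pem
    }

    tls {
        tls = tls-common
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        # Inner MSCHAPv2 is checked against the pre-created guest accounts here.
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/default (excerpt, added example): post-auth runs only after a
# successful authentication, so each branch below maps "which EAP method
# completed" to a VLAN. EAP-Type is set by the eap module.
post-auth {
    if (&EAP-Type == TLS) {
        # Employee: certificate validated against the corporate CA.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "10"   # constructed employee VLAN
        }
    }
    elsif (&EAP-Type == PEAP) {
        # Guest: pre-created username/password account, no certificate.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"   # constructed guest VLAN
        }
    }
    else {
        # Any other method that somehow succeeded gets no VLAN; deny it.
        reject
    }
}
```

What this does not give you is the wired-style fallback from the original question: a wireless client with neither a certificate nor a pre-created account never completes 802.1X, so it never reaches post-auth and cannot be dropped into a guest VLAN. That is the gap ebilcari describes, and why a separate onboarding SSID is still needed for guests who have no account yet.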
ebilcari
Staff
May 25, 2026

This is not a limitation specific to FNAC. A dedicated onboarding SSID is still required for guests to create their accounts, even if they can later authenticate using EAP-PEAP or TTLS. This requirement changes only if guest accounts are pre-created and shared with users before they attempt to connect to the network. A similar approach is used by Eduroam: https://docs.fortinet.com/document/fortinac-f/7.6.0/eduroam/723783/eduroam-feature-testing

Emirjon