Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dkempt
Staff
Staff

Created on ‎02-06-2015 11:33 AM

Radius Authentication for WiFi (WPA2 Enterprise) -- Windows 2008 with NPS

Description

This Document Assumes the Following :

  • FortiGate OS v5.x
  • Windows 2008 R2 Server with the following installed:
    • Network Policy Server (NPS) *
    • Active Directory
    • Active Directory Certificate Management

    * In Windows Server 2008 / 2008 R2, Network Policy Server (NPS) replaces Internet Authentication Service (IAS).

Configuring the RADIUS server on NPS

  • Browse to Network Policy and Access Server -> NPS(Local) -> Radius Clients and Servers -> RADIUS Clients
  • Right Click on RADIUS Client and select New
    Settings Tab
    Friendly Name :     Name the 'Network Policy and Access Server'
    Address       :     Enter IP of FortiGate
    Shared Secret :     Create a password for the radius server
    Leave all other settings as default

    Advanced Tab
    Leave all settings as default
  • Browse to Network Policy and Access Server -> NPS(Local) -> Policies -> Connection Request Policies
  • Right Click and select New
    |-Enter friendly name in the 'Policy name:' field, then select Next
    |-Under 'Specify Conditions' 
     |-Select Add
     |-Scroll down to Client IPv4 Address
     |-Select 'Add'
     |-Enter the IP address of the internal interface of the FortiGate and select OK
     |-Select Next
    |-Select Next
    |-Select Next
    |-Select Next
    |-Select Finish
    |-Move the newly created Connection Request Policy above the default 'Use Windows Authentication for all users' policy.
  • Browse to Network Policy and Access Server -> NPS(Local) -> Policies -> Network Policies
  • Right Click and select New
    |-Enter friendly name in the 'Policy name:' field, then select Next
    |-Under 'Specify Conditions'
     |-Select Add
     |-Select 'Windows Groups'
     |-Select Add
     |-Select 'Add Groups'
     |-Add you Windows Security Group you wish to allow access
     |-Select OK
    |-Select Next
    |-Select Next
    |-Under 'Configure Authentication Methods'
     |-Check 'Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)'
     |-Select Add
      |-Select 'Microsoft: Protected EAP (PEAP)'
      |-Select OK
     |-Highlight 'Microsoft: Protected EAP(PEAP)' 
     |-Select Edit
      |-Under 'Edit Protected EAP Properties'
      |-Make sure the Certificate issued is not the CA certificate. 
     |-Select Next
    |-Select Next
    |-Select Next
    |-Select Finish
    |-Move the newly created Network Policy to the top of the list

Configure the FortiGate to use the RADIUS Server

  • Log into the FortiGate's GUI, and browse to 'User & Device -> Authentication -> RADIUS Server'
  • Select Create New
  • Under 'New Radius Server'
    Name : Enter a friendly name
    Primary Server IP/Name : IP address or FQDN of RADIUS server
    Primary Server Secret :  The shared secret created on the Windows Server in the Radius Client Settings
    Leave the rest as default.
  • Select OK
  • Browse to 'WiFi Controller -> WiFi Network -> SSID'
  • Select your SSID you wish to use RADIUS to authenticate or Create New
  • Under 'Edit Interface'
    Security Mode :  WPA/WPA2 Enterprise
    Authentication : RADIUS Server
    Select the RADIUS server created in the drop down menu
    Check 'Listen for RADIUS Accounting Messages'

13708
0 Kudos
Contributors

Contact Us