Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dkempt
Staff
Staff

Created on ‎02-06-2015 11:33 AM

Article Id 194910

Radius Authentication for WiFi (WPA2 Enterprise) -- Windows 2008 with NPS

Description

This Document Assumes the Following :

  • FortiGate OS v5.x
  • Windows 2008 R2 Server with the following installed:
    • Network Policy Server (NPS) *
    • Active Directory
    • Active Directory Certificate Management

    * In Windows Server 2008 / 2008 R2, Network Policy Server (NPS) replaces Internet Authentication Service (IAS).

Configuring the RADIUS server on NPS

  • Browse to Network Policy and Access Server -> NPS(Local) -> Radius Clients and Servers -> RADIUS Clients
  • Right Click on RADIUS Client and select New
    Settings Tab
    Friendly Name :     Name the 'Network Policy and Access Server'
    Address       :     Enter IP of FortiGate
    Shared Secret :     Create a password for the radius server
    Leave all other settings as default

    Advanced Tab
    Leave all settings as default
  • Browse to Network Policy and Access Server -> NPS(Local) -> Policies -> Connection Request Policies
  • Right Click and select New
    |-Enter friendly name in the 'Policy name:' field, then select Next
    |-Under 'Specify Conditions' 
     |-Select Add
     |-Scroll down to Client IPv4 Address
     |-Select 'Add'
     |-Enter the IP address of the internal interface of the FortiGate and select OK
     |-Select Next
    |-Select Next
    |-Select Next
    |-Select Next
    |-Select Finish
    |-Move the newly created Connection Request Policy above the default 'Use Windows Authentication for all users' policy.
  • Browse to Network Policy and Access Server -> NPS(Local) -> Policies -> Network Policies
  • Right Click and select New
    |-Enter friendly name in the 'Policy name:' field, then select Next
    |-Under 'Specify Conditions'
     |-Select Add
     |-Select 'Windows Groups'
     |-Select Add
     |-Select 'Add Groups'
     |-Add you Windows Security Group you wish to allow access
     |-Select OK
    |-Select Next
    |-Select Next
    |-Under 'Configure Authentication Methods'
     |-Check 'Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)'
     |-Select Add
      |-Select 'Microsoft: Protected EAP (PEAP)'
      |-Select OK
     |-Highlight 'Microsoft: Protected EAP(PEAP)' 
     |-Select Edit
      |-Under 'Edit Protected EAP Properties'
      |-Make sure the Certificate issued is not the CA certificate. 
     |-Select Next
    |-Select Next
    |-Select Next
    |-Select Finish
    |-Move the newly created Network Policy to the top of the list

Configure the FortiGate to use the RADIUS Server

  • Log into the FortiGate's GUI, and browse to 'User & Device -> Authentication -> RADIUS Server'
  • Select Create New
  • Under 'New Radius Server'
    Name : Enter a friendly name
    Primary Server IP/Name : IP address or FQDN of RADIUS server
    Primary Server Secret :  The shared secret created on the Windows Server in the Radius Client Settings
    Leave the rest as default.
  • Select OK
  • Browse to 'WiFi Controller -> WiFi Network -> SSID'
  • Select your SSID you wish to use RADIUS to authenticate or Create New
  • Under 'Edit Interface'
    Security Mode :  WPA/WPA2 Enterprise
    Authentication : RADIUS Server
    Select the RADIUS server created in the drop down menu
    Check 'Listen for RADIUS Accounting Messages'

15974
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.