This document assumes the following:
Configuring the RADIUS server on NPS
New RADIUS Client (RADIUS Clients and Servers > RADIUS Clients > New), Settings tab
|-Friendly name : A name for this RADIUS client entry, i.e. the FortiGate (NPS events report it as the client friendly name)
|-Address (IP or DNS) : The IP of the FortiGate interface that sends the RADIUS requests (by default the interface facing the NPS server)
|-Shared secret : Generate a long, random secret rather than a hand-typed password; RADIUS protects the exchange only with an MD5 construction keyed by this secret. The same value is entered on the FortiGate later
|-Leave all other settings as default
Advanced tab : Leave all settings as default
Connection Request Policy (Policies > Connection Request Policies > New)
|-Enter a friendly name in the 'Policy name:' field, then select Next
|-Under 'Specify Conditions', select Add
|-Scroll down to 'Client IPv4 Address' and select Add
|-Enter the IP address the FortiGate sends RADIUS requests from (the same address used in the RADIUS client entry) and select OK
|-Select Next
|-Select Next three more times, accepting the defaults on the remaining pages, then select Finish
|-Move the newly created Connection Request Policy above the default 'Use Windows authentication for all users' policy; policies are evaluated in order, so the default would otherwise match first
Network Policy (Policies > Network Policies > New)
|-Enter a friendly name in the 'Policy name:' field, then select Next
|-Under 'Specify Conditions', select Add
|-Select 'Windows Groups', select Add, then select 'Add Groups'
|-Add the Windows security group you wish to allow access, then select OK
|-Select Next
|-Select Next ('Access granted' is the default on the Specify Access Permission page)
|-Under 'Configure Authentication Methods':
|-Check 'Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)'. Wireless clients authenticate inside PEAP (whose inner method is EAP-MSCHAP v2); this plain entry is what non-EAP logins such as the FortiGate's own RADIUS test use
|-Select Add, select 'Microsoft: Protected EAP (PEAP)', then select OK
|-Highlight 'Microsoft: Protected EAP (PEAP)' and select Edit
|-Under 'Edit Protected EAP Properties', make sure 'Certificate issued to' shows a server certificate issued to this NPS server (one with the Server Authentication purpose and a private key), not the CA's own certificate. Wireless clients must trust the CA that issued it and be set to validate the server certificate; otherwise a rogue access point presenting any certificate can capture the inner MS-CHAP-v2 exchange
|-Select Next three times, accepting the defaults, then select Finish
|-Move the newly created Network Policy to the top of the list
Configure the FortiGate to use the RADIUS Server
RADIUS Servers > Create New
|-Name : Enter a friendly name
|-Primary Server IP/Name : IP address or FQDN of the NPS server
|-Primary Server Secret : The shared secret created on the Windows Server in the RADIUS client settings
|-Leave the rest as default
|-Before building the SSID, use 'Test connectivity' and 'Test user credentials' on this page with a member of the allowed group; a failure here means the shared secret, client address or NPS policies are wrong, not the wireless configuration
SSID settings
|-Security Mode : WPA/WPA2 Enterprise (prefer a WPA2-only mode if all clients support it; WPA/TKIP is deprecated)
|-Authentication : RADIUS Server
|-Select the RADIUS server created above in the drop-down menu
|-Check 'Listen for RADIUS Accounting Messages'
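As an added example (not part of the original guide), the PowerShell below scripts the NPS 'New RADIUS Client' step and the PEAP certificate check from the NPS section, then prints the equivalent FortiGate CLI for the RADIUS server and SSID steps from the FortiGate section, so both ends receive the same generated shared secret. It runs on the NPS server as an administrator. The IP addresses, client name, SSID and the server object name NPS-RADIUS are placeholders; `set auth-type ms_chap_v2` is set explicitly (the guide leaves the FortiGate default) so that the FortiGate's RADIUS test matches the MS-CHAP-v2 method enabled in the Network Policy.

```powershell
# Added example, not from the original guide. Automates the NPS 'New RADIUS
# Client' step, checks the PEAP server certificate, and prints the matching
# FortiGate CLI so both sides get the same generated shared secret.
# Run on the NPS server as an administrator. All addresses/names are placeholders.
#Requires -RunAsAdministrator
Import-Module NPS

$fortigateIp = '192.0.2.1'       # assumption: FortiGate interface that sources RADIUS requests
$clientName  = 'FortiGate-WiFi'  # friendly name of the RADIUS client entry (appears in NPS events)
$npsIp       = '192.0.2.10'      # assumption: this NPS server, as the FortiGate reaches it
$ssid        = 'Corp-WiFi'       # assumption

# 1. Shared secret. RADIUS hides passwords with an MD5 construction keyed by
#    this secret, so it should be long and random, not a hand-typed password.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')

# 2. Register the FortiGate as a RADIUS client (Settings tab in the guide).
#    NPS will only accept requests that come from this address with this secret.
New-NpsRadiusClient -Name $clientName -Address $fortigateIp -SharedSecret $secret | Out-Null

# 3. PEAP server certificate check ('Edit Protected EAP Properties' step).
#    The certificate NPS presents must be issued to this host, carry the
#    Server Authentication purpose and have a private key. A CA certificate
#    is self-issued and normally has no Server Authentication purpose, so it
#    is excluded here.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$peapCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -ne $_.Issuer -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}
if (-not $peapCerts) {
    throw 'No usable PEAP server certificate in LocalMachine\My; enroll one before building the Network Policy.'
}
$peapCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# 4. FortiGate side, mirroring the guide's RADIUS server and SSID steps.
#    auth-type is set explicitly to MS-CHAP-v2 to match the method enabled in
#    the Network Policy (the guide leaves the FortiGate default).
@"
config user radius
    edit "NPS-RADIUS"
        set server "$npsIp"
        set secret "$secret"
        set auth-type ms_chap_v2
    next
end
config wireless-controller vap
    edit "$ssid"
        set ssid "$ssid"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "NPS-RADIUS"
    next
end
# Verify from the FortiGate CLI once the NPS policies exist:
# diagnose test authserver radius NPS-RADIUS mschap2 <user> <password>
"@

# 5. After a client connects, check the result on NPS: event 6272 = access
#    granted, 6273 = access denied (the Reason Code names the failing check).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The Connection Request Policy and Network Policy have no simple cmdlet and are still built in the NPS console as described above. If step 5 returns nothing after a connection attempt, NPS auditing is probably disabled; `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` turns it on. A 6273 event with a reason code pointing at the authentication method usually means the Network Policy is missing PEAP or MS-CHAP-v2, while a request that never appears at all usually means the client address or shared secret does not match the RADIUS client entry.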