ppardeshi
Article Id 216865

Description

This article describes how to authenticate wireless users using their MAC address and their Active Directory credentials.

Scope

FortiGate, FortiAP.

Solution

This article demonstrates how to authenticate wireless clients using their MAC address together with their AD credentials (username and password) when they connect to a wireless SSID that has WPA2-Enterprise authentication enabled.

Windows Server 2016 will be used for the NPS service, which acts as the RADIUS server; the FortiGate is the RADIUS client.

Step 1: Configure the RADIUS server on the FortiGate.

Go to User & Authentication -> RADIUS Servers -> Create New.

Step 2: Configure the NPS service on Windows Server 2016 to accept the FortiGate as a RADIUS client.

Go to Network Policy Server -> RADIUS Clients and Servers -> RADIUS Clients -> right-click -> New.

Step 3: Configure Connection Request Policies on the NPS server.

Go to Network Policy Server -> Policies -> Connection Request Policies -> right-click -> New.

Step 4: Configure Network Policies on the NPS server.

Go to Network Policy Server -> Policies -> Network Policies -> right-click -> New.

Refer to Microsoft's documentation for a more granular configuration of the NPS server for different use cases: https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

Step 5: To authenticate the wireless user's MAC address against the NPS server, create an account on the Active Directory server whose username and password are both the MAC address of the wireless client that connects to the SSID on the FortiAP.

This must be done for every wireless client that needs to authenticate using its MAC address and AD credentials. The MAC address of the test wireless client is E0-D4-64-D0-97-74. The user account with logon name 'E0-D4-64-D0-97-74' is a member of the 'Domain Users' Active Directory group.

This is the default format (uppercase, with a hyphen as delimiter) for the MAC username and MAC password, which must be identical. Starting with FortiOS 7.0.0, the delimiter and case of the MAC username and MAC password can be changed.

The AD user whose credentials the user enters interactively is 'fortinet'.

This user ('fortinet') is also a member of the 'Domain Users' Active Directory group.

To create a new user in Active Directory:

Active Directory Users and Computers -> go to the domain (example.com in this case) -> Users -> right-click -> New -> User.

Step 6: Configure an SSID on the FortiGate.

Go to Network -> Interfaces -> Create New -> Interface -> Type -> WiFi SSID.

Step 7: Set the Security Mode to WPA2 Enterprise and reference the RADIUS server. Toggle on 'Client MAC Address Filtering' and specify the RADIUS server there as well.

a) Network -> Interfaces -> SSID interface -> Security Mode Settings -> Security Mode -> WPA2 Enterprise.

b) Network -> Interfaces -> SSID interface -> Security Mode Settings -> Authentication -> RADIUS Server -> select the RADIUS server (the NPS server in this case).

c) Network -> Interfaces -> SSID interface -> Client MAC Address Filtering -> RADIUS server -> select the RADIUS server (the NPS server in this case).

Step 8: Let the wireless user connect to the SSID. The user is prompted for their Active Directory credentials; once these are accepted, authentication succeeds and the user is connected to the SSID.

FortiOS 7.0.0 introduced a feature that allows the case and delimiter of the MAC username and MAC password to be changed.

The vap (SSID profile) must be edited in the CLI; 'Home-Network' below is the name of the SSID:

# config wireless-controller vap
    edit Home-Network
        set mac-username-delimiter {hyphen | single-hyphen | colon | none}
        set mac-password-delimiter {hyphen | single-hyphen | colon | none}
        set mac-case {uppercase | lowercase}
    next
end

RADIUS packet flow behind the scenes:

The FortiGate first sends the wireless user's MAC address to the NPS server in a RADIUS 'Access-Request' message. This happens passively: the user does not enter it.

Once the FortiGate receives a RADIUS 'Access-Accept' from the NPS server for the MAC address, it sends the AD credentials (the 'fortinet' user) to the NPS server in a further RADIUS 'Access-Request'.

Finally, after the RADIUS 'Access-Accept' for this last packet is received, user authentication is complete and the user is connected to the SSID.
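The following is an added example (not from this article or Fortinet) that models the two stages above and the vap delimiter/case settings in Python: it renders a client MAC the way the vap settings would make the FortiGate send it, hides the password the way a PAP Access-Request does (RFC 2865 section 5.2), and shows that the AD credential stage is only sent after the MAC stage is accepted. It assumes the MAC stage is carried as PAP and that 'single-hyphen' splits the MAC as OUI-NIC; both are assumptions, as is the in-memory dictionary standing in for NPS and AD.

```python
import hashlib
import os
import re

# How each delimiter option renders a MAC is this example's assumption; the article names the options only.
DELIMITERS = {
    "hyphen": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "colon": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "single-hyphen": lambda h: h[:6] + "-" + h[6:],
    "none": lambda h: h,
}

def mac_credential(mac, delimiter="hyphen", case="uppercase"):
    """Render a client MAC the way the vap settings make the FortiGate send it as User-Name/User-Password."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    rendered = DELIMITERS[delimiter](hexdigits)
    return rendered.upper() if case == "uppercase" else rendered.lower()

def pap_hide(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)                  # pad to a multiple of 16 bytes
    hidden, prev = b"", authenticator
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += prev
    return hidden

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide, as the RADIUS server does before checking the password."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00").decode()

def two_stage_auth(directory, secret, mac, username, password, delimiter="hyphen", case="uppercase"):
    """Stage 1 (MAC as User-Name and User-Password) must be accepted before stage 2 (AD user) is sent."""
    mac_cred = mac_credential(mac, delimiter, case)
    results = []
    for name, pw in ((mac_cred, mac_cred), (username, password)):
        authenticator = os.urandom(16)                   # fresh Request Authenticator per packet
        hidden = pap_hide(pw, secret, authenticator)     # what the Access-Request carries on the wire
        accepted = directory.get(name) == pap_reveal(hidden, secret, authenticator)
        results.append("Access-Accept" if accepted else "Access-Reject")
        if not accepted:                                 # the FortiGate never sends stage 2 after a reject
            break
    return results
```

The rejected case with a colon/lowercase vap against a hyphen/uppercase AD account shows why the AD logon name and password must match the delimiter and case the vap is configured with.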
