Support Forum
Thonno
Contributor

FortiNAC and WPA2 Enterprise

Hello everyone,

I'm currently setting up a lab environment to authenticate mobile users (smartphones, tablets) to a WiFi network using certificate-based authentication via 802.1X.

I'm following this Fortinet guide (but I'm using a Bridge SSID and not a Tunnel SSID):
FortiNAC WiFi 802.1X based network using FortiNAC Local RADIUS Server

Infrastructure:

  • FortiGate
  • FortiAP
  • FortiNAC-F version 7.2

FortiGate Configuration:

SSID:

[Screenshot: 1.png]

  • RADIUS Server settings:
    • NAS IP: set to FortiGate IP
    • radius-coa enabled via CLI
  • VLAN Interface ID 69 created and enabled with:
    • RADIUS Accounting
    • SNMP
    • PING
    • Security Fabric Connection

FortiNAC Configuration:

  • Local RADIUS: Configured and enabled all TLS types
  • Winbind Domain: Configured (used for another SSID with LDAP + Persistent Agent)
  • Network > SSID:
    • SSID bound to Default RADIUS Server
    • Custom Settings:
      • RADIUS Mode: Local
      • RADIUS Attribute Group: RFC_VLAN
      • Enforced Wireless Role: default, registration, and logical networks

[Screenshot: 2.png]

  • VLAN Port Group (ID 69):
    • Authorized Access Points
    • Forced Authentication
    • Forced Registration
    • Role-Based Access

FortiGate Virtualized Devices:

[Screenshot: 3.png]

Certificate Setup:

  • Windows Standalone CA created with SHA256
  • Imported CA cert into FortiNAC:
    • Trusted CA
    • RADIUS Endpoint Trust [radius]
  • Issued a cert from the CA for Local RADIUS Server (EAP) using SHA256
  • On the client device:
    • Imported the CA cert
    • Imported a .pfx cert for the device hostname
    • Also tested with a .pfx cert for user username@workgroup.local

Client Test:

  • Testing from a Windows laptop
  • Configured WiFi profile as:
    • WPA2 Enterprise
    • Smart card or other certificate
    • CA selected manually
  • When connecting, Windows prompts for a certificate, but none are accepted (both user and device certs fail)
  • No logs appear in FortiNAC RADIUS (neither in the Service Log nor Server Log)

The laptop used for testing is not joined to any Active Directory domain. I'm testing it as if it were a mobile device (e.g., smartphone or tablet).

Other configurations using the same FortiNAC RADIUS, such as for Persistent Agent or Self-Registration groups, are working correctly without any issues.

Any help or experience on this would be greatly appreciated.
Thanks in advance!

Best regards,

1 Solution
Thonno
Contributor

I fixed it. The issue was that the FortiGate had set radius port 0 configured, and it was probably defaulting to port 1812, which on FortiNAC is set as a proxy by default.

I configured set radius port 1645 on the FortiGate side, and now it works with the certificate issued for the device name.
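To confirm which UDP port a FortiNAC RADIUS service actually answers on before chasing certificates, here is a small probe (an added example of my own, not from this thread or from Fortinet): it builds a RADIUS Access-Request carrying an EAP Identity Response and a Message-Authenticator, sends one to 1812 and one to 1645, and reports which port replies and whether the reply's Response Authenticator verifies against the shared secret. The server address, NAS IP, shared secret and the identity probe@workgroup.local are placeholders you supply.

```python
"""RADIUS port probe: builds an Access-Request (RFC 2865) with a
Message-Authenticator (RFC 3579) and checks which UDP port answers."""
import hashlib, hmac, os, socket, struct

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def build_access_request(secret: bytes, ident: int, username: str, nas_ip: str):
    """Return (packet, request_authenticator). The EAP-Message (type 79)
    carries an EAP Identity Response, so an EAP-capable server replies
    with Access-Challenge rather than silently dropping the request."""
    req_auth = os.urandom(16)
    eap = struct.pack("!BBH", 2, ident, 5 + len(username)) + b"\x01" + username.encode()
    attrs = (
        bytes([1, 2 + len(username)]) + username.encode()    # User-Name
        + bytes([4, 6]) + socket.inet_aton(nas_ip)           # NAS-IP-Address
        + bytes([79, 2 + len(eap)]) + eap                    # EAP-Message
        + bytes([80, 18]) + bytes(16)                        # Message-Authenticator (zeroed)
    )
    length = 20 + len(attrs)
    header = struct.pack("!BBH", 1, ident, length) + req_auth   # Code 1 = Access-Request
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    pkt = header + attrs[:-16] + mac   # fill in the real HMAC-MD5
    return pkt, req_auth

def parse_response(data: bytes, req_auth: bytes, secret: bytes):
    """Return (code_name, authentic); authentic is True only if the Response
    Authenticator equals MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(data) < 20:
        return None, False
    code, ident, length = struct.unpack("!BBH", data[:4])
    body = data[:length]
    expected = hashlib.md5(body[:4] + req_auth + body[20:] + secret).digest()
    return RADIUS_CODES.get(code, f"code {code}"), hmac.compare_digest(expected, body[4:20])

def probe(server: str, secret: bytes, nas_ip: str, ports=(1812, 1645), timeout=2.0):
    """Send one Access-Request to each port; return {port: (code, authentic) or None}."""
    results = {}
    for i, port in enumerate(ports):
        pkt, req_auth = build_access_request(secret, i, "probe@workgroup.local", nas_ip)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, port))
            try:
                results[port] = parse_response(s.recv(4096), req_auth, secret)
            except socket.timeout:
                results[port] = None   # no listener, firewall, or unknown NAS IP / wrong secret
    return results
```

A port that never replies usually means no listener, a firewall in the path, or a NAS IP or shared secret the server does not recognise (RADIUS drops such packets silently), which is consistent with the empty Service and Server logs described above.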

