Hello,
I'm in the process of configuring FortiNAC as a RADIUS server to authenticate WiFi users using certificates deployed through Microsoft Intune. My setup includes FortiGate and FortiAP devices. I aim to establish three distinct SSIDs:
SSID 1: For company-managed laptops.
SSID 2: For company-managed tablets.
SSID 3 (Guest): For visitors requiring temporary network access.
Requirements:
SSIDs 1 & 2: Devices receive certificates from the same internal Certificate Authority (CA) via Intune. I need to ensure that:
Laptops can only authenticate to SSID 1.
Tablets can only authenticate to SSID 2.
Devices cannot cross-authenticate between SSIDs.
SSID 3 (Guest):
Unregistered users connecting to this open SSID should be redirected to FortiNAC's captive portal.
Users should be able to self-register through the portal.
Upon successful registration, users should automatically gain access to the guest network.
Questions:
Is it feasible to configure FortiNAC to enforce SSID-specific access based on certificate attributes or device characteristics, given that all certificates originate from the same CA?
How can I set up FortiNAC's captive portal to facilitate guest self-registration and subsequent automatic connection to the guest network?
Are there best practices or detailed guides available for implementing this configuration?
Any insights, guidance, or references to documentation would be greatly appreciated.
Thank you in advance!
For guest self-registration you can refer to this article that tries to cover the configuration steps: An example FortiGate/FAP
Regarding the first request, I would suggest using a way to differentiate between these devices when they are first registered, like a device type or role for example, and then later using it in User/Host profile conditions to differentiate between them. In the SSID configuration, by using logical networks, you can then isolate the hosts or deny access when they don't match the correct SSID.
Hi Emirjon,
Thank you for your response and the article link — very helpful!
My intention is to integrate Microsoft Intune with FortiNAC and use WPA2-Enterprise on the FortiGate SSIDs, with FortiNAC acting as the RADIUS server for certificate-based authentication.
Is this setup feasible? From what I understand, it should be.
However, I’d prefer not to use roles with dynamic VLAN assignments at this time, as I plan to extend FortiNAC integration to the wired network as well. The wired network uses VLAN IDs that differ from those on the WiFi side, and I want to avoid potential complications in managing consistent access policies across both environments.
Is there an alternative approach you'd recommend for achieving SSID-specific access control without relying on dynamic VLANs?
Thanks again for your time and support.
As long as the PKI is handled by a 3rd party system, FNAC is able to authenticate hosts based on their certificates (EAP-TLS).
FNAC prefers to isolate hosts instead of denying access. The default action in SSID cannot be set to Deny. You can leverage the flexibility of the logical networks to simplify the configuration of network access policies and also use it for denying authentications:
Technically this should send authentication rejects for hosts that are matching with the logical network (GuestLN in this example) and should work without configuring dynamic VLANs at the SSID level.
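The two replies above describe the decision chain in words: derive a device class from something the host presents at registration, match it in a User/Host profile, map the profile to a logical network, and have the SSID reject hosts that land in the wrong logical network. The script below is an added illustration of that same decision logic written as a small policy evaluator; it is not FortiNAC code and FortiNAC itself is configured through its GUI, not through scripts like this. Everything in it is an assumption for the sake of the example: that the Intune certificate profile stamps a distinguishing OU ("Managed Laptops" / "Managed Tablets") into the subject of certificates issued by the one internal CA, that the SSIDs are named Corp-Laptops and Corp-Tablets, that the CA is called "Example Internal CA", and that the controller sends Called-Station-Id in the common "AP-MAC:SSID" form, which is how the evaluator learns which SSID the request came from. The sample requests are constructed.

```python
import re

# Constructed sample policy (illustrative, not a FortiNAC configuration):
# the OU that the assumed Intune certificate profile places in the subject
# maps to a device role, and each role is permitted on exactly one SSID.
ROLE_BY_OU = {"Managed Laptops": "laptop", "Managed Tablets": "tablet"}
ALLOWED_SSID = {"laptop": "Corp-Laptops", "tablet": "Corp-Tablets"}
TRUSTED_ISSUER_CN = "Example Internal CA"   # hypothetical internal CA name


def parse_dn(dn):
    """Split a simple 'CN=a, OU=b, O=c' distinguished name into a dict.
    Handles only the unescaped comma-separated form; first value wins."""
    out = {}
    for part in re.split(r"\s*,\s*", dn.strip()):
        key, sep, value = part.partition("=")
        if sep:
            out.setdefault(key.strip().upper(), value.strip())
    return out


def ssid_from_called_station_id(value):
    """Wireless controllers commonly send Called-Station-Id as '<AP-MAC>:<SSID>'
    (assumed here; see RFC 3580). Return the SSID, or None if none is carried."""
    _, sep, ssid = value.partition(":")
    if not sep or not ssid:
        return None
    return ssid


def evaluate(request):
    """Decide an EAP-TLS Access-Request once the TLS handshake has validated the
    client certificate. `request` is a constructed dict holding the certificate's
    issuer and subject DNs plus the Called-Station-Id attribute.
    Returns (radius_code, reason)."""
    issuer = parse_dn(request["cert_issuer"])
    if issuer.get("CN") != TRUSTED_ISSUER_CN:
        return ("Access-Reject", "certificate not issued by the internal CA")

    subject = parse_dn(request["cert_subject"])
    role = ROLE_BY_OU.get(subject.get("OU", ""))
    if role is None:
        # Same CA, but the host matches no device-class profile: deny rather
        # than let an unclassified certificate onto either corporate SSID.
        return ("Access-Reject", "no device role for OU %r" % subject.get("OU"))

    ssid = ssid_from_called_station_id(request.get("Called-Station-Id", ""))
    if ssid is None:
        return ("Access-Reject", "Called-Station-Id carries no SSID")
    if ssid != ALLOWED_SSID[role]:
        # The cross-SSID case from the question: a valid tablet certificate
        # presented on the laptop SSID (or vice versa) is rejected.
        return ("Access-Reject", "%s device not permitted on SSID %s" % (role, ssid))
    return ("Access-Accept", "%s device accepted on %s" % (role, ssid))


# Constructed sample requests covering the cases the thread cares about.
SAMPLE_REQUESTS = {
    "laptop-on-laptop-ssid": {
        "cert_issuer": "CN=Example Internal CA, O=Example",
        "cert_subject": "CN=lt-0001, OU=Managed Laptops, O=Example",
        "Called-Station-Id": "AA-BB-CC-DD-EE-01:Corp-Laptops",
    },
    "tablet-on-laptop-ssid": {
        "cert_issuer": "CN=Example Internal CA, O=Example",
        "cert_subject": "CN=tb-0042, OU=Managed Tablets, O=Example",
        "Called-Station-Id": "AA-BB-CC-DD-EE-01:Corp-Laptops",
    },
    "foreign-ca": {
        "cert_issuer": "CN=Some Other CA, O=Elsewhere",
        "cert_subject": "CN=lt-9999, OU=Managed Laptops, O=Elsewhere",
        "Called-Station-Id": "AA-BB-CC-DD-EE-01:Corp-Laptops",
    },
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        code, reason = evaluate(req)
        print("%-24s %-14s %s" % (name, code, reason))
```

The point the evaluator makes is that the CA being shared is not the problem: as long as each certificate carries one attribute that distinguishes the device class, and the RADIUS server knows which SSID the request arrived on, a plain mismatch check produces the reject that the second reply describes for hosts landing in the deny logical network, with no dynamic VLAN involved.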
Copyright 2025 Fortinet, Inc. All Rights Reserved.