I have a FortiWifi 40F installed on my network, with a RADIUS server for a WPA Enterprise configuration.
I have installed an access point, configuring the RADIUS server IP with the port and the secret.
Here come the issues: when I try to authenticate clients on the AP, the server doesn't get any request, and the authentication fails.
I have been investigating: my server is on 192.168.100.0/24 and my access point is on 192.168.2.0/24, with the firewall policy accepting traffic between these two interfaces (ports 1 and 2 of the FortiWifi).
I have tried connecting with another device from the access point side to the server, and I have no problem with ping or remote access, but the RADIUS request fails.
I have configured the users and the client in FreeRADIUS, pointing to the access point IP.
And the final step: I tried with both devices on the same net (192.168.100.0/24) and, surprise, everything works perfectly.
What's the matter? Is configuring the wifi devices inside the DMZ the best practice?
Maybe I would like to configure communication between 192.168.100.0/24 and 192.168.2.0/24 without filtering the requests, so the RADIUS service can work as if both devices were on the same net.
Any suggestions? Can someone help me with this configuration?
Ping from AP to RADIUS is impossible: it doesn't support console commands, and connecting via SSH requires sudo permission, which is not activated.
Ping from RADIUS to AP works without problems.
Test authentication locally works.
But with the firewall between AP and RADIUS it doesn't get an answer. I get this error message when forcing a response with the NTRadPing software; with an AP request the server doesn't show any alert.
This is what I think: the Forti catches the AP request (192.168.2.1) and sends it to my RADIUS server (192.168.100.100), but the server gets the request from 192.168.100.200 (the IP of the FortiGate interface in 192.168.100.0/24), so it doesn't recognise the client and rejects the request.
As I said, configuring the AP and the RADIUS in the same net (with 192.168.100.100 for RADIUS and 192.168.100.1 for AP) works without problems; the idea is to separate each device into a different net, but without this source IP change.
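The symptom described above (the server seeing 192.168.100.200 instead of 192.168.2.1) is what a FortiOS firewall policy with source NAT enabled produces. As an added illustration, not taken from the original post or from Fortinet/FreeRADIUS documentation, here is the weak policy beside the corrected one, plus the FreeRADIUS client entry that must match the address the server actually receives. Interface names (port1 = 192.168.100.0/24, port2 = 192.168.2.0/24), the policy ID, the address object names and the shared secret are assumptions.

```text
# FortiOS CLI. Weak: NAT on the AP-to-server policy rewrites the source
# address to the FortiGate's port1 address, so FreeRADIUS sees an unknown client.
config firewall policy
    edit 10
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

# Corrected: NAT disabled so the server sees 192.168.2.1, and the policy
# narrowed to the AP and the RADIUS host only (least privilege).
config firewall address
    edit "ap-host"
        set subnet 192.168.2.1 255.255.255.255
    next
    edit "radius-host"
        set subnet 192.168.100.100 255.255.255.255
    next
end
config firewall policy
    edit 10
        set srcaddr "ap-host"
        set dstaddr "radius-host"
        set service "RADIUS"
        set nat disable
    next
end

# FreeRADIUS clients.conf (path varies by distribution): the client stanza
# must match the source address that arrives at the server after the firewall.
client fortiwifi-ap {
    ipaddr   = 192.168.2.1
    secret   = CHANGE_ME_shared_secret
    shortname = ap-vlan2
    nas_type = other
}
```

Running the server in debug mode (`radiusd -X`) shows whether a request was dropped because it came from an address with no matching client stanza, which is the check to make before and after changing the NAT setting.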