My configuration:
FortiGate 200E, firmware 7.2.3
Access points: 20 x FortiAP-231F
Windows Server 2022 Standard, NPS role (RADIUS)
I am looking for a configuration that allows RADIUS to be used for the different Wi-Fi SSIDs in "RADIUS server" mode and not local.
We have 5 different Wi-Fi SSIDs on each FortiAP-231F access point.
We have created 5 different groups for the users of each SSID:
Active Directory security group "Grp1" for SSID WIFI 1, "Grp2" for SSID WIFI 2, "Grp3" for SSID WIFI 3, "Grp4" for SSID WIFI 4, "Grp5" for SSID WIFI 5.
The Windows 2022 NPS RADIUS server communicates well with our FortiGate 200E firewall, but it only works for one group:
The security group "Grp1" for SSID WIFI 1 in RADIUS server mode works, but if I activate "Grp2" for SSID WIFI 2, users of both "Grp1" and "Grp2" can connect to SSID WIFI 1 and SSID WIFI 2.
We want users of "Grp1" to be able to connect only to SSID WIFI 1 and not to both; likewise for "Grp2".
The condition doesn't work.
Hello,
Yes, you can achieve this by using a source attribute.
You need to create a RADIUS policy for each SSID, filtering on the source attribute criteria:
Vendor: Fortinet
Attribute ID: Fortinet SSID
Value (string): <SSID Name>
The FortiGate, as RADIUS client, sends the SSID name as an attribute to the RADIUS server, in this case NPS. In a RADIUS debug log on the server (or a PCAP) you can verify which attributes you receive for each SSID.
The article below explains how to filter on the source attribute Called-Station-Id on the FortiAuthenticator RADIUS server:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-radius-profile...
So you first need to filter on the SSID source attribute criteria, then validate the user and send back the RADIUS attribute User Group Name "Grp1", "Grp2", etc.
User Group Name is an attribute returned by the NPS RADIUS server in order to match the group created on the FortiGate:
config user group
    edit "Group1"
        # "NPS" is the RADIUS server object defined on the FortiGate
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                # must equal the group name value NPS returns in the Access-Accept
                set group-name "Grp1"
            next
        end
    next
end
Additionally, a VSAs article that might also help you:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-s-RADIUS-Dictionary-and-VSAs-late...
BR
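To make the exchange in this answer concrete, here is an added example (not code from the thread or from Fortinet): it encodes the Fortinet Vendor-Specific attribute the FortiGate puts in the Access-Request, extracts Fortinet-SSID from it, runs an NPS-style "all conditions must match, first match wins" evaluation over two policy sets (group condition only, versus SSID condition plus group condition), and builds the Fortinet-Group-Name attribute for the Access-Accept. Vendor id 12356, Fortinet-Group-Name = 1 and Fortinet-SSID = 7 come from the Fortinet RADIUS dictionary linked above; the packet bytes, user names and AD group membership are constructed for the example, the RADIUS header and credential check are omitted, and the policy model is a simplification of NPS, not its implementation.

```python
import struct

# RADIUS attribute types (RFC 2865) and Fortinet VSA numbers
# (vendor id 12356, from the public Fortinet RADIUS dictionary).
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLED_STATION_ID = 30
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1   # returned by the server; matched by 'set group-name'
FORTINET_SSID = 7         # sent by the FortiGate; the per-SSID policy condition


def encode_attr(attr_type, value):
    """Encode one RADIUS AVP: type (1 byte), length (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return bytes([attr_type, len(value) + 2]) + value


def encode_fortinet_vsa(vsa_type, text):
    """Encode a Vendor-Specific AVP carrying one Fortinet sub-attribute."""
    value = text.encode()
    inner = bytes([vsa_type, len(value) + 2]) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC,
                       struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def decode_attrs(payload):
    """Walk an AVP list and return [(type, value)]; bad lengths raise."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, payload[i + 2:i + ln]))
        i += ln
    if i != len(payload):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def fortinet_vsas(attrs):
    """Collect {sub-type: str} for every Fortinet VSA among the AVPs."""
    out = {}
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for sub_type, sub_value in decode_attrs(v[4:]):
            out[sub_type] = sub_value.decode(errors="replace")
    return out


def build_request(user, ssid, ap_mac="00-11-22-33-44-55"):
    """Attribute section of an Access-Request as a FortiGate would send it.
    Constructed for the example: header, Message-Authenticator and the
    NAS attributes are left out."""
    return (encode_attr(ATTR_USER_NAME, user.encode())
            + encode_attr(ATTR_CALLED_STATION_ID, (ap_mac + ":" + ssid).encode())
            + encode_fortinet_vsa(FORTINET_SSID, ssid))


# Constructed AD membership; a real server queries the directory.
AD_MEMBERSHIP = {"alice": {"Grp1"}, "bob": {"Grp2"}, "carol": {"Grp1", "Grp2"}}

# Policy sets in NPS terms: every condition must hold for a policy to match,
# and the first matching policy decides.  WEAK has only the group condition
# (the situation described in the thread); FIXED adds the Fortinet-SSID one.
WEAK_POLICIES = [{"ad_group": "Grp1"}, {"ad_group": "Grp2"}]
FIXED_POLICIES = [{"ssid": "WIFI 1", "ad_group": "Grp1"},
                  {"ssid": "WIFI 2", "ad_group": "Grp2"}]


def policy_matches(policy, user, ssid):
    if "ssid" in policy and policy["ssid"] != ssid:
        return False  # a policy without this condition matches every SSID
    return policy["ad_group"] in AD_MEMBERSHIP.get(user, set())


def evaluate(request_attrs, policies):
    """Return ("Access-Accept", accept_attr_bytes) or ("Access-Reject", b"").
    Credential checking is omitted; the point is the SSID/group condition."""
    attrs = decode_attrs(request_attrs)
    user = next((v.decode() for t, v in attrs if t == ATTR_USER_NAME), None)
    ssid = fortinet_vsas(attrs).get(FORTINET_SSID)
    for p in policies:
        if policy_matches(p, user, ssid):
            # The group name goes back as Fortinet-Group-Name so the FortiGate
            # can map it with 'config match' / 'set group-name'.
            return "Access-Accept", encode_fortinet_vsa(FORTINET_GROUP_NAME, p["ad_group"])
    return "Access-Reject", b""


if __name__ == "__main__":
    req = build_request("alice", "WIFI 2")  # Grp1 member trying the Grp2 SSID
    print("Fortinet VSAs in request:", fortinet_vsas(decode_attrs(req)))
    print("weak policies :", evaluate(req, WEAK_POLICIES)[0])
    print("fixed policies:", evaluate(req, FIXED_POLICIES)[0])
```

The run with "alice" on "WIFI 2" is the thread's symptom: with the group-only policies she gets an Access-Accept carrying Fortinet-Group-Name "Grp1", and the FortiGate, whose user group for that SSID matches on that name, lets her in; with the SSID condition added, no policy matches and the result is Access-Reject. The same decoder applied to a PCAP of the real Access-Request is the check the answer recommends for seeing which attributes each SSID actually sends.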
Already done, it doesn't work.
The article below explains how to filter on the source attribute Called-Station-Id on the FortiAuthenticator RADIUS server:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-radius-profile...
No such option on my FortiGate 200E with firmware 7.2.3.
You need to create a RADIUS policy for each SSID, filtering on the source attribute criteria:
Vendor: Fortinet
Attribute ID: Fortinet SSID
Value (string): <SSID Name>
On the Windows Server 2022 Standard (NPS role):
Vendor Specific tab -> Add (Fortinet is not in the vendor list).
I add a Vendor-Specific attribute:
Enter vendor code: 12356
Yes, it conforms
Vendor code: 12356
Value: FortiClient_LDAP_Radius_HR
Attribute format: String
Vendor-assigned attribute number: 7
I tried with 6 too.
See attachment.
The command entered on the FortiGate 200E:
config user group
    # Name of the Active Directory security group
    edit "FortiClient_LDAP_Radius_HR"
        # Name of the RADIUS server entered on the FortiGate 200E box
        set member "AD - Radius"
        config match
            edit 1
                # Name of the RADIUS server entered on the FortiGate 200E box
                set server-name "AD - Radius"
                set group-name "FortiClient_LDAP_Radius_HR"
            next
        end
    next
end
Still the same problem: it works, but a user from another RADIUS security group can log on to every SSID.