Support Forum
Dipen
New Contributor III

WiFi Authentication using WPA2-Enterprise (RADIUS)

I have created an SSID on my FortiGate. I want users to connect to the SSID using AD credentials, hence I have configured RADIUS on my Domain Controller and configured the SSID to use WPA-Enterprise via RADIUS.

I checked the RADIUS server from the CLI and it is working fine:

diagnose test authserv radius <Server> mschap2 <user> <password>

The diag test command is successful.

However, when I try to connect to the SSID, it prompts for username/password, but I am unable to connect to the SSID.

Below is the SSID setting.

I do not get any logs in diagnose debug application fnbamd -1

However, if I create a local user group and specify the RADIUS server in the local group, then authenticate the SSID with the local group, it works after giving 3-4 warnings.

The user monitor shows the user authenticated as "WSSO".

The first row is from a laptop which is not a domain member. The second row is from a laptop which is a domain member.

I want to know what is the correct method of doing WPA-Enterprise auth. I do not want to use user-based policies.

Authentication should happen only at SSID connect.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Jeff_FTNT
Staff

WPA2-Enterprise + RADIUS: the RADIUS server needs to support EAP. Use the CLI: dia debug application wpad -1; it will have debug messages.

WPA2-Enterprise + user group (RADIUS server): no need for the RADIUS server to support EAP; the FGT uses proxy-EAP to support it. Use the CLI: dia debug application fn -1; it will have debug messages.

Hope it is helpful.

Dipen
New Contributor III

What is this WSSO stuff?

As told earlier, SSID --> RADIUS doesn't work; however, SSID --> Local Group --> RADIUS works.

If my client is already joined to the domain, will it ask for username/password?

I checked from a system which was not in the domain. It asked for a password and the user monitor shows "username".

I checked from a system which was in the domain. It didn't ask for a password and the user monitor shows "Domain\username".

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Jeff_FTNT
Staff

If your policy for "SSID --> outbound" has the same user group as the SSID setting, and you pass SSID authentication, it will not ask you to input user/password again. This is called WSSO.

Dipen
New Contributor III

Why are we getting the attached error?

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Jeff_FTNT
Staff

Import the CA certificate which signed the RADIUS server certificate to your PC. Thanks.

Dipen
New Contributor III

What's the difference between WSSO and RSSO?

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Jeff_FTNT
Staff

WSSO: if you pass SSID authentication, there is no need to do the same authentication on the policy.

RSSO: the FGT has an RSSO agent and receives RADIUS Accounting, which includes attributes like Framed-IP-Address and Class, etc. It permits a host whose IP matches Framed-IP-Address to pass the authentication policy. Hope it is helpful, thanks.
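The RSSO mechanism described in the reply above, as an added example that is not part of the original thread and not Fortinet's code: a minimal collector that receives a RADIUS Accounting-Request (RFC 2866), checks the Request Authenticator against the shared secret before trusting anything in it, and pulls out the attributes an RSSO agent keys on (User-Name, Framed-IP-Address, Class and Acct-Status-Type). The shared secret, the user "DOMAIN\dipen", the IP 10.1.20.55 and the group "wifi-users" are constructed sample values, and the packet is built locally so the script runs offline.

```python
"""Added example: what an RSSO collector does with a RADIUS Accounting-Request.

RFC 2866 Accounting-Request layout: Code(1) Identifier(1) Length(2)
Request Authenticator(16) Attributes...; the authenticator is
MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret).
Secret, user, IP and group below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

SAMPLE_SECRET = b"constructed-shared-secret"  # assumption: sample only, not a real secret


def build_accounting_request(secret, identifier, attrs):
    """Encode attributes as Type/Length/Value and compute a valid Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_authenticator(packet, secret):
    """Reject packets whose authenticator was not produced with our shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header, refusing malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def rsso_session(packet, secret):
    """Extract what an RSSO agent keys on: user, Framed-IP-Address, Class values, status."""
    if not verify_authenticator(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong secret or tampered packet")
    info = {"groups": []}
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            info["user"] = value.decode("utf-8", errors="replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            info["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_CLASS:
            # Class is what the FortiGate matches against RSSO group names by default
            info["groups"].append(value.decode("utf-8", errors="replace"))
        elif attr_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            info["status"] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "Unknown")
    return info


def build_sample_packet():
    """Constructed Accounting-Start for a domain user on 10.1.20.55 (sample data)."""
    return build_accounting_request(SAMPLE_SECRET, 7, [
        (ATTR_USER_NAME, b"DOMAIN\\dipen"),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.20.55").packed),
        (ATTR_CLASS, b"wifi-users"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    ])


if __name__ == "__main__":
    print(rsso_session(build_sample_packet(), SAMPLE_SECRET))
```

The authenticator check matters in practice: an Accounting-Request is unauthenticated UDP, so a collector that maps Framed-IP-Address to a user without verifying the MD5 authenticator against the shared secret would let anyone on the path inject a session for an arbitrary IP.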
