I have created an SSID on my FortiGate. I want users to connect to the SSID using AD credentials. Hence I have configured RADIUS on my Domain Controller and configured the SSID to use WPA-Enterprise via RADIUS.
I checked the RADIUS server from the CLI and it is working fine:
diagnose test authserv radius <Server> mschap2 <user> <password>
The diag test command is successful.
However, when I try to connect to the SSID, it prompts for username/password, but I am unable to connect to the SSID.
Below is the SSID setting.
I do not get any logs in diagnose debug application fnbamd -1
However, if I create a local user group, specify the RADIUS server in the local group, and then authenticate the SSID with the local group, it works after giving 3-4 warnings.
User monitor shows the user authenticated as "WSSO".
The first row is from a laptop which is not a domain member. The second row is from a laptop which is a domain member.
I want to know what the correct method of doing WPA-Enterprise auth is. I do not want to use user-based policies.
Authentication should happen only at SSID connect.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
WPA2-Enterprise + RADIUS: the RADIUS server needs to support EAP. Use CLI: dia debug application wpad -1 , it will have debug messages.
WPA2-Enterprise + user group (RADIUS server): the RADIUS server does not need to support EAP; FGT uses Proxy-EAP to support it. Use CLI: dia debug application fn -1 , it will have debug messages.
Hope this is helpful.
What is this WSSO stuff?
As mentioned earlier, SSID --> RADIUS doesn't work; however, SSID --> Local Group --> RADIUS works.
If my client is already joined to the domain, will it ask for username/password?
I checked from a system which was not in the domain. It asked for a password and User Monitor shows "username".
I checked from a system which was in the domain. It didn't ask for a password and User Monitor shows "Domain\username".
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
If your policy for "SSID --> outbound" has the same user group as the SSID setting, then once you pass SSID authentication it will not ask you to input user/password again; this is called WSSO.
Import the CA certificate which signed the RADIUS server certificate to your PC. Thanks.
What's the difference between WSSO and RSSO?
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
WSSO: if you pass SSID authentication, there is no need to do the same authentication on the policy.
RSSO: FGT has an RSSO agent and receives RADIUS Accounting, which includes attributes like Framed-IP-address and Class, etc.; it permits a host whose IP matches Framed-IP-address to pass the authentication policy. Hope it is helpful, thanks.