- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Windows domain authentication (PEAP) for wifi
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 06-26-2007 11:21 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows domain authentication (PEAP) for wifi
Is there a way to set up PEAP authentication against Windows AD? For example, the goal we are trying to achieve is for a user who is in wifi range to be automatically connected to the wifi network using WPA encryption and Windows domain credentials. In other solutions the AP talks to the Windows IAS server, which is set up to allow access based on Windows domain groups. Is anything like this possible using the wifi 60a?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(I realize this post is old, but this needs to be written.)
Yes, using Windows RADIUS (aka IAS).
------Windows IAS--------
Install IAS.
Create a RADIUS Client entry for your FortiWifi (and assign password)
Create a Windows group in AD to which you will assign your Wifi-enabled users to (or use existing group)
Create a Remote Access Policy.
Add a Policy Condition that says " Windows-Group matches " DOMAIN\Group" .
IF You have multiple clients (a RADIUS client is NOT a Wireless user/client, but a FortiGate or several, instead) that will access the RADIUS server, add a Policy Condition that says " NAS-IP-Address" . Hint, you can have multiple instances of the SAME IAS RADIUS server on a FortiGate WHEN you use the option of NAS-IP-Address (available on older versions through CLI). We don' t use a real IP, just a number that will match the policy we want to use. This way you can use the same RADIUS server that will give DOMAIN ADMINS access to login to the firewall, while at the same time using another group for WPA.
Check Grant remote access.
Click Edit Profile.
Click Advanced tab.
Add Service-Type of Framed.
Add Framed-MTU to usually no larger than 1435.
Click Authentication tab.
Uncheck all options except MS-CHAP v2.
Click EAP Methods.
Edit Protected EAP.
Pray that you have an appropriate Security Cert already installed.
Add EAP Type of " Secured password (EAP-MSCHAP v2)" .
Turn on Fast Reconnect if you like.
Click Ok.
Click Ok again.
Click the IP Tab.
Set ' Client may request an IP address' .
Click ok.
You may add other constraints, but this will get WPA up and running.
------End Windows IAS--------
---------User Objects----------
Edit each user and enable Remote Access from the Dial-in tab.
------End User Object---------
------FortiWifi-------------------
Under User, choose RADIUS.
Add your RADIUS server with IP and secret you chose when creating the RADIUS client on IAS.
Add NAS IP/Called Station ID IF you choose to use the same RADIUS. This doesn' t have to be a real IP, as it' s never used for communication. It acts as an ID, but in the format of an IP. I use 1.1.1.1, then 1.1.1.2 etc. Again, this will allow you to use the same RADIUS server for multiple purposes on the FortiGates. Ultimately, this equates a Windows group to a RADIUS server entry - so you can name your RADIUS entry to match the Windows Group to which it is " associated" .
Click Ok.
Under the System menu, choose Wireless.
Choose existing Wireless interface or create a new one.
Under Wireless settings, set Security Mode to WPA or WPA2 (AKA WPA-Enterprise).
Set Data Encryption to TKIP or AES - whatever combination your CLIENTS will support.
For Authentication, set RADIUS server to the entry you' ve just create in the User section.
Click Ok.
------End of FortiWifi-------------------
--Windows XP Client w/ WZC & SP2--
View properties of your Wireless adapter.
Add a Preferred network for your WPA SSID.
Set network authentication to WPA (or WPA2 if supported) to match settings on FortiGate. (No, not PSK)
Set Data Encryption to TKIP or AES, again to match FortiGate.
Click Authentication Tab, set EAP type to Protected EAP.
Uncheck Authenticate as computer when computer information is available. (You could in this case use machine objects to authenticate - but if that machine gets ripped off, they have access to your network - so it' s a bad idea).
Click Properties.
Uncheck Valid server cert.
Set ' Select Authentication Method' to Secured password (EAP-MSCHAP v2).
Enable Fast Reconnect.
Click configure.
If you set the option to " Automatically use my Windows logon name and password (and domain if any)" - IT WILL ALWAYS USE " DOMAIN\USER" or " COMPUTER\USER" . If you uncheck this option, you WILL be prompted when that SSID is in range! If these are domain users on domain member laptops, then leave it checked.
Click ok.
Click ok.
Click ok.
Click ok.
--End Windows XP Client w/ WZC & SP2--
Other clients.
Good luck. Realize that not all WiFi adapters support WPA/WPA2. Not all Wireless client suite software supports WPA.
This also works with Windows 2000 IAS. Vista client works as well ' out of the box' with Vista' s WZC. Also tested with Mac Mini and MacBook Pro.
WPA is the best and most secure way to deploy Wireless in a Windows (or RADIUS-enabled) environment.
Ben McFortiGate - Over 200 deployed.
FCNSP Direct FortiNet FTP Link
Ben McFortiGate - Over 200 deployed. FCNSP Direct FortiNet FTP Link
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(I realize this post is old, but this needs to be written.)
Yes, using Windows RADIUS (aka IAS).
------Windows IAS--------
Install IAS.
Create a RADIUS Client entry for your FortiWifi (and assign password)
Create a Windows group in AD to which you will assign your Wifi-enabled users to (or use existing group)
Create a Remote Access Policy.
Add a Policy Condition that says " Windows-Group matches " DOMAIN\Group" .
IF You have multiple clients (a RADIUS client is NOT a Wireless user/client, but a FortiGate or several, instead) that will access the RADIUS server, add a Policy Condition that says " NAS-IP-Address" . Hint, you can have multiple instances of the SAME IAS RADIUS server on a FortiGate WHEN you use the option of NAS-IP-Address (available on older versions through CLI). We don' t use a real IP, just a number that will match the policy we want to use. This way you can use the same RADIUS server that will give DOMAIN ADMINS access to login to the firewall, while at the same time using another group for WPA.
Check Grant remote access.
Click Edit Profile.
Click Advanced tab.
Add Service-Type of Framed.
Add Framed-MTU to usually no larger than 1435.
Click Authentication tab.
Uncheck all options except MS-CHAP v2.
Click EAP Methods.
Edit Protected EAP.
Pray that you have an appropriate Security Cert already installed.
Add EAP Type of " Secured password (EAP-MSCHAP v2)" .
Turn on Fast Reconnect if you like.
Click Ok.
Click Ok again.
Click the IP Tab.
Set ' Client may request an IP address' .
Click ok.
You may add other constraints, but this will get WPA up and running.
------End Windows IAS--------
---------User Objects----------
Edit each user and enable Remote Access from the Dial-in tab.
------End User Object---------
------FortiWifi-------------------
Under User, choose RADIUS.
Add your RADIUS server with IP and secret you chose when creating the RADIUS client on IAS.
Add NAS IP/Called Station ID IF you choose to use the same RADIUS. This doesn' t have to be a real IP, as it' s never used for communication. It acts as an ID, but in the format of an IP. I use 1.1.1.1, then 1.1.1.2 etc. Again, this will allow you to use the same RADIUS server for multiple purposes on the FortiGates. Ultimately, this equates a Windows group to a RADIUS server entry - so you can name your RADIUS entry to match the Windows Group to which it is " associated" .
Click Ok.
Under the System menu, choose Wireless.
Choose existing Wireless interface or create a new one.
Under Wireless settings, set Security Mode to WPA or WPA2 (AKA WPA-Enterprise).
Set Data Encryption to TKIP or AES - whatever combination your CLIENTS will support.
For Authentication, set RADIUS server to the entry you' ve just create in the User section.
Click Ok.
------End of FortiWifi-------------------
--Windows XP Client w/ WZC & SP2--
View properties of your Wireless adapter.
Add a Preferred network for your WPA SSID.
Set network authentication to WPA (or WPA2 if supported) to match settings on FortiGate. (No, not PSK)
Set Data Encryption to TKIP or AES, again to match FortiGate.
Click Authentication Tab, set EAP type to Protected EAP.
Uncheck Authenticate as computer when computer information is available. (You could in this case use machine objects to authenticate - but if that machine gets ripped off, they have access to your network - so it' s a bad idea).
Click Properties.
Uncheck Valid server cert.
Set ' Select Authentication Method' to Secured password (EAP-MSCHAP v2).
Enable Fast Reconnect.
Click configure.
If you set the option to " Automatically use my Windows logon name and password (and domain if any)" - IT WILL ALWAYS USE " DOMAIN\USER" or " COMPUTER\USER" . If you uncheck this option, you WILL be prompted when that SSID is in range! If these are domain users on domain member laptops, then leave it checked.
Click ok.
Click ok.
Click ok.
Click ok.
--End Windows XP Client w/ WZC & SP2--
Other clients.
Good luck. Realize that not all WiFi adapters support WPA/WPA2. Not all Wireless client suite software supports WPA.
This also works with Windows 2000 IAS. Vista client works as well ' out of the box' with Vista' s WZC. Also tested with Mac Mini and MacBook Pro.
WPA is the best and most secure way to deploy Wireless in a Windows (or RADIUS-enabled) environment.
Ben McFortiGate - Over 200 deployed.
FCNSP Direct FortiNet FTP Link
Ben McFortiGate - Over 200 deployed. FCNSP Direct FortiNet FTP Link
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortinetclient SSL VPN Unable to use... 222 Views
- Issue L2TP over IPSEC with Radius... 264 Views
- Fortigate and active directory integration 274 Views
- plain hostname entry in DNS-server without... 283 Views
- Persistent agent not showing the windows... 214 Views
Labels
-
FortiGate
7,115 -
FortiClient
1,402 -
5.2
801 -
5.4
639 -
FortiManager
616 -
FortiAnalyzer
451 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
277 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
101 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
38 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
Routing
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
NAT
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
OSPF
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
FortiDB
3 -
DLP sensor
3 -
DoS policy
3 -
Email filter profile
3 -
Fabric connector
2 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Internet Service Database
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1057 | |
| 874 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.