Support Forum
Adminforti
New Contributor

RADIUS in server mode on five SSIDs with different access groups

My configuration:

FortiGate 200E Firmware 7.2.3

Access points: FortiAP-231F x 20

Server: Windows 2022 Standard, NPS (RADIUS) role


I am looking for a configuration that allows the use of RADIUS for the different WiFi SSIDs in "RADIUS server" mode rather than local.


We have 5 different WiFi SSIDs on each FortiAP-231F access point.

We have created 5 different groups for the users of each SSID:

Active Directory security group "Grp1" for SSID WIFI 1, "Grp2" for SSID WIFI 2, "Grp3" for SSID WIFI 3, "Grp4" for SSID WIFI 4, "Grp5" for SSID WIFI 5.


The Windows 2022 "NPS" RADIUS server communicates well with our FortiGate 200E firewall, but it only works for one group:

The security group "Grp1" for SSID WIFI 1 works in RADIUS server mode, but if I activate "Grp2" for SSID WIFI 2, users of "Grp1" and "Grp2" can connect to both SSID WIFI 1 and 2.

We want users of "Grp1" to be able to connect only to SSID WIFI 1 and not to both; likewise for "Grp2".

The condition doesn't work.

 

ndumaj
Staff

Hello,

Yep, you can achieve this by using a source attribute.
You need to create for each SSID a RADIUS policy filtering on a source attribute criterion:
Vendor: Fortinet
Attribute ID: Fortinet SSID
Value (string): <SSID Name>
The FortiGate, as RADIUS client, sends the SSID name as an attribute to the RADIUS server, in this case NPS. In a RADIUS debug log on the server (or a PCAP) you can verify which attributes you receive for each SSID.

The article below explains how to filter on the source attribute Called-Station-ID on the FortiAuthenticator RADIUS server:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-radius-profile...

So you first need to filter on the SSID source attribute criterion, then validate the user and send back the RADIUS attribute User Group Name "Grp1", "Grp2" etc.
User Group Name is an attribute returned by the NPS RADIUS server in order to match the group created on the FortiGate:
config user group
    edit "Group1"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Grp1"
            next
        end
    next
end

Additionally VSAs article that might also help you:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-s-RADIUS-Dictionary-and-VSAs-late...

BR

- Happy to help, hit like and accept the solution -
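To make the mechanism in the reply above concrete, here is an added example that is not part of the thread and is not Fortinet's or Microsoft's code. It encodes and decodes the RADIUS attributes involved (RFC 2865 attributes and Fortinet Vendor-Specific Attributes under enterprise number 12356), then evaluates a per-SSID policy the way the reply describes: filter on the SSID attribute first, check the user's group, and only then return the group-name VSA that the FortiGate's "config user group ... config match" block compares with "set group-name". The attribute numbers Fortinet-SSID = 7 and Fortinet-Group-Name = 1 come from Fortinet's public RADIUS dictionary; the user directory and SSID table are constructed test data, and the "<AP MAC>:<SSID>" layout used for Called-Station-Id is an assumption. The check_ssid=False path reproduces the symptom reported in the thread, where policies that test group membership alone accept a user on any SSID.

```python
import struct

# RADIUS attribute types from RFC 2865.
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLED_STATION_ID = 30

# Fortinet's IANA enterprise number (the "12356" from the thread) and the two
# VSAs in play, numbered as in Fortinet's public RADIUS dictionary.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1   # returned by the server; FortiGate matches group-name on it
FORTINET_SSID = 7         # sent by the FortiGate for a wireless client

# Constructed test data: AD group membership and one policy per SSID,
# each SSID tied to exactly one group.
USER_GROUPS = {"alice": {"Grp1"}, "bob": {"Grp2"}, "carol": {"Grp1", "Grp2"}}
SSID_POLICY = {"WIFI 1": "Grp1", "WIFI 2": "Grp2", "WIFI 3": "Grp3",
               "WIFI 4": "Grp4", "WIFI 5": "Grp5"}


def encode_attr(attr_type, value):
    """RFC 2865 attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) then one vendor Type(1) Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_attrs(data):
    """Parse an attribute section into (type, vendor_id, vendor_type, value)
    tuples; vendor fields are None for standard attributes. Only the first
    sub-attribute of each VSA is read, which is how FortiGate sends them.
    Bad lengths raise ValueError instead of being skipped silently."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short VSA")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad VSA length")
            out.append((attr_type, vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append((attr_type, None, None, value))
        pos += length
    return out


def build_request(user, ssid, ap_mac="00:11:22:33:44:55"):
    """Constructed Access-Request attributes as a FortiGate would send them for a
    wireless client. The Called-Station-Id layout "<AP MAC>:<SSID>" is an
    assumption here; the Fortinet-SSID VSA is what the policy filters on."""
    return (encode_attr(ATTR_USER_NAME, user.encode())
            + encode_attr(ATTR_CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())
            + encode_vsa(FORTINET_VENDOR_ID, FORTINET_SSID, ssid.encode()))


def evaluate(request_attrs, check_ssid=True):
    """Server-side policy. With check_ssid=True the SSID attribute is a
    condition of each policy, so a user only gets the group that belongs to the
    SSID being joined. With check_ssid=False the policies test group membership
    alone, which reproduces the thread's symptom: the first policy whose group
    the user holds accepts them on any SSID."""
    user = ssid = None
    for attr_type, vendor_id, vtype, value in request_attrs:
        if attr_type == ATTR_USER_NAME:
            user = value.decode()
        elif (attr_type == ATTR_VENDOR_SPECIFIC and vendor_id == FORTINET_VENDOR_ID
              and vtype == FORTINET_SSID):
            ssid = value.decode()
    groups = USER_GROUPS.get(user, set())
    if not check_ssid:
        for allowed in SSID_POLICY.values():
            if allowed in groups:
                return ("Access-Accept", allowed)
        return ("Access-Reject", "user in no wireless group")
    required = SSID_POLICY.get(ssid)
    if required is None:
        return ("Access-Reject", "no policy for this SSID")
    if required not in groups:
        return ("Access-Reject", "user not in the group for this SSID")
    return ("Access-Accept", required)


def build_reply(group_name):
    """Access-Accept attributes: the Fortinet-Group-Name VSA the FortiGate
    compares with 'set group-name' in 'config user group'."""
    return encode_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, group_name.encode())


def group_name_from_reply(reply_attrs):
    """What the FortiGate extracts from the reply to match its user group."""
    for attr_type, vendor_id, vtype, value in reply_attrs:
        if (attr_type == ATTR_VENDOR_SPECIFIC and vendor_id == FORTINET_VENDOR_ID
                and vtype == FORTINET_GROUP_NAME):
            return value.decode()
    return None


if __name__ == "__main__":
    for user, ssid in [("alice", "WIFI 1"), ("alice", "WIFI 2"), ("bob", "WIFI 1")]:
        attrs = decode_attrs(build_request(user, ssid))
        print(user, ssid, "with SSID condition:", evaluate(attrs),
              "| without:", evaluate(attrs, check_ssid=False))
```

The decoder is also a handy way to read the attribute dump from a RADIUS debug log or PCAP: if the Access-Request lacks a VSA with vendor 12356 / type 7, no SSID condition on the server can match, and if the Access-Accept lacks vendor 12356 / type 1, the FortiGate has nothing to compare against its group-name.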
Adminforti

Already done, it doesn’t work.

 

Article below explains how to filter on the source attribute Called-Station-ID on the FortiAuthenticator RADIUS server:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-radius-profile...

No such option on my FortiGate 200E, version 7.2.3

You need to create for each SSID a RADIUS policy filtering on source attribute criteria:
Vendor: Fortinet
Attribute ID: Fortinet SSID
Value (string): <SSID Name>

 

On the standard 2022 server (NPS role)

 

Vendor-Specific tab -> Add (in the vendor list I don't have FortiGate).

I add Vendor-Specific:

Enter the vendor code: 12356

Yes, it is compliant

Vendor code: 12356

Value: FortiClient_LDAP_Radius_HR

Attribute format: String

Vendor-assigned attribute number: 7

I tried with 6 too

 

See attached images: Radius RH.JPG, Radius RH 2.JPG

 

The command entered on the FortiGate 200E:

 

config user group
    edit "FortiClient_LDAP_Radius_HR"
        # Name of the Active Directory security group
        set member "AD - Radius"
        # Name of the RADIUS server entered on the FortiGate 200E box
        config match
            edit 1
                set server-name "AD - Radius"
                # Name of the RADIUS server entered on the FortiGate 200E box
                set group-name "FortiClient_LDAP_Radius_HR"
            next
        end
    next
end

 

Still the same problem: it works, but users from another RADIUS security group can log on to every SSID.
