FortiWiFi and FortiAP Cookbook, version 6.4.0

WiFi with WSSO using Windows NPS and user groups

You can configure wireless single sign-on (WSSO) using a Network Policy Server (NPS) and FortiGate user groups.

In the following example, the WiFi users are students at a school. The user group corresponds to a Windows Active Directory (AD) group called WiFiAccess. When a user enters a WiFi user name and password, the FortiGate checks the local user group, WiFi. Because this group is backed by a Remote Authentication Dial-In User Service (RADIUS) server, the FortiGate authenticates the user against the NPS (the RADIUS server). If authentication succeeds, the FortiGate looks for a security policy that grants the WiFi group access.

To configure WSSO using Windows NPS and user groups:
  1. Register the FortiGate as a RADIUS client on the NPS:
    1. In the NPS, go to RADIUS Clients and Servers > RADIUS Clients.
    2. Right-click RADIUS Clients and select New.
    3. Enter the FortiGate information:
      • Name
      • IP address (172.20.120.142)
      • Shared secret (password)
    4. Click OK.
    5. The FortiGate properties view:

  2. Create a connection request policy:
    1. Go to Policies > Connection Request Policies.
    2. Right-click Connection Request Policies and select New.
    3. Enter the policy name (WiFi) and select the type of network access server.
    4. Click Next. The Specify Conditions window opens.
    5. Click Add and under Connection Properties, select Client IPv4 Address.
    6. Configure the Client IPv4 Address as the FortiGate IP address.
    7. Keep clicking Next and leave the default settings until you can click Finish.

  3. Create a network policy:
    1. Go to Policies > Network Policies.
    2. Right-click Network Policies and select New.
    3. Enter the policy name (WiFi-Access) and select the type of network access server.
    4. Click Next. The Specify Conditions window opens.
    5. Click Add and under Groups, select Windows Groups.
    6. Click Add Groups and enter the Windows AD group, WiFiAccess, as the object name to select.
    7. Click OK, then Next twice to advance to the Configure Authentication Methods window.
    8. For EAP Types, click Add and select Microsoft: Protected EAP (PEAP).
    9. Click OK.
    10. For Less secure authentication methods, make sure only the Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) and User can change password after it has expired checkboxes are selected.
    11. Keep clicking Next and leave the default settings until you can click Finish.

      The WiFi-Access network policy conditions properties view:

      The WiFi-Access network policy constraints properties view:

  4. Configure the FortiGate to use the RADIUS server:
    1. In FortiOS, go to User & Device > RADIUS Servers.
    2. Click Create New.
    3. Enter the server information:
      • Name (DC-RADIUS)
      • Authentication method (click Specify and select MS-CHAP-v2)
      • Domain controller IP address
      • Server secret

    4. Optionally, you can click Test Connectivity. After you enter the user ID and password, the result should be successful.
    5. Click OK.
  5. Configure the WiFi user group:
    1. Go to User & Device > User Groups.
    2. Click Create New.
    3. Enter the user group information:
      • Name
      • Type (select Firewall)
    4. Under Remote Groups, click Add. The Add Group Match pane opens.
    5. In the Remote Server dropdown, select the RADIUS server you just configured (DC-RADIUS).
    6. For Groups, click Any.
    7. Click OK to add the server.
    8. Click OK to save the user group.
  6. Create an SSID with RADIUS authentication:
    1. Go to WiFi & Switch Controller > SSID.
    2. Click Create New > SSID.
    3. Configure the interface and enable DHCP Server.
    4. Click Create New to add the address range.

    5. Configure the WiFi Settings section:
      • For Security Mode, select WPA2 Enterprise.
      • For Authentication, click Local and add the WiFi user group.

    6. Click OK.
  7. Create a security policy:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New.
    3. Configure the policy to have the SSID you created in step 6 as the Incoming Interface and the WiFi user group you created in step 5 as the Source.
    4. Configure other settings as needed.
    5. Click OK.
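
The FortiOS CLI equivalent of steps 4 to 7, as an added example that is not part of the cookbook (the cookbook shows only the GUI). The NPS address (192.0.2.10), the shared secret placeholder, the SSID and interface names (student-wifi, Student-WiFi), the WiFi subnet (10.10.80.0/24) and the outbound interface (wan1) are assumed values; the object names DC-RADIUS and WiFi are the ones the cookbook uses. Mirroring the GUI choice "Groups: Any" in step 5, the group simply lists the RADIUS server as a member with no `config match` entry, so any account the NPS accepts (which, under the WiFi-Access network policy, means a member of WiFiAccess) lands in the WiFi group.

```fortios
# Added example, not from the cookbook. Assumed values are marked.

# Step 4: RADIUS server object, MS-CHAP-v2 as in "Specify > MS-CHAP-v2".
config user radius
    edit "DC-RADIUS"
        set server "192.0.2.10"                  # NPS / domain controller IP (assumed)
        set secret "REPLACE_WITH_SHARED_SECRET"  # must equal the NPS RADIUS client secret
        set auth-type ms_chap_v2
        set source-ip 172.20.120.142             # optional: pin the source address the NPS sees
    next
end

# Step 5: firewall user group that defers to the RADIUS server (Groups = Any).
config user group
    edit "WiFi"
        set group-type firewall
        set member "DC-RADIUS"
    next
end

# Step 6: SSID with WPA2 Enterprise and local (user group) authentication.
config wireless-controller vap
    edit "student-wifi"                          # interface name (assumed)
        set ssid "Student-WiFi"                  # broadcast SSID (assumed)
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "WiFi"
        set schedule "always"
    next
end

# Step 6 (interface + DHCP server): address the SSID interface and hand out leases.
config system interface
    edit "student-wifi"
        set ip 10.10.80.1 255.255.255.0          # WiFi subnet (assumed)
        set allowaccess ping
    next
end
config system dhcp server
    edit 0
        set interface "student-wifi"
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.80.10
                set end-ip 10.10.80.200
            next
        end
    next
end

# Step 7: security policy with the SSID as Incoming Interface and the group as Source.
config firewall policy
    edit 0
        set name "WiFi-to-Internet"
        set srcintf "student-wifi"
        set dstintf "wan1"                       # outbound interface (assumed)
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "WiFi"
        set nat enable
    next
end
```

Two checks worth running from the FortiGate CLI. The RADIUS leg can be exercised without a wireless client with `diagnose test authserver radius DC-RADIUS mschap2 <user> <password>`, which is the CLI counterpart of Test Connectivity in step 4 and is useful when the NPS rejects the request: the connection request policy in step 2 matches on Client IPv4 Address, so the address the NPS sees as the RADIUS client (172.20.120.142 in the cookbook) must be the source address of the FortiGate's RADIUS packets, which `set source-ip` makes explicit on a multi-interface unit. After a client has connected, `diagnose firewall auth list` shows the authenticated user, its group and IP address, matching what Monitor > Firewall User Monitor displays in the verification steps.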

To verify the WSSO authentication:
  1. Using the credentials of a user who belongs to the Windows AD WiFiAccess group:
    1. Try connecting to the WiFi network.
    2. Get authenticated.
    3. Browse the internet.
  2. In FortiOS, go to Monitor > Firewall User Monitor.

    For the credentials you tested, you can view the user name, user group, IP address, and whether the WSSO authentication method was used.
