Configuring user authentication
You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy.
You can use the following methods to authenticate connecting clients:
- WPA2 Enterprise authentication
- WiFi single sign-on (WSSO) authentication
- Assigning WiFi users to VLANs dynamically
- MAC-based authentication
- Authenticating guest WiFi users
- Authenticating wireless clients with SAML credentials
WPA2 Enterprise authentication
WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. However, the more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise and captive portal security provide separate credentials for each user. User accounts can be managed through FortiGate user groups or an external RADIUS authentication server.
Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server. Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be configured in the SSID. WiFi users can belong to user groups just the same as wired users and security policies will determine which network services they can access.
If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the FortiGate unit to connect to that RADIUS server.
Configuring connection to a RADIUS server - GUI:
- Go to User & Authentication > RADIUS Servers and select Create New.
- Enter a Name for the server. This name is used in FortiGate configurations; it is not the actual name of the server.
- In the Primary Server area:
  - IP/Name — enter the network name or IP address for the server.
  - Secret — enter the shared secret used to access the server.
- Optionally, enter the information for a secondary or backup RADIUS server.
- Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI:
config user radius
edit exampleRADIUS
set auth-type auto
set server 10.11.102.100
set secret aoewmntiasf
end
To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Defining a wireless network interface (SSID) and WPA2 Security.
To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to a FortiGate user group, making all accounts on that server members of the user group.
Creating a wireless user group
Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi users, you should create at least one WiFi user group. You can add or remove users later. There are two types of user group to consider:
- A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials. For instructions on how to configure locally stored user groups, see Basic wireless network example.
- A Fortinet single sign-on (FSSO) user group is used for integration with Windows Active Directory or Novell eDirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN.
WiFi single sign-on (WSSO) authentication
WSSO is RADIUS-based authentication that passes the user's user group memberships to the FortiGate. For each user, the RADIUS server must provide user group information in the Fortinet-Group-Name attribute. This information is stored in the server's database. After the user authenticates, security policies provide access to network services based on user groups.
- Configure the RADIUS server to return the Fortinet-Group-Name attribute for each user.
- Configure the FortiGate to access the RADIUS server, as described in WPA2 Enterprise authentication.
- Create firewall user groups on the FortiGate with the same names as the user groups listed in the RADIUS database. Leave the groups empty.
- In the SSID choose WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you configured.
- Create security policies as needed, using user groups (Source User(s) field) to control access.
For configuration information, see Configuring WiFi with WSSO using Windows NPS and user groups.
When a user authenticates by WSSO, the Firewall Users widget (Dashboard > Users & Device) shows the authentication method as WSSO.
Assigning WiFi users to VLANs dynamically
Some enterprise networks use Virtual LANs (VLANs) to separate traffic. In this environment, to extend network access to WiFi users might appear to require multiple SSIDs. But it is possible to automatically assign each user to their appropriate VLAN from a single SSID. To accomplish this requires RADIUS authentication that passes the appropriate VLAN ID to the FortiGate by RADIUS attributes. Each user's VLAN assignment is stored in the user database of the RADIUS server.
- Configure the RADIUS server to return the following attributes for each user:
  Tunnel-Type (value: "VLAN")
  Tunnel-Medium-Type (value: "IEEE-802")
  Tunnel-Private-Group-Id (value: the VLAN ID for the user's VLAN)
- Configure the FortiGate to access the RADIUS server.
- Configure the SSID with WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you will use.
- Create VLAN subinterfaces on the SSID interface, one for each VLAN. Set the VLAN ID of each to match the IDs that the RADIUS server returns. You can do this on the Network > Interfaces page.
- Enable Dynamic VLAN assignment for the SSID. For example, if the SSID interface is "office", enter:
config wireless-controller vap
edit office
set dynamic-vlan enable
end
- Create security policies for each VLAN. These policies have a WiFi VLAN subinterface as Incoming Interface and allow traffic to flow to whichever Outgoing Interface these VLAN users will be allowed to access.
MAC-based authentication
You can authenticate wireless clients by MAC address. A RADIUS server stores the allowed MAC address for each client, and the wireless controller checks the MAC address independently of other authentication methods. Because a client's MAC address is transmitted in the clear and can be changed by the user, MAC-based authentication identifies a device rather than proving its identity; use it alongside WPA2 Enterprise or MPSK rather than as the only access control.
MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing SSID "vap1", using the RADIUS server hq_radius (already configured on the FortiGate):
config wireless-controller vap
edit vap1
set radius-mac-auth enable
set radius-mac-auth-server hq_radius
end
See also Adding a MAC filter
Combined MAC and MPSK based authentication
You can also use a combined MAC and MPSK based authentication to authenticate wireless clients against a RADIUS server. Instead of statically storing the MPSK passphrase(s) on the FortiGate, it can be passed from the RADIUS server dynamically when the client MAC is authenticated by the RADIUS server. The resulting passphrase will be cached on the FortiGate for future authentication, with a timeout configured for each VAP.
When a WiFi client first attempts to connect to the SSID and enters a password, the user is "registered" on the RADIUS server, which stores the client's MAC address and generates a passphrase for that device or group. When the user then connects to the FortiAP SSID using WPA2-Personal, the FortiGate wireless controller dynamically authenticates the device's MAC address using RADIUS-based MAC authentication.
If authentication is successful, the RADIUS server returns a Tunnel-Password attribute for that device or group. If the passphrase the client supplied matches it, the client connects to the SSID and is placed in a VLAN (if one is specified).
To implement MAC and MPSK based authentication, you must first configure the RADIUS server and MPSK profile. Then you can configure authentication based on how the client connects to the SSID.
To configure the RADIUS server and MPSK profile:
- Configure a RADIUS server:
config user radius
edit "peap"
set server "172.16.200.55"
set secret ********
next
end
- Configure the MPSK profiles:
config wireless-controller mpsk-profile
edit "wifi.fap.01"
set ssid "wifi-ssid.fap.01"
config mpsk-group
edit "g1"
config mpsk-key
edit "p1"
set passphrase ********
set mpsk-schedules "always"
next
end
next
end
next
edit "wifi.fap.02"
set ssid "wifi-ssid.fap.02"
config mpsk-group
edit "g1"
config mpsk-key
edit "p1"
set passphrase ********
set mpsk-schedules "always"
next
end
next
end
next
end
- Check that PMK values are cached in the MPSK profiles on the FortiGate:
show wireless-controller mpsk-profile
edit "wifi.fap.01"
set ssid "wifi-ssid.fap.01"
config mpsk-group
edit "g1"
config mpsk-key
edit "p1"
set passphrase *****
set pmk ENC ***
set mpsk-schedules "always"
next
end
next
end
next
edit "wifi.fap.02"
set ssid "wifi-ssid.fap.02"
config mpsk-group
edit "g1"
config mpsk-key
edit "p1"
set passphrase ****
set pmk ENC ***
set mpsk-schedules "always"
next
end
next
end
next
end
After you've configured the RADIUS server and MPSK profile, you can configure MAC and MPSK based authentication based on how the client connects to the SSID:
- If the client connects to the SSID in tunnel mode, the MPSK key is cached on the FortiGate.
- If the client connects to the SSID in bridging mode, the MPSK key is cached on the FortiAP.
To enable the RADIUS MAC Authentication - GUI:
- Go to WiFi & Switch Controller > SSIDs, and click Create New > SSID or edit an existing SSID.
- In Security mode, select WPA2 Personal.
- Under Pre-shared Key Mode, select Multiple.
- Enable RADIUS MAC authentication. The Authentication timeout field appears; it can be set between 1800 and 86400 seconds.
- Enable RADIUS server and select a server.
- When you are finished, click OK.
To configure MAC and MPSK authentication in tunnel mode:
- Configure the wireless controller VAP, enable radius-mac-auth and radius-mac-mpsk-auth, and select the MPSK profile with mpsk-profile:
config wireless-controller vap
edit "wifi.fap.01"
set ssid "wifi-ssid.fap.01"
set radius-mac-auth enable
set radius-mac-auth-server "peap"
set radius-mac-mpsk-auth enable
set radius-mac-mpsk-timeout 1800
set schedule "always"
set mpsk-profile "wifi.fap.01"
next
end
- On the RADIUS server, set a Tunnel-Password attribute in the example MAC account "F8-E4-E3-D8-5E-AF":
F8-E4-E3-D8-5E-AF Cleartext-Password := "F8-E4-E3-D8-5E-AF"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 100,
Tunnel-Password = "111111111111",
Fortinet-Group-Name = group_mac
- Confirm the example client (MAC f8:e4:e3:d8:5e:af) can connect to the SSID using the same Tunnel-Password passphrase "111111111111":
# diagnose wireless-controller wlac -d sta online
vf=1 wtp=7 rId=2 wlan=wifi.fap.01 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=F8-E4-E3-D8-5E-AF group=group_mac signal=-33 noise=-95 idle=3 bw=1 use=6 chan=149 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
rad_mac_auth=allow age=12
- Verify that the RADIUS MPSK is cached on the FortiGate:
# diagnose wpa wpad radius-mac-mpsk wifi-ssid.fap.01
SSID config: SSID(wifi-ssid.fap.01) VAP(wifi.fap.01) refcnt(1)
Total RADIUS MPSK cache count: (1)
mac-binding: f8:e4:e3:d8:5e:af
vlan-id: 100
expiration: 1785 seconds
- MAC and MPSK based authentication is successfully implemented.
To configure MAC and MPSK authentication in bridge mode:
- Configure the wireless controller VAP for local bridging and standalone authentication, enable radius-mac-auth and radius-mac-mpsk-auth, and select the MPSK profile with mpsk-profile:
config wireless-controller vap
edit "wifi.fap.02"
set ssid "wifi-ssid.fap.02"
set radius-mac-auth enable
set radius-mac-auth-server "peap"
set radius-mac-mpsk-auth enable
set radius-mac-mpsk-timeout 1800
set local-standalone enable
set local-bridging enable
set local-authentication enable
set schedule "always"
set mpsk-profile "wifi.fap.02"
next
end
- Confirm the example client (MAC f8:e4:e3:d8:5e:af) can now connect to the above local-standalone SSID using the same Tunnel-Password passphrase "111111111111":
FortiAP-231F # sta
wlan11 (wifi-ssid.fap.02) client count 1
MAC:f8:e4:e3:d8:5e:af ip:10.100.100.231 ip_proto:dhcp ip_age:74 host:fosqa-PowerEdge-R210 vci:
vlanid:0 Auth:Yes channel:149 rate:48Mbps rssi:65dB idle:11s
Rx bytes:6095 Tx bytes:1719 Rx rate:87Mbps Tx rate:48Mbps Rx last:11s Tx last:68s
AssocID:1 Mode: Normal Flags:1000000b PauseCnt:0
- Verify that the RADIUS MPSK is cached on the FortiAP:
FortiAP-231F # h_diag radius-mac-mpsk wifi-ssid.fap.02
SSID config: SSID(wifi-ssid.fap.02) VAP(wlan11) refcnt(1)
Total RADIUS MPSK cache count: (1)
mac-binding: f8:e4:e3:d8:5e:af
vlan-id: 100
expiration: 1660 seconds
- MAC and MPSK based authentication is successfully implemented.
Because dynamic VLAN assignment is not enabled on either VAP, the VLAN ID in the cache returned by the RADIUS server (100) differs from the VLAN ID in the station statistics (0): the FortiGate caches the VLAN passed by the RADIUS server but does not apply it.
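The procedures above (WSSO, dynamic VLAN assignment, and MAC and MPSK based authentication) all hinge on attributes the RADIUS server places in its Access-Accept: Fortinet-Group-Name, the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id trio, and the salt-encrypted Tunnel-Password that carries the per-device MPSK. The following Python is an added example, not FortiOS or FortiAP code and not part of the original page; it builds such an Access-Accept on the server side and then decodes it the way the NAS must, checking the Response Authenticator against the pending request before trusting any attribute. It uses only the standard library. The shared secret (reused from the page's CLI example), the Request Authenticator bytes(range(16)) and the packet identifier 7 are constructed sample values; the MAC address, VLAN 100, passphrase and group_mac mirror the example account on this page.

```python
"""Added example (not FortiOS or FortiAP code): build and decode the RADIUS Access-Accept
carrying the attributes this page relies on. Standard library only. The shared secret,
Request Authenticator and packet identifier are constructed sample values; the MAC, VLAN,
passphrase and group mirror the page's example account."""
import hashlib
import hmac
import os
import struct

# RFC 2865 / RFC 2868 attribute types, plus the Fortinet VSA that WSSO reads
USER_NAME, VENDOR_SPECIFIC = 1, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 69, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6    # the "VLAN" and "IEEE-802" values
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1  # Fortinet-Group-Name VSA
CODE_ACCESS_ACCEPT = 2

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def _avp(attr_type, value):
    """One attribute-value pair: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encrypt_tunnel_password(password, secret, request_auth, salt=None):
    """RFC 2868 s3.5: length-prefixed, zero-padded password XORed with an MD5 keystream
    seeded by secret + Request Authenticator + salt and chained through each ciphertext block."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])  # salt MSB must be 1
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", b""
    for i in range(0, len(plain), 16):
        key = _md5(secret, request_auth, salt) if i == 0 else _md5(secret, prev)
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += prev
    return salt + out

def decrypt_tunnel_password(blob, secret, request_auth):
    """Inverse of encrypt_tunnel_password; returns the passphrase bytes."""
    salt, cipher = blob[:2], blob[2:]
    plain = b""
    for i in range(0, len(cipher), 16):
        key = _md5(secret, request_auth, salt) if i == 0 else _md5(secret, cipher[i - 16:i])
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
    return plain[1:1 + plain[0]]

def build_access_accept(ident, request_auth, secret, mac, vlan, passphrase, group, tag=0):
    """Server side: Access-Accept for a MAC+MPSK client, with dynamic VLAN and WSSO group."""
    attrs = b"".join([
        _avp(USER_NAME, mac.encode()),
        # Tagged integers (RFC 2868 s3.1, s3.2): one tag byte then a 3-byte value
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()),
        _avp(TUNNEL_PASSWORD, bytes([tag]) + encrypt_tunnel_password(passphrase.encode(), secret, request_auth)),
        # Vendor-Specific: 4-byte Vendor-Id, then vendor type / length / value
        _avp(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + _avp(FORTINET_GROUP_NAME, group.encode())),
    ])
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret), RFC 2865 s3
    return header + _md5(header, request_auth, attrs, secret) + attrs

def parse_access_accept(packet, request_auth, secret):
    """NAS side (what the FortiGate must do): check the Response Authenticator against the
    pending request first, then decode the attributes it acts on."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(resp_auth, _md5(header, request_auth, attrs, secret)):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    out, pos = {}, 0
    while pos < len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        v = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == TUNNEL_TYPE else "Tunnel-Medium-Type"
            out[name] = int.from_bytes(v[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag; otherwise the string starts at once (RFC 2868 s3.6)
            out["Tunnel-Private-Group-Id"] = (v[1:] if v and v[0] <= 0x1F else v).decode()
        elif attr_type == TUNNEL_PASSWORD:
            out["Tunnel-Password"] = decrypt_tunnel_password(v[1:], secret, request_auth).decode()
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == FORTINET_VENDOR_ID:
            if v[4] == FORTINET_GROUP_NAME:
                out["Fortinet-Group-Name"] = v[6:4 + v[5]].decode()
    return out

def demo():
    """Round trip with the page's example account (secret and authenticator are constructed)."""
    secret, request_auth = b"aoewmntiasf", bytes(range(16))
    pkt = build_access_accept(7, request_auth, secret, "F8-E4-E3-D8-5E-AF", 100, "111111111111", "group_mac")
    return parse_access_accept(pkt, request_auth, secret)

if __name__ == "__main__":
    print(demo())
```

Two points the exchange makes visible. The passphrase inside Tunnel-Password is protected only by MD5 keyed with the shared secret and the Request Authenticator (RFC 2868 section 3.5), so anyone who can capture RADIUS traffic between the FortiGate and the server and who knows or can guess the secret recovers every device's MPSK; use a long, random shared secret and keep the RADIUS path off untrusted networks. And the Response Authenticator is the only thing that lets the NAS reject a forged Access-Accept, which is why a mistyped secret shows up as an authentication failure rather than as attributes that are silently ignored.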
Authenticating guest WiFi users
The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit.
To implement guest access, you need to:
- Go to User & Authentication > User Groups and create one or more guest user groups.
- Go to User & Authentication > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.
- Go to WiFi and Switch Controller > SSIDs and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.
Guest users can log into the WiFi captive portal with their guest account credentials until the account expires.
Authenticating wireless clients with SAML credentials
You can configure SAML user groups and apply them to a captive portal through a tunnel mode SSID. Then you can configure both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IdP and a firewall policy with the SAML user group applied to allow authenticated traffic. When wireless clients connect to the SSID, they are redirected to a login page for wireless authentication using SAML.
For configuration information, see Captive portal authentication using SAML credentials.