Custom RADIUS NAS-ID
You can configure the RADIUS NAS-ID as a custom ID or the hostname. When deploying a wireless network with WPA-Enterprise and RADIUS authentication, or using the RADIUS MAC authentication feature, FortiGate can use the custom NAS-ID in its Access-Request.
The FortiGate can also push the RADIUS NAS-ID to a managed FortiAP in standalone mode. The FortiAP can then forward the NAS-Identifier value in an Access-Request packet when authenticating a wireless client with a remote RADIUS server.
The FortiAP must run on firmware 7.6.0 or later to receive the NAS-Identifier value from the FortiGate.
Configuring RADIUS NAS-ID CLI:
    config user radius
        edit <server>
            set nas-id-type {legacy | custom | hostname}
            set nas-id <custom ID>
        next
    end
You can configure nas-id-type with the following three options:
- legacy: NAS-ID value is the value previously used by each daemon. This is the default setting.
- custom: NAS-ID value is customized. Set
- hostname: NAS-ID value is the FortiGate hostname or HA group name if applicable.
To create an SSID with WPA2-Enterprise security mode using RADIUS authentication:
- Configure the SSID:
    config wireless-controller vap
        edit "wifi7"
            set ssid "80F_ent_radius"
            set security wpa2-only-enterprise
            set voice-enterprise disable
            set auth radius
            set radius-server "server-55"
            set schedule "always"
        next
    end
- Configure the RADIUS server:
    config user radius
        edit "server-55"
            set server "172.18.56.104"
            set secret ENC *
            set acct-interim-interval 60
            set radius-coa enable
            config accounting-server
                edit 1
                    set status enable
                    set server "172.18.56.104"
                    set secret ENC *
                next
            end
        next
    end
- Set the nas-id-type:
    config user radius
        edit server-55
            set nas-id-type hostname
        next
    end
    config system global
        set hostname "FortiWiFi-80F-2R"
    end
- After the station connects to the SSID, check the RADIUS packets to confirm the NAS-Identifier value matches the hostname FortiWiFi-80F-2R:
    (64) Received Access-Request Id 35 from 172.16.200.254:63111 to 172.16.200.55:1812 length 367
    (64) User-Name = "tester"
    (64) NAS-IP-Address = 0.0.0.0
    (64) NAS-Identifier = "FortiWiFi-80F-2R"
To create a WPA2-Personal SSID using RADIUS MAC authentication:
- Configure the SSID:
    config wireless-controller vap
        edit "wifi2"
            set ssid "80F_psk"
            set voice-enterprise disable
            set radius-mac-auth enable
            set radius-mac-auth-server "server-55"
            set passphrase ENC *
            set schedule "always"
        next
    end
- Set the nas-id-type:
    config user radius
        edit server-55
            set nas-id-type custom
            set nas-id FWF-80F-LR
        next
    end
- After the station connects to the SSID, check the RADIUS packets to confirm the NAS-Identifier value matches the custom value you configured, "FWF-80F-LR":
    (87) Received Access-Request Id 3 from 172.16.200.254:62884 to 172.16.200.55:1812 length 228
    (87) User-Name = "F1-A4-23-75-9F-B1"
    (87) User-Password = "F1-A4-23-75-9F-B1"
    (87) Calling-Station-Id = "F1-A4-23-75-9F-B1"
    (87) NAS-IP-Address = 0.0.0.0
    (87) NAS-Identifier = "FWF-80F-LR"
To configure and push a NAS-ID to a FortiAP in standalone mode:
- From FortiOS, configure the RADIUS server with a NAS-ID. You can use custom or hostname NAS-IDs.
    config user radius
        edit "wifi-radius"
            set server "172.16.200.55"
            set secret ENC
            set nas-ip 172.16.200.9
            set nas-id-type custom
            set nas-id "AP-431F"
        next
    end
- Apply the RADIUS server to an SSID.
    config wireless-controller vap
        edit "stand-vap"
            set ssid "FOS_101F_Stand_Ent_Radius"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "wifi-radius"
            set local-standalone enable
            set local-bridging enable
            set schedule "always"
        next
    end
- When the client connects to the SSID, the NAS-Identifier attribute you configured, AP-431F, will be sent in an Access-Request packet.
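
The verification steps in the procedures above compare the NAS-Identifier carried in the Access-Request with the value configured on the FortiGate. The following Python code is an added example, not part of the original page or Fortinet's tooling: it parses a captured Access-Request UDP payload using the RFC 2865 attribute layout (NAS-Identifier is attribute type 32) and performs that comparison. The function names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1      # RADIUS packet code (RFC 2865)
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 32: "NAS-Identifier"}


def parse_access_request(packet: bytes) -> dict:
    """Return the known attributes of a RADIUS Access-Request as a dict."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match the packet")
    attrs, pos = {}, 20               # skip the 16-byte Request Authenticator
    while pos < length:               # bytes past 'length' are padding
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        value = packet[pos + 2:pos + a_len]
        name = ATTR_NAMES.get(a_type)
        if name == "NAS-IP-Address":
            attrs[name] = ".".join(str(b) for b in value)
        elif name:
            attrs[name] = value.decode("utf-8", "replace")
        pos += a_len
    return attrs


def nas_id_matches(packet: bytes, expected: str) -> bool:
    """True only if NAS-Identifier is present and equals the configured value."""
    return parse_access_request(packet).get("NAS-Identifier") == expected


def build_sample(nas_id: str) -> bytes:
    """Constructed test packet mirroring the attributes in the first capture."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, len(v) + 2]) + v
    body = attr(1, b"tester") + attr(4, bytes(4)) + attr(32, nas_id.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, 35, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    pkt = build_sample("FortiWiFi-80F-2R")
    print(parse_access_request(pkt))
```

A request with no NAS-Identifier attribute, or one that still carries the previous value after a configuration change, makes `nas_id_matches` return False.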