FortiWiFi and FortiAP Cookbook

WiFi with WSSO using Windows NPS and user groups

6.4.0

You can configure wireless single sign-on (WSSO) using a Network Policy Server (NPS) and FortiGate user groups.

In the following example, the WiFi users are students at a school. The user group belongs to a Windows Active Directory (AD) group called WiFiAccess. When the users enter their WiFi user names and passwords, the FortiGate checks the local group WiFi. Since this user group has been set up on a remote authentication dial-in user service (RADIUS) server, the FortiGate performs user authentication against the NPS or RADIUS server. If the user is successfully authenticated, the FortiGate checks for a policy that allows the WiFi group access.

To configure WSSO using Windows NPS and user groups:
  1. Register the FortiGate as a RADIUS client on the NPS:
    1. In the NPS, go to RADIUS Clients and Servers > RADIUS Clients.
    2. Right-click RADIUS Clients and select New.
    3. Enter the FortiGate information:
      • Name
      • IP address (172.20.120.142)
      • Shared secret (password)
    4. Click OK.
    5. The FortiGate properties view:

  2. Create a connection request policy:
    1. Go to Policies > Connection Request Policies.
    2. Right-click Connection Request Policies and select New.
    3. Enter the policy name (WiFi) and select the type of network access server.
    4. Click Next. The Specify Conditions window opens.
    5. Click Add and under Connection Properties, select Client IPv4 Address.
    6. Configure the Client IPv4 Address as the FortiGate IP address.
    7. Keep clicking Next and leave the default settings until you can click Finish.

  3. Create a network policy:
    1. Go to Policies > Network Policies.
    2. Right-click Network Policies and select New.
    3. Enter the policy name (WiFi-Access) and select the type of network access server.
    4. Click Next. The Specify Conditions window opens.
    5. Click Add and under Groups, select Windows Groups.
    6. Click Add Groups and enter the Windows AD group, WiFiAccess, as the object name to select.
    7. Click OK, then Next twice to advance to the Configure Authentication Methods window.
    8. For EAP Types, click Add and select Microsoft: Protected EAP (PEAP).
    9. Click OK.
    10. For Less secure authentication methods, make sure only the Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) and User can change password after it has expired checkboxes are selected.
    11. Keep clicking Next and leave the default settings until you can click Finish.

      The WiFi-Access network policy conditions properties view:

      The WiFi-Access network policy constraints properties view:

  4. Configure the FortiGate to use the RADIUS server:
    1. In FortiOS, go to User & Authentication > RADIUS Servers.
    2. Click Create New.
    3. Enter the server information:
      • Name (DC-RADIUS)
      • Authentication method (click Specify and select MS-CHAP-v2)
      • Domain controller IP address
      • Server secret

    4. Optionally, you can click Test Connectivity. After you enter the user ID and password, the result should be successful.
    5. Click OK.
  5. Configure the WiFi user group:
    1. Go to User & Authentication > User Groups.
    2. Click Create New.
    3. Enter the user group information:
      • Name
      • Type (select Firewall)
    4. Under Remote Groups, click Add. The Add Group Match pane opens.
    5. In the Remote Server dropdown, select the RADIUS server you just configured (DC-RADIUS).
    6. For Groups, click Any.
    7. Click OK to add the server.
    8. Click OK to save the user group.
  6. Create an SSID with RADIUS authentication:
    1. Go to WiFi & Switch Controller > SSIDs.
    2. Click Create New > SSID.
    3. Configure the interface and enable DHCP Server.
    4. Click Create New to add the address range.

    5. Configure the WiFi Settings section:
      • For Security Mode, select WPA2 Enterprise.
      • For Authentication, click Local and add the WiFi user group.

      Note

      Local vs RADIUS Server Authentication:

      • Local: PEAP terminates on the FortiGate, and FortiGate uses the built-in Fortinet_WiFi certificate for the connection by default. To select a different certificate, see Replacing WiFi certificate for details.
      • RADIUS Server: PEAP is forwarded to the RADIUS Server.
    6. Click OK.
  7. Create a security policy:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New.
    3. Configure the policy to have the SSID you created in step 6 as the Incoming Interface and the WiFi user group you created in step 5 as the Source.
    4. Configure other settings as needed.
    5. Click OK.
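
The FortiOS CLI equivalent of steps 4 to 7, added here as an example; it is not from the cookbook. The NPS address, the shared secret, the SSID interface name student-wifi, the broadcast SSID Students and the WAN interface wan1 are assumed values.

```fortios
# Added example, not from the cookbook. Placeholders: NPS IP address and shared secret.
# Assumed names: SSID interface "student-wifi", broadcast SSID "Students", WAN port "wan1".

# Step 4: RADIUS server pointing at the NPS, MS-CHAP-v2 as allowed by the NPS network policy
config user radius
    edit "DC-RADIUS"
        set server "<NPS-IP-ADDRESS>"
        set secret "<SHARED-SECRET>"
        set auth-type ms_chap_v2
    next
end

# Step 5: firewall user group; a RADIUS member with no group match corresponds to Groups: Any
config user group
    edit "WiFi"
        set group-type firewall
        set member "DC-RADIUS"
    next
end

# Step 6: WPA2 Enterprise SSID using Local authentication against the WiFi user group
config wireless-controller vap
    edit "student-wifi"
        set ssid "Students"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "WiFi"
    next
end

# Step 7: policy from the SSID to the internet that only members of the WiFi group match
config firewall policy
    edit 0
        set name "WiFi-Internet"
        set srcintf "student-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "WiFi"
        set nat enable
    next
end
```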

To verify the WSSO authentication:
  1. On the wireless client, the wireless settings may prompt for the CA certificate to use for the PEAP connection.
    • On Android devices, you can select Use system certificate, since the default Fortinet_WiFi certificate is signed by a public CA. If asked to specify the domain, enter fortinet.com. See the example Android WiFi client settings:

    • Alternatively, select Don't Validate to skip validating the certificate that the FortiGate presents for the PEAP connection.
  2. Use the credentials of a user that belongs to the Windows AD WiFiAccess group to verify that you are successfully authenticated:

    1. Try connecting to the WiFi network.
    2. Get authenticated.
    3. Browse the internet.
  3. In FortiOS 6.4 and later, go to Dashboard > WiFi > Clients By FortiAP to see a list of logged-on WiFi users.

  4. In FortiOS 6.4 and later, go to Dashboard > User & Devices > Firewall Users. The logged-on user is authenticated by Firewall Authentication and listed here.
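
The same checks from the FortiGate CLI, added here as an example and not taken from the cookbook. The test account student1 and its password are assumed values.

```fortios
# Added example, not from the cookbook. Assumed: test account "student1" and its password.

# CLI counterpart of Test Connectivity in step 4 of the configuration: authenticate
# one user against the NPS with the method the NPS network policy allows (MS-CHAP-v2).
# A successful reply confirms the shared secret, the RADIUS client entry and the policy match.
diagnose test authserver radius DC-RADIUS mschap2 student1 <PASSWORD>

# Verification step 3: wireless clients currently associated with the FortiAPs
diagnose wireless-controller wlac -c sta

# Verification step 4: firewall users created by WSSO, with the group the policy matched
diagnose firewall auth list
```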
