Fortinet white logo
Fortinet white logo

Handbook

6.0.0

Configuring user authentication

Configuring user authentication

You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy. WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. The more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise and captive portal security provide separate credentials for each user. User accounts can be managed through FortiGate user groups or an external RADIUS authentication server.

WPA2 Enterprise authentication

Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server. Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be configured in the SSID. WiFi users can belong to user groups just the same as wired users and security policies will determine which network services they can access.

If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the FortiGate unit to connect to that RADIUS server.

Configuring connection to a RADIUS server - GUI
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
    This name is used in FortiGate configurations. It is not the actual name of the server.
  3. In Primary Server Name/IP, enter the network name or IP address for the server.
  4. In Primary Server Secret, enter the shared secret used to access the server.
  5. Optionally, enter the information for a secondary or backup RADIUS server.
  6. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

config user radius

edit exampleRADIUS

set auth-type auto

set server 10.11.102.100

set secret aoewmntiasf

end

To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Configuring user authentication.

To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to a FortiGate user group, making all accounts on that server members of the user group.

Creating a wireless user group

Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi users, you should create at least one WiFi user group. You can add or remove users later. There are two types of user group to consider:

  • A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials.
  • A Fortinet single sign-on (FSSO) user group is used for integration with Windows Active Directory or Novell eDirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN.

WiFi single sign-on (WSSO) authentication

WSSO is RADIUS-based authentication that passes the user's user group memberships to the FortiGate. For each user, the RADIUS server must provide user group information in the Fortinet-Group-Name attribute. This information is stored in the server's database. After the user authenticates, security policies provide access to network services based on user groups.

  1. Configure the RADIUS server to return the Fortinet-Group-Name attribute for each user.
  2. Configure the FortiGate to access the RADIUS server, as described in WPA2 Enterprise authentication.
  3. Create firewall user groups on the FortiGate with the same names as the user groups listed in the RADIUS database. Leave the groups empty.
  4. In the SSID choose WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you configured.
  5. Create security policies as needed, using user groups (Source User(s) field) to control access.

When a user authenticates by WSSO, the firewall monitor Monitor > Firewall User Monitor) shows the authentication method as WSSO.

Assigning WiFi users to VLANs dynamically

Some enterprise networks use Virtual LANs (VLANs) to separate traffic. In this environment, to extend network access to WiFi users might appear to require multiple SSIDs. But it is possible to automatically assign each user to their appropriate VLAN from a single SSID. To accomplish this requires RADIUS authentication that passes the appropriate VLAN ID to the FortiGate by RADIUS attributes. Each user’s VLAN assignment is stored in the user database of the RADIUS server.

  1. Configure the RADIUS server to return the following attributes for each user:
    Tunnel-Type (value: VLAN)
    Tunnel-Medium-Type (value: IEEE-802)
    Tunnel_Private-Group-Id (value: the VLAN ID for the user's VLAN)
  2. Configure the FortiGate to access the RADIUS server.
  3. Configure the SSID with WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you will use.
  4. Create VLAN subinterfaces on the SSID interface, one for each VLAN. Set the VLAN ID of each as appropriate. You can do this on the Network > Interfaces page.
  5. Enable Dynamic VLAN assignment for the SSID. For example, if the SSID interface is "office", enter:
  6. config wireless-controller vap

    edit office

    set dynamic-vlan enable

    end

  7. Create security policies for each VLAN. These policies have a WiFI VLAN subinterface as Incoming Interface and allow traffic to flow to whichever Outgoing Interface these VLAN users will be allowed to access.

MAC-based authentication

Wireless clients can also be supplementally authenticated by MAC address. A RADIUS server stores the allowed MAC address for each client and the wireless controller checks the MAC address independently of other authentication methods.

MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing access point “vap1” to use RADIUS server hq_radius (configured on the FortiGate):

config wireless-controller vap

edit vap1

set radius-mac-auth enable

set radius-mac-auth-server hq_radius

end

Authenticating guest WiFi users

The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts are authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit.

To implement guest access, you need to

  1. Go to User & Device > User Groups and create one or more guest user groups.
  2. Go to User & Device > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.
  3. Go to WiFi & Switch Controller > SSID and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.

Guest users can log into the WiFi captive portal with their guest account credentials until the account expires. For more detailed information about creating guest accounts, see “Managing Guest Access” in the Authentication chapter of the FortiOS Handbook.

Configuring user authentication

Configuring user authentication

You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy. WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. The more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise and captive portal security provide separate credentials for each user. User accounts can be managed through FortiGate user groups or an external RADIUS authentication server.

WPA2 Enterprise authentication

Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server. Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be configured in the SSID. WiFi users can belong to user groups just the same as wired users and security policies will determine which network services they can access.

If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the FortiGate unit to connect to that RADIUS server.

Configuring connection to a RADIUS server - GUI
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
    This name is used in FortiGate configurations. It is not the actual name of the server.
  3. In Primary Server Name/IP, enter the network name or IP address for the server.
  4. In Primary Server Secret, enter the shared secret used to access the server.
  5. Optionally, enter the information for a secondary or backup RADIUS server.
  6. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

config user radius

edit exampleRADIUS

set auth-type auto

set server 10.11.102.100

set secret aoewmntiasf

end

To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Configuring user authentication.

To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to a FortiGate user group, making all accounts on that server members of the user group.

Creating a wireless user group

Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi users, you should create at least one WiFi user group. You can add or remove users later. There are two types of user group to consider:

  • A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials.
  • A Fortinet single sign-on (FSSO) user group is used for integration with Windows Active Directory or Novell eDirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN.

WiFi single sign-on (WSSO) authentication

WSSO is RADIUS-based authentication that passes the user's user group memberships to the FortiGate. For each user, the RADIUS server must provide user group information in the Fortinet-Group-Name attribute. This information is stored in the server's database. After the user authenticates, security policies provide access to network services based on user groups.

  1. Configure the RADIUS server to return the Fortinet-Group-Name attribute for each user.
  2. Configure the FortiGate to access the RADIUS server, as described in WPA2 Enterprise authentication.
  3. Create firewall user groups on the FortiGate with the same names as the user groups listed in the RADIUS database. Leave the groups empty.
  4. In the SSID choose WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you configured.
  5. Create security policies as needed, using user groups (Source User(s) field) to control access.

When a user authenticates by WSSO, the firewall monitor Monitor > Firewall User Monitor) shows the authentication method as WSSO.

Assigning WiFi users to VLANs dynamically

Some enterprise networks use Virtual LANs (VLANs) to separate traffic. In this environment, to extend network access to WiFi users might appear to require multiple SSIDs. But it is possible to automatically assign each user to their appropriate VLAN from a single SSID. To accomplish this requires RADIUS authentication that passes the appropriate VLAN ID to the FortiGate by RADIUS attributes. Each user’s VLAN assignment is stored in the user database of the RADIUS server.

  1. Configure the RADIUS server to return the following attributes for each user:
    Tunnel-Type (value: VLAN)
    Tunnel-Medium-Type (value: IEEE-802)
    Tunnel_Private-Group-Id (value: the VLAN ID for the user's VLAN)
  2. Configure the FortiGate to access the RADIUS server.
  3. Configure the SSID with WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you will use.
  4. Create VLAN subinterfaces on the SSID interface, one for each VLAN. Set the VLAN ID of each as appropriate. You can do this on the Network > Interfaces page.
  5. Enable Dynamic VLAN assignment for the SSID. For example, if the SSID interface is "office", enter:
  6. config wireless-controller vap

    edit office

    set dynamic-vlan enable

    end

  7. Create security policies for each VLAN. These policies have a WiFI VLAN subinterface as Incoming Interface and allow traffic to flow to whichever Outgoing Interface these VLAN users will be allowed to access.

MAC-based authentication

Wireless clients can also be supplementally authenticated by MAC address. A RADIUS server stores the allowed MAC address for each client and the wireless controller checks the MAC address independently of other authentication methods.

MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing access point “vap1” to use RADIUS server hq_radius (configured on the FortiGate):

config wireless-controller vap

edit vap1

set radius-mac-auth enable

set radius-mac-auth-server hq_radius

end

Authenticating guest WiFi users

The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts are authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit.

To implement guest access, you need to

  1. Go to User & Device > User Groups and create one or more guest user groups.
  2. Go to User & Device > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.
  3. Go to WiFi & Switch Controller > SSID and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.

Guest users can log into the WiFi captive portal with their guest account credentials until the account expires. For more detailed information about creating guest accounts, see “Managing Guest Access” in the Authentication chapter of the FortiOS Handbook.