Wireless client MAC authentication and MPSK returned through RADIUS 7.0.2
Wireless clients can be authenticated using MAC authentication and Multi Pre-Shared Key (MPSK) against a RADIUS server. The MPSK passphrases can be passed dynamically from the RADIUS server when the client MAC is authenticated by the RADIUS server, instead of being stored statically on the FortiGate. The passphrases are cached on the FortiGate for future authentication, with a timeout period configured for each VAP.
The radius-mac-mpsk-auth and radius-mac-mpsk-timeout commands are added to the VAP configuration when the security mode is WPA-Personal:
    config wireless-controller vap
        edit <name>
            set radius-mac-auth enable
            set radius-mac-auth-server <server>
            set mpsk-profile <profile>
            set radius-mac-mpsk-auth enable
            set radius-mac-mpsk-timeout <timeout>
        next
    end
radius-mac-mpsk-auth {enable | disable}
    Enable/disable RADIUS-based MAC authentication of clients for MPSK authentication (default = disable).
radius-mac-mpsk-timeout <timeout>
    RADIUS MAC MPSK cache timeout interval, in seconds (1800 - 864000, default = 86400).
Authentication can happen dynamically, and be offloaded to the RADIUS server. Two pieces of information are needed for authentication: the client MAC address and the passphrase (PSK).
The user registers to the RADIUS server, where the client MAC is stored and a passphrase is generated for the user device or group. When the user connects to the FortiAP SSID using WPA-Personal, the FortiGate wireless controller dynamically authenticates the device with its client MAC address, using RADIUS-based MAC authentication. The RADIUS server returns a Tunnel-Password for that user device or group. If the client provided a passphrase that matches the Tunnel-Password, the client successfully authenticates to the SSID and is placed into a VLAN if one was specified.
In these examples, the RADIUS server (172.16.200.55) has a record for device MAC F8-E4-E3-D8-5E-AF with Tunnel-Password 111111111111.
In the first example, the client connects to the SSID wifi-ssid.fap.01 in tunnel mode, so the MPSK key is cached on the FortiGate. In the second example, the client connects to the SSID wifi-ssid.fap.02 in bridging mode, so the MPSK key is cached on the FortiAP.
To configure the RADIUS server and MPSK profiles for the examples:
- Configure the RADIUS server:
    config user radius
        edit "peap"
            set server "172.16.200.55"
            set secret **********
        next
    end
- Configure the MPSK profiles:
    config wireless-controller mpsk-profile
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase **********
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
        edit "wifi.fap.02"
            set ssid "wifi-ssid.fap.02"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase **********
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end
    The static passphrase is a dummy passphrase that should have enough complexity that it cannot be guessed. A wireless client can use it to connect, but it is not required, because this solution uses dynamic passphrases that are stored on the RADIUS server.
- After a successful authentication, the PMK values from the RADIUS server are cached on the FortiGate:
    show wireless-controller mpsk-profile
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase ENC CC7uRvXBDCe4...8hPjCk0IYu4GubkQ/DNzKrU8siLowIAvMZ9GasXkUAryFga5jsxA==
                            set pmk ENC ISI6o9moiCjkGN...43eeWB8KnajcEwWBSrHbZauul5qPihVazE7MMjfwb8clh7RL5dzasQ==
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
        edit "wifi.fap.02"
            set ssid "wifi-ssid.fap.02"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase ENC TIF73K91DV0MxC...6Ob5ZCjU81T/saK6QTjDJVGG8I8NbVcbthgxSq2GrMmrpOcio2Q==
                            set pmk ENC q7eplEVvCS4WO+B2...xFUgpZzxpX+N2U0duCn1rHwpr52ooEnZ1r1/m5aotyENms56wrH6g==
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end
To configure and test the first example, in tunnel mode:
- Configure the wireless controller VAP:
    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            set radius-mac-auth enable
            set radius-mac-auth-server "peap"
            set radius-mac-mpsk-auth enable
            set radius-mac-mpsk-timeout 1800
            set schedule "always"
            set mpsk-profile "wifi.fap.01"
        next
    end
- On the RADIUS server, set the Tunnel-Password attribute in the device's account:
    F8-E4-E3-D8-5E-AF Cleartext-Password := "F8-E4-E3-D8-5E-AF"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 100,
        Tunnel-Password = "111111111111",
        Fortinet-Group-Name = group_mac
- On a wireless endpoint, connect to the wifi.fap.01 SSID using WPA2-personal with the same passphrase as the Tunnel-Password, then confirm that the client (MAC f8:e4:e3:d8:5e:af) can connect to the SSID in tunnel mode:
    # diagnose wireless-controller wlac -d sta online
    vf=1 wtp=7 rId=2 wlan=wifi.fap.01 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=F8-E4-E3-D8-5E-AF group=group_mac signal=-33 noise=-95 idle=3 bw=1 use=6 chan=149 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2 rad_mac_auth=allow age=12
- Verify that the RADIUS MPSK is cached on the FortiGate:
    # diagnose wpa wpad radius-mac-mpsk wifi-ssid.fap.01
    SSID config: SSID(wifi-ssid.fap.01) VAP(wifi.fap.01) refcnt(1)
    Total RADIUS MPSK cache count: (1)
    mac-binding: f8:e4:e3:d8:5e:af vlan-id: 100 expiration: 1785 seconds
To configure and test the second example, in bridge mode:
- Configure the wireless controller VAP:
    config wireless-controller vap
        edit "wifi.fap.02"
            set ssid "wifi-ssid.fap.02"
            set radius-mac-auth enable
            set radius-mac-auth-server "peap"
            set radius-mac-mpsk-auth enable
            set radius-mac-mpsk-timeout 1800
            set local-standalone enable
            set local-bridging enable
            set local-authentication enable
            set schedule "always"
            set mpsk-profile "wifi.fap.02"
        next
    end
- On a wireless endpoint, connect to the wifi.fap.02 SSID using WPA2-personal, then confirm that the client (MAC f8:e4:e3:d8:5e:af) can connect to the local-standalone SSID with the same passphrase as the Tunnel-Password:
    FortiAP-231F # sta
    wlan11 (wifi-ssid.fap.02) client count 1
    MAC:f8:e4:e3:d8:5e:af ip:10.100.100.231 ip_proto:dhcp ip_age:74 host:fosqa-PowerEdge-R210 vci: vlanid:0 Auth:Yes channel:149 rate:48Mbps rssi:65dB idle:11s Rx bytes:6095 Tx bytes:1719 Rx rate:87Mbps Tx rate:48Mbps Rx last:11s Tx last:68s AssocID:1 Mode: Normal Flags:1000000b PauseCnt:0
- Verify that the RADIUS MPSK is cached on the FortiAP:
    FortiAP-231F # h_diag radius-mac-mpsk wifi-ssid.fap.02
    SSID config: SSID(wifi-ssid.fap.02) VAP(wlan11) refcnt(1)
    Total RADIUS MPSK cache count: (1)
    mac-binding: f8:e4:e3:d8:5e:af vlan-id: 100 expiration: 1660 seconds
Dynamic VLAN is not configured on either of the VAPs, so the FortiGate does not use the VLAN passed by the RADIUS server, but still caches it. Consequently, the cache entries show vlan-id 100 while the station statistics show VLAN ID 0.
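As an added illustration (not FortiOS or FortiAP code), the following Python model reproduces the cache behaviour described above: a per-VAP cache keyed by client MAC that holds the Tunnel-Password and VLAN returned by RADIUS, enforces the radius-mac-mpsk-timeout range, evicts expired bindings so a fresh RADIUS lookup is forced, and compares the client's passphrase in constant time. Class and method names are assumed for illustration; the 1800-second timeout and 1785 seconds remaining mirror the first example's diagnose output, and the MAC normalisation covers both spellings seen on this page (F8-E4-E3-D8-5E-AF and f8:e4:e3:d8:5e:af).

```python
import hmac
import re

# Range FortiOS accepts for radius-mac-mpsk-timeout, in seconds (from the page).
TIMEOUT_MIN, TIMEOUT_MAX = 1800, 864000


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so F8-E4-E3-D8-5E-AF == f8:e4:e3:d8:5e:af."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class RadiusMpskCache:
    """Illustrative per-VAP cache of MAC -> (Tunnel-Password, VLAN, expiry)."""

    def __init__(self, ssid: str, timeout: int):
        if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
            raise ValueError("radius-mac-mpsk-timeout out of range")
        self.ssid, self.timeout, self._entries = ssid, timeout, {}

    def learn(self, mac, tunnel_password, vlan_id, now):
        """After a successful RADIUS MAC auth: bind the returned attributes to the MAC."""
        self._entries[normalize_mac(mac)] = (tunnel_password, vlan_id, now + self.timeout)

    def lookup(self, mac, now):
        """Return (vlan_id, seconds_left) for a live binding, else None (evicting if stale)."""
        key = normalize_mac(mac)
        entry = self._entries.get(key)
        if entry is None:
            return None
        _, vlan_id, expires = entry
        if now >= expires:
            del self._entries[key]  # stale binding: the next attempt must re-query RADIUS
            return None
        return vlan_id, expires - now

    def count(self):
        """Equivalent of 'Total RADIUS MPSK cache count' in the diagnose output."""
        return len(self._entries)

    def authenticate(self, mac, passphrase, now):
        """True only if the MAC has a live binding and the passphrase matches its Tunnel-Password."""
        key = normalize_mac(mac)
        if self.lookup(key, now) is None:
            return False
        stored = self._entries[key][0]
        return hmac.compare_digest(stored.encode(), passphrase.encode())
```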