Wireless client MAC authentication and MPSK returned through RADIUS 7.0.2

Wireless clients can be authenticated using MAC authentication and Multi Pre-Shared Key (MPSK) against a RADIUS server. The MPSK passphrases can be passed dynamically from the RADIUS server when the client MAC is authenticated by the RADIUS server, instead of being stored statically on the FortiGate. The passphrases are cached on the FortiGate for future authentication, with a timeout period configured for each VAP.

The radius-mac-mpsk-auth and radius-mac-mpsk-timeout commands are added to the VAP configuration when the security mode is WPA‑Personal:

config wireless-controller vap
    edit <name>
        set radius-mac-auth enable
        set radius-mac-auth-server <server>
        set mpsk-profile <profile>
        set radius-mac-mpsk-auth enable
        set radius-mac-mpsk-timeout <timeout>
    next
end

radius-mac-mpsk-auth {enable | disable}

Enable/disable RADIUS-based MAC authentication of clients for MPSK authentication (default = disable).

radius-mac-mpsk-timeout <timeout>

RADIUS MAC MPSK cache timeout interval, in seconds (1800 - 864000, default = 86400). Because cached entries are reused for subsequent authentications, a device whose record is removed or changed on the RADIUS server can keep connecting with the previously returned passphrase until its cache entry expires, so choose the shortest timeout the environment tolerates.

Authentication can happen dynamically, and be offloaded to the RADIUS server. Two pieces of information are needed for authentication: the client MAC address and the passphrase (PSK). Because a MAC address can be cloned, the per-device passphrase is what actually proves the client's identity; the MAC lookup determines which passphrase (and VLAN) applies to the device.

The user registers to the RADIUS server, where the client MAC is stored and a passphrase is generated for the user device or group. When the user connects to the FortiAP SSID using WPA-Personal, the FortiGate wireless controller dynamically authenticates the device with its client MAC address, using RADIUS-based MAC authentication. The RADIUS server returns a Tunnel-Password for that user device or group. If the client provided a passphrase that matches the Tunnel-Password, the client will successfully authenticate to the SSID, and be placed into a VLAN if one was specified. On the wire, the Tunnel-Password attribute is protected only by the RADIUS shared-secret obfuscation defined in RFC 2868, so the secret configured for the RADIUS server must be strong and the FortiGate-to-RADIUS path should be treated as carrying client credentials.
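The following Python model is an added illustration of the flow just described and is not FortiOS code: it derives the WPA2-Personal PMK per SSID (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID, as IEEE 802.11i specifies), keeps a per-SSID cache bound to the client MAC with the VAP's radius-mac-mpsk-timeout, and re-queries the RADIUS server only on a cache miss or after expiry. The MAC, SSIDs, Tunnel-Password and VLAN are the page's example values; the in-memory RADIUS store, the cache structure, the static passphrase and the caller-supplied clock are assumptions made for the example. A real controller never sees the client's passphrase; it learns which PMK the client holds from the 4-way handshake MIC, and comparing PMKs stands in for that here.

```python
"""Model of RADIUS MAC authentication with an MPSK returned as Tunnel-Password.
Added illustration, not FortiOS code. RADIUS_RECORDS is a constructed stand-in
for the RADIUS users file; 'now' is supplied by the caller instead of a clock."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits).
    The SSID salt is why one Tunnel-Password yields a different PMK on
    wifi-ssid.fap.01 and wifi-ssid.fap.02, and why the cache is kept per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


TIMEOUT_MIN, TIMEOUT_MAX = 1800, 864000  # radius-mac-mpsk-timeout range, seconds

# Constructed RADIUS store: username (the MAC) -> (Tunnel-Password, Tunnel-Private-Group-Id)
RADIUS_RECORDS = {"F8-E4-E3-D8-5E-AF": ("111111111111", 100)}


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def radius_mac_auth(mac: str) -> Optional[tuple]:
    """RADIUS MAC authentication: (passphrase, vlan) on Access-Accept, None on reject."""
    return RADIUS_RECORDS.get(normalize_mac(mac).upper().replace(":", "-"))


@dataclass
class CacheEntry:
    pmk: bytes
    vlan: int
    expires_at: int  # absolute time in seconds


class RadiusMpskCache:
    """One cache per SSID, like 'diagnose wpa wpad radius-mac-mpsk <ssid>'."""

    def __init__(self, ssid: str, static_passphrase: str, timeout: int):
        if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
            raise ValueError("radius-mac-mpsk-timeout out of range")
        self.ssid = ssid
        self.timeout = timeout
        self.static_pmk = derive_pmk(static_passphrase, ssid)  # the profile's key p1
        self.entries: dict[str, CacheEntry] = {}                # mac-binding -> entry
        self.radius_queries = 0

    def lookup(self, mac: str, now: int) -> Optional[CacheEntry]:
        """Return the RADIUS key bound to this MAC, querying RADIUS on a miss or
        after expiry. A rejected MAC gets no entry."""
        mac = normalize_mac(mac)
        entry = self.entries.get(mac)
        if entry is not None and entry.expires_at > now:
            return entry
        self.entries.pop(mac, None)
        self.radius_queries += 1
        record = radius_mac_auth(mac)
        if record is None:
            return None
        passphrase, vlan = record
        entry = CacheEntry(derive_pmk(passphrase, self.ssid), vlan, now + self.timeout)
        self.entries[mac] = entry
        return entry

    def authenticate(self, mac: str, client_passphrase: str, now: int) -> dict:
        """Decide whether a client holding this passphrase may join. The RADIUS key is
        tried only for the MAC it is bound to; the static profile key works for anyone."""
        client_pmk = derive_pmk(client_passphrase, self.ssid)
        entry = self.lookup(mac, now)
        if entry is not None and hmac.compare_digest(client_pmk, entry.pmk):
            return {"allowed": True, "source": "radius", "vlan": entry.vlan}
        if hmac.compare_digest(client_pmk, self.static_pmk):
            return {"allowed": True, "source": "static", "vlan": None}
        return {"allowed": False, "source": None, "vlan": None}

    def seconds_left(self, mac: str, now: int) -> int:
        """The 'expiration' counter shown by the diagnose command (0 if no entry)."""
        entry = self.entries.get(normalize_mac(mac))
        return max(0, entry.expires_at - now) if entry else 0
```

Two properties of the model are worth checking against a live deployment: a second device presenting the same Tunnel-Password but a different MAC is rejected, because the cached key is bound to the MAC that RADIUS authenticated, and a record deleted on the RADIUS server keeps working until seconds_left reaches zero.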

In these examples, the RADIUS server (172.16.200.55) has a record for device MAC F8-E4-E3-D8-5E-AF with Tunnel-Password 111111111111.

In the first example, the client connects to the SSID wifi-ssid.fap.01 in tunnel mode, so the MPSK key is cached on the FortiGate. In the second example, the client connects to the SSID wifi-ssid.fap.02 in bridging mode, so the MPSK key is cached on the FortiAP.

To configure the RADIUS server and MPSK profiles for the examples:
  1. Configure the RADIUS server:

    config user radius
        edit "peap"
            set server "172.16.200.55"
            set secret **********
        next
    end
  2. Configure the MPSK profiles:

    config wireless-controller mpsk-profile
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase **********
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
        edit "wifi.fap.02"
            set ssid "wifi-ssid.fap.02"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase **********
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end

    The static passphrase in the profile is a placeholder, but it is still a working key for the SSID: a wireless client that knows it can use it to connect, so it must be long and random enough that it cannot be guessed. Clients are not expected to use it, because this solution authenticates them with the dynamic passphrases stored on the RADIUS server.

  3. After a successful authentication, the cached PMK values are stored on the FortiGate and are visible in the MPSK profile:

    show wireless-controller mpsk-profile
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase ENC CC7uRvXBDCe4...8hPjCk0IYu4GubkQ/DNzKrU8siLowIAvMZ9GasXkUAryFga5jsxA==
                            set pmk ENC ISI6o9moiCjkGN...43eeWB8KnajcEwWBSrHbZauul5qPihVazE7MMjfwb8clh7RL5dzasQ==
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
        edit "wifi.fap.02"
            set ssid "wifi-ssid.fap.02"
            config mpsk-group
                edit "g1"
                    config mpsk-key
                        edit "p1"
                            set passphrase ENC TIF73K91DV0MxC...6Ob5ZCjU81T/saK6QTjDJVGG8I8NbVcbthgxSq2GrMmrpOcio2Q==
                            set pmk ENC q7eplEVvCS4WO+B2...xFUgpZzxpX+N2U0duCn1rHwpr52ooEnZ1r1/m5aotyENms56wrH6g==
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end
To configure and test the first example, in tunnel mode:
  1. Configure the wireless controller VAP:

    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            set radius-mac-auth enable
            set radius-mac-auth-server "peap"
            set radius-mac-mpsk-auth enable
            set radius-mac-mpsk-timeout 1800
            set schedule "always"
            set mpsk-profile "wifi.fap.01"
        next
    end
  2. On the RADIUS server, set the Tunnel-Password attribute in the device's account:

    F8-E4-E3-D8-5E-AF Cleartext-Password := "F8-E4-E3-D8-5E-AF"
                      Tunnel-Type = "VLAN",
                      Tunnel-Medium-Type = "IEEE-802",
                      Tunnel-Private-Group-Id = 100,
                      Tunnel-Password = "111111111111",
                      Fortinet-Group-Name = group_mac
  3. On a wireless endpoint, connect to the wifi-ssid.fap.01 SSID using WPA2-Personal with the same passphrase as the Tunnel-Password, then confirm that the client (MAC f8:e4:e3:d8:5e:af) can connect to the SSID in tunnel mode:

    # diagnose wireless-controller wlac -d sta online
       vf=1 wtp=7 rId=2 wlan=wifi.fap.01 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=fosqa-PowerEdge-R210 user=F8-E4-E3-D8-5E-AF group=group_mac signal=-33 noise=-95 idle=3 bw=1 use=6 chan=149 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=2
                             rad_mac_auth=allow  age=12
  4. Verify that the RADIUS MPSK is cached on the FortiGate:

    # diagnose wpa wpad radius-mac-mpsk wifi-ssid.fap.01
    SSID config: SSID(wifi-ssid.fap.01) VAP(wifi.fap.01) refcnt(1)
    Total RADIUS MPSK cache count: (1)
                mac-binding: f8:e4:e3:d8:5e:af
                vlan-id: 100
                expiration: 1785 seconds
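The Tunnel-Password attribute returned in step 2 above is not sent in the clear, but it is protected only by the RFC 2868 obfuscation keyed with the RADIUS shared secret (the "set secret" value in config user radius) and the Access-Request's Request Authenticator. The following Python implementation of that obfuscation is an added illustration, not FortiOS or RADIUS-server code; the shared secret, salt and Request Authenticator are constructed values, and the password is the page's Tunnel-Password. The last function shows the practical consequence: everything except the secret is visible to anyone who captures the exchange, so a guessable secret exposes every passphrase the server hands out.

```python
"""RFC 2868 section 3.5 Tunnel-Password obfuscation (Tag | Salt | String).
Added illustration with constructed secret, salt and Request Authenticator."""
import hashlib
import secrets
from typing import Iterable, Optional

BLOCK = 16


def _block_key(secret: bytes, request_authenticator: bytes, salt: bytes,
               prev_cipher: Optional[bytes]) -> bytes:
    # b1 = MD5(S + R + A) for the first block, bi = MD5(S + c(i-1)) afterwards
    if prev_cipher is None:
        return hashlib.md5(secret + request_authenticator + salt).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def tunnel_password_encode(password: bytes, secret: bytes, request_authenticator: bytes,
                           salt: Optional[bytes] = None, tag: int = 0) -> bytes:
    """Build the attribute value. request_authenticator is the 16-byte authenticator
    of the Access-Request that the Access-Accept answers."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) < 256:
        raise ValueError("password length must fit in one byte")
    if salt is None:  # 2 bytes, high bit set, unique per attribute
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt is 2 bytes with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % BLOCK)  # pad to a 16-byte boundary
    out, prev = bytearray(), None
    for i in range(0, len(plain), BLOCK):
        key = _block_key(secret, request_authenticator, salt, prev)
        cipher = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], key))
        out += cipher
        prev = cipher
    return bytes([tag]) + salt + bytes(out)


def tunnel_password_decode(value: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Invert the obfuscation. Raises ValueError when the result is not well formed,
    which is what a wrong shared secret almost always produces."""
    if len(value) < 3 + BLOCK or (len(value) - 3) % BLOCK:
        raise ValueError("malformed Tunnel-Password")
    salt, data = value[1:3], value[3:]
    plain, prev = bytearray(), None
    for i in range(0, len(data), BLOCK):
        cipher = data[i:i + BLOCK]
        key = _block_key(secret, request_authenticator, salt, prev)
        plain += bytes(c ^ k for c, k in zip(cipher, key))
        prev = cipher
    n = plain[0]
    if n == 0 or n > len(plain) - 1 or any(plain[1 + n:]):
        raise ValueError("length byte or padding inconsistent: wrong secret?")
    return bytes(plain[1:1 + n])


def recover_password(value: bytes, secret: bytes, request_authenticator: bytes) -> Optional[bytes]:
    """Decode, returning None instead of raising."""
    try:
        return tunnel_password_decode(value, secret, request_authenticator)
    except ValueError:
        return None


def guess_shared_secret(value: bytes, request_authenticator: bytes,
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline check possible from a captured Access-Request/Access-Accept pair:
    the attribute, its salt and the Request Authenticator are all on the wire, so
    only the shared secret stands between the capture and the passphrase.
    Returns the first candidate that yields a well-formed, printable password."""
    for cand in candidates:
        pw = recover_password(value, cand, request_authenticator)
        if pw is not None and all(32 <= ch < 127 for ch in pw):
            return cand
    return None
```

The same obfuscation is reused for every Tunnel-Password the server returns, so rotating a weak shared secret after the fact does not help with passphrases already captured; a long random secret, or carrying RADIUS over a TLS-protected transport, is the mitigation.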
To configure and test the second example, in bridge mode:
  1. Configure the wireless controller VAP:

    config wireless-controller vap
        edit "wifi.fap.02"
            set ssid "wifi-ssid.fap.02"
            set radius-mac-auth enable
            set radius-mac-auth-server "peap"
            set radius-mac-mpsk-auth enable
            set radius-mac-mpsk-timeout 1800
            set local-standalone enable
            set local-bridging enable
            set local-authentication enable
            set schedule "always"
            set mpsk-profile "wifi.fap.02"
        next
    end
  2. On a wireless endpoint, connect to the wifi-ssid.fap.02 SSID using WPA2-Personal with the same passphrase as the Tunnel-Password, then confirm that the client (MAC f8:e4:e3:d8:5e:af) can connect to the local-standalone SSID:

    FortiAP-231F # sta
    wlan11 (wifi-ssid.fap.02) client count 1
        MAC:f8:e4:e3:d8:5e:af ip:10.100.100.231 ip_proto:dhcp ip_age:74 host:fosqa-PowerEdge-R210 vci:
            vlanid:0 Auth:Yes channel:149 rate:48Mbps rssi:65dB idle:11s
            Rx bytes:6095 Tx bytes:1719 Rx rate:87Mbps Tx rate:48Mbps Rx last:11s Tx last:68s
            AssocID:1 Mode:  Normal Flags:1000000b PauseCnt:0
  3. Verify that the RADIUS MPSK is cached on the FortiAP:

    FortiAP-231F # h_diag radius-mac-mpsk wifi-ssid.fap.02
    SSID config: SSID(wifi-ssid.fap.02) VAP(wlan11) refcnt(1)
    Total RADIUS MPSK cache count: (1)
                mac-binding: f8:e4:e3:d8:5e:af
                vlan-id: 100
                expiration: 1660 seconds
Note

Dynamic VLAN is not configured on either of the VAPs, so the FortiGate does not use the VLAN passed by the RADIUS server, but still caches it. Consequently, the cache and the station statistics show different VLAN IDs: vlan-id: 100 in the RADIUS MPSK cache versus vlan_id=0 (FortiGate) and vlanid:0 (FortiAP) for the connected station.
