Fortinet black logo

Administration Guide

Open SSID for device onboarding

Copy Link
Copy Doc ID 825689eb-200d-11e9-b6f6-f8bc1258b856:283020
Download PDF

Open SSID for device onboarding

If you have a Secure SSID that requires a supplicant configuration on the connecting host, the supplicant configuration can be served to the host through an Open SSID. Add the supplicant configuration to one of your Open SSIDs.

  1. Click System > Quick Start.
  2. Select Network Settings > Network Devices from the steps on the left.
  3. Select a device in the Network Devices window.
  4. Click the Wireless Security button at the bottom.
  5. On the SSID Mappings dialog, click the Add button.
  6. Click the drop-down arrow in the SSID Name field and select the Name of the SSID for which you are adding a configuration in the FortiNAC database. These names are read from the wireless device and represent existing SSIDs.
  7. Click the Device Onboarding radio button to select it.
  8. Click Modify next to the RADIUS Secret field and enter the RADIUS Secret configured on the device.
  9. In the Directory Group field select a Directory Group. The connecting user must be a member of this directory group to access the SSID. If you are authenticating through RADIUS instead of LDAP, this option is hidden.
  10. In the Allowed Operating Systems section select one or more operating systems. The connecting host must have one of these operating systems installed to connect to this SSID.
  11. In the Portal Configuration field select the captive portal that should be presented to the user when the host connects to this SSID. If you are not using multiple portals or you do not have a specific portal for this group of guests, select Use Default.
  12. In the Access User Group field select the production User Group to be used for hosts accessing the Secure SSID. These are read from the wireless device and represent existing User Groups that have been configured on the wireless device.
  13. In the Isolation User Group field select the User Group to be used to isolate unknown hosts. These User Groups are read from the wireless device and represent existing User Groups that have been configured on the wireless device.

    Note

    The Supplicant Configuration field is optional. If you select a Supplicant Configuration that configuration is installed on the connecting host, allowing the host to connect to a secure SSID. See the table below for settings and Supplicant configurations for additional information.

  14. Select a Supplicant Configuration from the drop-down menu. You can use the icons next to the Supplicant Configuration field to add a new configuration, delete a configuration or modify the configuration shown in the drop-down menu. Note that if you modify this configuration, it is modified for all features that make use of it.
  15. To add a supplicant configuration, click the Add button next to the Supplicant Configuration field.

  16. In the Name field, enter a name for this Supplicant Configuration.
  17. In the SSID field, select the SSID that requires that a Supplicant be installed and configured on the connecting host.
  18. In the Security field select a type from the drop-down list. Options include: Open, WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise, WPA2 Enterprise.
  19. Click in the Password field to open the Password pop-up. This is the Pre-Shared Key. Enter the key twice to confirm that it is correct and click OK. The Password field does not display if Open, WPA2 Enterprise or WPA Enterprise is selected in the Security field.
  20. Click in the Cipher field and select AES, NONE or TKIP.
  21. In the EAP Type field PEAP is the only option. EAP type does not display when Open, WEP or WPA is selected in the Security field.
  22. The Validate Server Certificate field applies only to Windows 7 and higher hosts:

    • If disabled, it disables the Validate Server Certificate setting on the host and any certificate will be accepted.

    • If enabled, the host validates the Certificate with the list of Trusted Root Certificate Authorities listed in the host's Certificate Manager. If the Certificate Authority is not listed on the host, the user may have to connect to the secure SSID manually.

  23. If you have enabled WEP Enterprise, WPA Enterprise or WPA2 Enterprise the CA Certificate field is displayed. Browse to the CA or Root Certificate from the certificate authority that issued the SSL Certificate used on your RADIUS server. Select the file and click Open.
  24. The CA Fingerprint field is displayed and automatically populated after a CA or Root Certificate is uploaded and the Supplicant Configuration is saved.
  25. The Note field is optional.
  26. Click OK to save the Supplicant Configuration.
  27. In the Primary RADIUS field select the RADIUS server that FortiNAC should use for authentication. If no RADIUS servers are configured, click the New button to add one. Only displays if a Supplicant Configuration has been selected.
  28. In the Secondary RADIUS field select the RADIUS server to be used in the event that the Primary RADIUS cannot be accessed. This field is optional.
  29. Click OK to save the SSID configuration.
Open SSID settings

Field

Description

SSID Name

Network name of the SSID configuration that includes all of the settings for the SSID, such as encryption method or VLANs.

Mapping Type

  • Device Onboarding—Indicates that this SSID Mapping will be used by known network users to register devices.
  • Guest Management—Indicates that this SSID Mapping will be used by guests to access the network via a guest account.

RADIUS Secret

Encryption key used by the RADIUS server to send authentication information. The RADIUS secret must be the same in FortiNAC RADIUS settings, on the SSID configuration and on the device itself.

Directory Group

Connecting user must be a member of the selected directory group to access this SSID. If you are authenticating through RADIUS instead of LDAP, this option is hidden.

Allowed Operating
Systems

Allows or denies access to an SSID based on the operating system of the connecting host. Options include:

  • Windows
  • macOS
  • iOS
  • Android
  • RIM
  • Windows Mobile

Portal Configuration

Name of the Portal that will be applied to hosts connecting via this SSID.

Access User Group

Name or number of the Network Access identifier where a known host or device will be placed, such as, User Group, VLAN ID or VLAN Name.

Isolation User Group

Name or number of the Network Access identifier, such as, User Group, VLAN ID or VLAN Name, for the Isolation VLAN where an unknown host or device will be placed.

Supplicant Configuration

Contains the configuration for the SSID, Security Settings and password if required. This is optional. See the table below and Supplicant configurations.

Primary RADIUS Server

RADIUS server that will be used by FortiNAC for authentication. Only displays if a Supplicant Configuration has been selected.

Secondary RADIUS Server

Secondary RADIUS server that will be used by FortiNAC for authentication if the Primary RADIUS server cannot be reached.

Supplicant configuration settings

Field

Definition

Name

User defined name for the Configuration.

SSID

Name of the SSID being configured. This is not necessarily the SSID to which the host is connected. However, the agent will attempt to move the host to this SSID when the configuration is applied.

Note

A host can have Supplicant Configurations stored for multiple SSIDs.

Security

Indicates the type of encryption that will be used for connections to this SSID. Options include:

  • Open
  • WEP (PSK)
  • WPA (PSK)
  • WPA2 (PSK)
  • WEP Enterprise (PEAP)
  • WPA Enterprise (PEAP)
  • WPA2 Enterprise (PEAP)
Note

WPA Enterprise and WPA2 Enterprise are limited to PEAP-MSCHAPv2.

Password

Opens the Password pop-up. This is the Pre-Shared Key. Enter the key twice to confirm that it is correct and click OK. The Password field does not display if Open, WPA2 Enterprise or WPA Enterprise is selected in the Security field.

Note

The XML predefined characters ' " < > & are not supported.

Cipher

Encryption/decryption method used in conjunction with the information in the Security field to secure this connection. Options include:

  • AES
  • NONE
  • TKIP

EAP Type

Currently only PEAP is supported.

Validate Server Certificate

Applies only to Windows 7 and higher hosts. Default = Disabled.

If disabled, it disables the Validate Server Certificate setting on the host and any certificate will be accepted.

If enabled, the host validates the Certificate with the list of Trusted Root Certificate Authorities listed in the host's Certificate Manager. If the Certificate Authority is not listed on the host, the user may have to connect to the secure SSID manually.

CA Fingerprint

Fingerprint parsed from the CA or Root Certificate from the certificate authority that issued the SSL Certificate used to secure the RADIUS server. This field does not display until after the certificate has been uploaded and the Supplicant Configuration has been saved.

CA Certificate

This field is only displayed if you select WEP Enterprise, WPA Enterprise or WPA2 Enterprise in the Security field. Use the Choose File button to browse to and select the CA or Root certificate from the certificate authority that issued the SSL Certificate used to secure the RADIUS server. CA or Root certificates can be downloaded from the certificate authority web site. Either PEM or binary format can be used.

Note

User specified note field.

Open SSID for device onboarding

If you have a Secure SSID that requires a supplicant configuration on the connecting host, the supplicant configuration can be served to the host through an Open SSID. Add the supplicant configuration to one of your Open SSIDs.

  1. Click System > Quick Start.
  2. Select Network Settings > Network Devices from the steps on the left.
  3. Select a device in the Network Devices window.
  4. Click the Wireless Security button at the bottom.
  5. On the SSID Mappings dialog, click the Add button.
  6. Click the drop-down arrow in the SSID Name field and select the Name of the SSID for which you are adding a configuration in the FortiNAC database. These names are read from the wireless device and represent existing SSIDs.
  7. Click the Device Onboarding radio button to select it.
  8. Click Modify next to the RADIUS Secret field and enter the RADIUS Secret configured on the device.
  9. In the Directory Group field select a Directory Group. The connecting user must be a member of this directory group to access the SSID. If you are authenticating through RADIUS instead of LDAP, this option is hidden.
  10. In the Allowed Operating Systems section select one or more operating systems. The connecting host must have one of these operating systems installed to connect to this SSID.
  11. In the Portal Configuration field select the captive portal that should be presented to the user when the host connects to this SSID. If you are not using multiple portals or you do not have a specific portal for this group of guests, select Use Default.
  12. In the Access User Group field select the production User Group to be used for hosts accessing the Secure SSID. These are read from the wireless device and represent existing User Groups that have been configured on the wireless device.
  13. In the Isolation User Group field select the User Group to be used to isolate unknown hosts. These User Groups are read from the wireless device and represent existing User Groups that have been configured on the wireless device.

    Note

    The Supplicant Configuration field is optional. If you select a Supplicant Configuration that configuration is installed on the connecting host, allowing the host to connect to a secure SSID. See the table below for settings and Supplicant configurations for additional information.

  14. Select a Supplicant Configuration from the drop-down menu. You can use the icons next to the Supplicant Configuration field to add a new configuration, delete a configuration or modify the configuration shown in the drop-down menu. Note that if you modify this configuration, it is modified for all features that make use of it.
  15. To add a supplicant configuration, click the Add button next to the Supplicant Configuration field.

  16. In the Name field, enter a name for this Supplicant Configuration.
  17. In the SSID field, select the SSID that requires that a Supplicant be installed and configured on the connecting host.
  18. In the Security field select a type from the drop-down list. Options include: Open, WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise, WPA2 Enterprise.
  19. Click in the Password field to open the Password pop-up. This is the Pre-Shared Key. Enter the key twice to confirm that it is correct and click OK. The Password field does not display if Open, WPA2 Enterprise or WPA Enterprise is selected in the Security field.
  20. Click in the Cipher field and select AES, NONE or TKIP.
  21. In the EAP Type field PEAP is the only option. EAP type does not display when Open, WEP or WPA is selected in the Security field.
  22. The Validate Server Certificate field applies only to Windows 7 and higher hosts:

    • If disabled, it disables the Validate Server Certificate setting on the host and any certificate will be accepted.

    • If enabled, the host validates the Certificate with the list of Trusted Root Certificate Authorities listed in the host's Certificate Manager. If the Certificate Authority is not listed on the host, the user may have to connect to the secure SSID manually.

  23. If you have enabled WEP Enterprise, WPA Enterprise or WPA2 Enterprise the CA Certificate field is displayed. Browse to the CA or Root Certificate from the certificate authority that issued the SSL Certificate used on your RADIUS server. Select the file and click Open.
  24. The CA Fingerprint field is displayed and automatically populated after a CA or Root Certificate is uploaded and the Supplicant Configuration is saved.
  25. The Note field is optional.
  26. Click OK to save the Supplicant Configuration.
  27. In the Primary RADIUS field select the RADIUS server that FortiNAC should use for authentication. If no RADIUS servers are configured, click the New button to add one. Only displays if a Supplicant Configuration has been selected.
  28. In the Secondary RADIUS field select the RADIUS server to be used in the event that the Primary RADIUS cannot be accessed. This field is optional.
  29. Click OK to save the SSID configuration.
Open SSID settings

Field

Description

SSID Name

Network name of the SSID configuration that includes all of the settings for the SSID, such as encryption method or VLANs.

Mapping Type

  • Device Onboarding—Indicates that this SSID Mapping will be used by known network users to register devices.
  • Guest Management—Indicates that this SSID Mapping will be used by guests to access the network via a guest account.

RADIUS Secret

Encryption key used by the RADIUS server to send authentication information. The RADIUS secret must be the same in FortiNAC RADIUS settings, on the SSID configuration and on the device itself.

Directory Group

Connecting user must be a member of the selected directory group to access this SSID. If you are authenticating through RADIUS instead of LDAP, this option is hidden.

Allowed Operating
Systems

Allows or denies access to an SSID based on the operating system of the connecting host. Options include:

  • Windows
  • macOS
  • iOS
  • Android
  • RIM
  • Windows Mobile

Portal Configuration

Name of the Portal that will be applied to hosts connecting via this SSID.

Access User Group

Name or number of the Network Access identifier where a known host or device will be placed, such as, User Group, VLAN ID or VLAN Name.

Isolation User Group

Name or number of the Network Access identifier, such as, User Group, VLAN ID or VLAN Name, for the Isolation VLAN where an unknown host or device will be placed.

Supplicant Configuration

Contains the configuration for the SSID, Security Settings and password if required. This is optional. See the table below and Supplicant configurations.

Primary RADIUS Server

RADIUS server that will be used by FortiNAC for authentication. Only displays if a Supplicant Configuration has been selected.

Secondary RADIUS Server

Secondary RADIUS server that will be used by FortiNAC for authentication if the Primary RADIUS server cannot be reached.

Supplicant configuration settings

Field

Definition

Name

User defined name for the Configuration.

SSID

Name of the SSID being configured. This is not necessarily the SSID to which the host is connected. However, the agent will attempt to move the host to this SSID when the configuration is applied.

Note

A host can have Supplicant Configurations stored for multiple SSIDs.

Security

Indicates the type of encryption that will be used for connections to this SSID. Options include:

  • Open
  • WEP (PSK)
  • WPA (PSK)
  • WPA2 (PSK)
  • WEP Enterprise (PEAP)
  • WPA Enterprise (PEAP)
  • WPA2 Enterprise (PEAP)
Note

WPA Enterprise and WPA2 Enterprise are limited to PEAP-MSCHAPv2.

Password

Opens the Password pop-up. This is the Pre-Shared Key. Enter the key twice to confirm that it is correct and click OK. The Password field does not display if Open, WPA2 Enterprise or WPA Enterprise is selected in the Security field.

Note

The XML predefined characters ' " < > & are not supported.

Cipher

Encryption/decryption method used in conjunction with the information in the Security field to secure this connection. Options include:

  • AES
  • NONE
  • TKIP

EAP Type

Currently only PEAP is supported.

Validate Server Certificate

Applies only to Windows 7 and higher hosts. Default = Disabled.

If disabled, it disables the Validate Server Certificate setting on the host and any certificate will be accepted.

If enabled, the host validates the Certificate with the list of Trusted Root Certificate Authorities listed in the host's Certificate Manager. If the Certificate Authority is not listed on the host, the user may have to connect to the secure SSID manually.

CA Fingerprint

Fingerprint parsed from the CA or Root Certificate from the certificate authority that issued the SSL Certificate used to secure the RADIUS server. This field does not display until after the certificate has been uploaded and the Supplicant Configuration has been saved.

CA Certificate

This field is only displayed if you select WEP Enterprise, WPA Enterprise or WPA2 Enterprise in the Security field. Use the Choose File button to browse to and select the CA or Root certificate from the certificate authority that issued the SSL Certificate used to secure the RADIUS server. CA or Root certificates can be downloaded from the certificate authority web site. Either PEM or binary format can be used.

Note

User specified note field.