Administration Guide

802.1x environments

When using 802.1x in a FortiNAC managed environment, it is necessary to configure the network devices, FortiNAC and the production RADIUS server(s) so that all can communicate successfully. This requires at a minimum that all three components have the same RADIUS secret key value defined, since FortiNAC does not modify 802.1x packets as they pass from the network device through to the terminating RADIUS server. The same restriction exists when using Domain mapping.

For instance, many wireless devices that support 802.1x allow a RADIUS server definition for each configured SSID. In such an environment, if two users are connected to the same SSID but to different domains, the RADIUS secret used in both authentication requests would be identical. The users are both using the same RADIUS profile on the wireless device. Assuming FortiNAC were configured to use different terminating RADIUS servers for each domain, it would forward the requests and both servers would need to use the same secret value in order to validate the packets.
