When using 802.1x in a FortiNAC managed environment, it is necessary to configure the following components so that all can communicate successfully:
- Network devices
- Production RADIUS server(s)

All the above components must have the same RADIUS secret key value defined. FortiNAC does not modify 802.1x packets as they pass from the network device through to the terminating RADIUS server.

The same requirement exists when using Domain mapping. For instance, many wireless devices that support 802.1x allow a RADIUS server definition for each configured SSID. In such an environment, if two users are connected to the same SSID but to different domains, the RADIUS secret used in both authentication requests would be identical. The users are both using the same RADIUS profile on the wireless device. Assuming FortiNAC were configured to use different terminating RADIUS servers for each domain, it would forward the requests and both servers would need to use the same secret value in order to validate the packets.