Article Id 193633

 

Description

This article describes how to configure Wi-Fi Protected Access (WPA) to authenticate wireless stations using a RADIUS server to prevent unauthorized access and eavesdropping.
Scope

- FortiWiFi-60 Antivirus Firewall, running FortiOS v2.80-MR5-W.

 

- WPA-compliant wireless adapters and client software.

 

- Server running RADIUS services.

Solution

802.1X defines a way of authenticating access to a port (either a physical port, as on a wired Ethernet switch, or a logical port, as on a wireless AP) before allowing access to the network.

 

The following general steps illustrate the basic approach used by a FortiWiFi-60 configured as an Access Point (AP) and a RADIUS server to authenticate a wireless station.

 

Without a valid authentication key, an AP inhibits all traffic flow through it.

- When a wireless station (supplicant) comes in range of a wireless AP authenticator (FortiWiFi), the wireless AP issues a challenge to the wireless station.

 

- Upon receiving the challenge from the FortiAP, the station responds with its identity.

 

- The FortiAP then forwards the station’s identity on to the RADIUS (authentication) server to initiate authentication services.

 

- The RADIUS server then requests the credentials for the station, specifying the type of credentials required to confirm the station’s identity.

 

- The station sends its credentials to the RADIUS server.

 

- Upon validating the station’s credentials, the RADIUS server transmits an authentication key to the AP. The authentication key is encrypted so that only the AP can access it.
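The last step says the key is encrypted so that only the AP can read it. The sketch below is an added example, not part of the original article or any Fortinet code: it assumes the key is carried in an MS-MPPE key attribute as defined in RFC 2548 (which the article does not name), where the AP/server shared secret and the Request Authenticator drive an MD5 keystream. Function names and sample values are constructed for illustration.

```python
import hashlib
import os


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def wrap_key(key: bytes, secret: bytes, request_auth: bytes, salt: bytes = None) -> bytes:
    """RADIUS-server side: encrypt a session key (RFC 2548 section 2.4.2)."""
    if salt is None:
        # Two-octet salt; the most significant bit must be set.
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    plain = bytes([len(key)]) + key          # Key-Length octet, then the key
    plain += b"\x00" * (-len(plain) % 16)    # pad to a multiple of 16 octets
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        stream = _md5(secret, prev)          # b(i) = MD5(S + R + A) or MD5(S + c(i-1))
        block = bytes(p ^ s for p, s in zip(plain[i:i + 16], stream))
        out, prev = out + block, block
    return salt + out


def unwrap_key(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """AP side: recover the key using the same shared secret."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) < 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed key attribute")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += bytes(c ^ s for c, s in zip(block, _md5(secret, prev)))
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        # No integrity check exists here; a wrong secret just yields garbage.
        raise ValueError("implausible key length (wrong shared secret?)")
    return plain[1:1 + key_len]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, req_auth = b"constructed-shared-secret", bytes(16)
    blob = wrap_key(bytes(range(32)), secret, req_auth)
    print(unwrap_key(blob, secret, req_auth).hex())
```

Because the keystream depends only on the shared secret and values visible on the wire, the confidentiality of the delivered key rests on using a long, random shared secret between the AP and the RADIUS server.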

 

To configure the RADIUS server, go to User -> Radius and select 'Create New'.

 

Note.

The default port for RADIUS traffic is 1812. If the RADIUS server is using port 1645, use the CLI to change the default RADIUS port. For example:

 

# config system global
    set radius_port 1645
end

 

Configure FortiWiFi-60 in Access Point mode.

 

Go to Wireless -> Operation Mode -> Access Point -> Security Mode -> WPA_Radius -> Radius Server Name and select the Radius Server name created above.