Description
This article describes how to ensure granular access for the Wi-Fi’s authenticated users via RADIUS to access specific internal resources within the enterprise infrastructure.
Scope
FortiAP.
Solution
The FortiGate as wireless controller can be set up to manage FortiAPs and to do WPA enterprise authentication.
Allow user access to a single Wi-Fi more granular though can be done with Dynamic VLAN Assignments.
Dynamic VLAN assignment is available for both tunnel and bridge mode.
Tunnel mode as traffic will be centrally managed by the FortiGate.
The RADIUS server is the FortiAuthenticator.
This also may be another RADIUS server that will be able to return the attributes tunnel-type, tunnel-medium-type and tunnel-private-group-ID (IETF 64, 65 and 81 respectively).
Both RADIUS server (FortiAuthenticator) and RADIUS client (FortiGate) will also need to be configured that requests can be sent and accepted from both ends.
On the RADIUS server, configure the user database.
The users of the SSID have to be authenticating against.
This can be remote LDAP users or local users which looks like this on the FortiAuthenticator:
* For Windows environments when users will access the network using their domain accounts and Remote User account an extra step is needed. The WiFi supplicant in windows 10 and later versions by default will use PEAP/MSCHAPv2, so FAC need to be joined in the domain. The extra steps are shown here.
The attribute tunnel-type will need to be set to the string 'VLAN”' tunnel-medium-type will be 'IEEE-802' and the tunnel-private-group-ID will contain the VLAN ID to identify the user traffic .
Create a VLAN interface on the FortiGate matching this VLAN ID.
Other users can be configured in the same way with different VLAN IDs.
This also can be done based on groups.
The important is that the RADIUS attribute configuration above is sent in the successful RADIUS authentication packet access-accept.
FortiGate will evaluate these and match the traffic to the VLAN specified in the tunnel-private-group-IDaccordingly.
Configure the SSID.
The Authentication needs to be done by the remote RADIUS server, in this case selected as FortiAuthenticator.
The 'Dynamic VLAN assignment' will become available (which is required for this setup).
choose between WPA2 enterprise and WPA3 enterprise as in the screenshot.
Note:
If clients do not support WPA3 the connection is not possible. If this is the case, choose WPA2 enterprise is needed.
On The FortiGate a VLAN interface has to be configured on the SSID interface just created.
The VLAN ID here matches the VLAN ID of the Guest user that just has been configured on the FortiAuthenticator (354).
The other options can be configured as needed.
With this interface, create firewall policies from this VLAN interface to destinations.
When authenticating against the newly created 'Guest Wifi', a client will now have to authenticate with the credentials configured on the FortiAuthenticator.
Some clients will additionally ask for a certificate.
Since none was configured above, ignore the certificate validation upon connect.
Result:
The freshly connected client will now receive an address from the VLAN interfaces DHCP servers IP range, 192.168.254.2 in this example.
Traffic from the client will arrive via the 'Guest'-VLAN.
Note:
On older firmwares this is also possible, although some are a little bit different.
Eventually the Dynamic VLAN assignment option is only seen in the CLI:
# config wireless-controller vapA cookbook illustrates this for an older version:
edit Guest-Wifi
set dynamic-vlan enable
next
end
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/21355
