The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.
- Go to Authentication > RADIUS Service > Clients and select Create New.
Enter a Name, enter the FortiGate’s IP address, and enter a Secret. Set the Authentication method to Password-only authentication and set Username input format to username@realm.
EAP-TLS should be the only EAP type selected to prevent fallback to a less secure version of authentication if a certificate is not presented by the WiFi client.