Fortinet black logo

Cookbook

WiFi with WSSO using Windows NPS and Attributes

Copy Link
Copy Doc ID 598118ae-ea1f-11e9-8977-00505692583a:640488
Download PDF

WiFi with WSSO using Windows NPS and Attributes

This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. They belong to a Windows Active Directory (AD) group called WiFiAccess. The Network Policy Server (NPS) or RADIUS server performs user authentication and passes the WiFi group attribute to the FortiGate so that the appropriate security policy is applied.

There is an alternative way to setup WiFi with WSSO. To learn more about it, see WiFi with WSSO using Windows NPS and FortiGate Groups

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right click on RADIUS Clients, and create an entry for the FortiGate. Enter the FortiGate’s IP address. Enter the Shared secret (password).

2. Creating a Connection Request Policy

Right click Connection Request Policies under Policies and select New. Leave default values for Overview and Settings tab. Under Conditions tab, enter Client IPv4 Address as the FortiGate’s IP address.

3. Creating a Network Policy

Right click Network Policies under Policies and selectNew to create a new policy. Leave default values in Overview tab. In Conditions tab, click on Add, select Windows Group, then select Add. Finally Add Groups, then enter WiFiAccess, and select OK.

In Constraints tab, under Authentication Methods, click Add, then select Microsoft: Protected EAP (PEAP) then OK. Next select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), and finally select User can change password after it has expired and select OK.

In Settings tab, go to RADIUS Attributes > Vendor Specific, then click Add, select Custom under Vendor and Vendor Specific under Attributes select Add. On Attribute Information window, click Add, type 12356 next to Enter Vendor Code, next select Yes. It conforms. Click on Configure Attribute and a new window pops up, on Vendor-assigned attribute number enter 1, on Attribute format select String, and in Attribute value enter WiFi and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group that matches the WiFi RADIUS attribute. Do not add any members or remote servers.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.

Set WPA2-Enterprise with RADIUS Server authentication, and choose DC-RADIUS.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD Group.

Go to Monitor > Firewall User Monitor. You can see the User Name, User Group and verify that WSSO authentication Method was used.

WiFi with WSSO using Windows NPS and Attributes

This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. They belong to a Windows Active Directory (AD) group called WiFiAccess. The Network Policy Server (NPS) or RADIUS server performs user authentication and passes the WiFi group attribute to the FortiGate so that the appropriate security policy is applied.

There is an alternative way to setup WiFi with WSSO. To learn more about it, see WiFi with WSSO using Windows NPS and FortiGate Groups

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right click on RADIUS Clients, and create an entry for the FortiGate. Enter the FortiGate’s IP address. Enter the Shared secret (password).

2. Creating a Connection Request Policy

Right click Connection Request Policies under Policies and select New. Leave default values for Overview and Settings tab. Under Conditions tab, enter Client IPv4 Address as the FortiGate’s IP address.

3. Creating a Network Policy

Right click Network Policies under Policies and selectNew to create a new policy. Leave default values in Overview tab. In Conditions tab, click on Add, select Windows Group, then select Add. Finally Add Groups, then enter WiFiAccess, and select OK.

In Constraints tab, under Authentication Methods, click Add, then select Microsoft: Protected EAP (PEAP) then OK. Next select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), and finally select User can change password after it has expired and select OK.

In Settings tab, go to RADIUS Attributes > Vendor Specific, then click Add, select Custom under Vendor and Vendor Specific under Attributes select Add. On Attribute Information window, click Add, type 12356 next to Enter Vendor Code, next select Yes. It conforms. Click on Configure Attribute and a new window pops up, on Vendor-assigned attribute number enter 1, on Attribute format select String, and in Attribute value enter WiFi and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group that matches the WiFi RADIUS attribute. Do not add any members or remote servers.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.

Set WPA2-Enterprise with RADIUS Server authentication, and choose DC-RADIUS.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD Group.

Go to Monitor > Firewall User Monitor. You can see the User Name, User Group and verify that WSSO authentication Method was used.