Configuring user authentication
Configuring a WiFi LAN
WPA2 Enterprise authentication
Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server.
Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for
WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be
configured in the SSID. WiFi users can belong to user groups just the same as wired users, and security policies
determine which network services they can access.
If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the
FortiGate unit to connect to that RADIUS server.
Configuring connection to a RADIUS server - web-based manager
1. Go to User & Device > RADIUS Servers and select Create New.
2. Enter a Name for the server.
This name is used in FortiGate configurations. It is not the actual name of the server.
3. In Primary Server Name/IP, enter the network name or IP address for the server.
4. In Primary Server Secret, enter the shared secret used to access the server.
5. Optionally, enter the information for a secondary or backup RADIUS server.
6. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI
config user radius
    edit exampleRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret aoewmntiasf
end
To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Configuring user
authentication on page 45.
To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the
authentication server instead of a password, and you then add those accounts to a user group. Or, you can add
the authentication server to a FortiGate user group, making all accounts on that server members of the user
group.
Creating a wireless user group
Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi
users, you should create at least one WiFi user group. You can add or remove users later. There are two types of
user group to consider:
• A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such
as RADIUS that contain and verify user credentials.
• A Fortinet Single Sign-On (FSSO) user group is used for integration with Windows Active Directory or Novell
eDirectory. The group can contain Windows or Novell user groups whose members will be permitted access to the wireless LAN.
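The following CLI listing is an added example, not from the guide, that ties together the RADIUS server definition above and the Firewall user group described in this section: the server (with the optional backup server from step 5) is placed in a user group, and a WPA2 Enterprise SSID authenticates against that group so firewall policies can match on group membership. The group name wifi-users, the SSID name corp-wifi, the secondary server address and the secret values are placeholders; the option names are as understood for FortiOS 5.4.

```text
# Added example (not from the guide): RADIUS server with a backup peer,
# a firewall user group that uses it, and an SSID enforcing WPA2 Enterprise.
# Secrets are placeholders: use long, random shared secrets in practice.
config user radius
    edit "exampleRADIUS"
        set auth-type auto
        set server 10.11.102.100
        set secret "REPLACE-WITH-LONG-RANDOM-SECRET"
        set secondary-server 10.11.102.101
        set secondary-secret "REPLACE-WITH-LONG-RANDOM-SECRET"
    next
end
# Every account the RADIUS server verifies becomes a member of this group.
config user group
    edit "wifi-users"
        set member "exampleRADIUS"
    next
end
# SSID: WPA2 Enterprise only, authenticating against the user group.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "corp-wifi"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "wifi-users"
    next
end
```

Firewall policies for the wireless interface can then name wifi-users as the source user group, which is what makes WiFi-specific policies possible.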
46 Deploying Wireless Networks for FortiOS 5.4
Fortinet Technologies Inc.