FortiGate

Integrate Fortinet FortiGate wireless controllers with IronWifi's RADIUS authentication and external captive portal. This guide covers RADIUS server configuration, user group creation, external captive portal setup, firewall policy configuration, exempt list (walled garden) setup, WPA-Enterprise deployment, and optional RadSec for encrypted RADIUS communications.

Prerequisites

In FortiGate:

  • FortiGate device with wireless capability
  • Admin access to FortiGate web interface or CLI
  • Network configured for guest WiFi

In IronWifi Console (complete these first):

  1. Create a Network in IronWifi Console
  2. Create a Captive Portal with vendor Fortinet
  3. Note your RADIUS settings (Primary IP, Backup IP, Secret) and Splash Page URL

FortiGate Configuration

Step 1: Configure RADIUS Server

  1. Navigate to User & Authentication > RADIUS Servers
  2. Click Create New
  3. Configure:
    • Name: IronWifi
    • Primary Server IP: {Primary IP}
    • Primary Server Secret: {Secret}
    • Secondary Server IP: {Backup IP}
    • Authentication Scheme: Use default

Step 2: Test RADIUS Connection

  1. Click Test Connectivity
  2. Enter test user credentials
  3. Verify "Access-Accept" response

Step 3: Create User Group

  1. Navigate to User & Authentication > User Groups
  2. Click Create New
  3. Configure:
    • Name: IronWifi-Users
    • Type: Firewall
    • Remote Groups: Add IronWifi RADIUS

Step 4: Configure Captive Portal

  1. Navigate to WiFi & Switch Controller > WiFi
  2. Select your SSID
  3. Configure Security:
    • Security Mode: Captive Portal
    • Portal Type: External
    • External Captive Portal URL: {Splash Page URL}

Step 5: Configure Firewall Policy

Create policy for guest network:

  1. Navigate to Policy & Objects > Firewall Policy
  2. Create new policy:
    • Incoming Interface: WiFi interface
    • Outgoing Interface: WAN
    • Source: Guest network
    • Destination: All
    • Service: ALL
    • Action: Accept
    • Security Profiles: As needed

Step 6: Exempt List (Walled Garden)

Configure addresses that guests can access before authentication:

  1. Navigate to Policy & Objects > Addresses
  2. Create an address object for IronWifi:
    • Name: IronWifi-Splash
    • IP/Netmask: 107.178.250.42/32
  3. Create an exemption policy that allows pre-authentication access to these addresses

If you're using social login or payment providers, add these domains to your walled garden (wildcard entries cover subdomains only, so the bare domain is listed separately where it is needed):

  • Google: *.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com
  • Facebook: *.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com
  • LinkedIn: *.linkedin.com, *.licdn.com, linkedin.com
  • Twitter/X: *.twitter.com, *.twimg.com, twitter.com, *.x.com, x.com
  • Apple: *.apple.com, *.icloud.com, appleid.apple.com
  • Microsoft/Azure AD: *.microsoft.com, *.microsoftonline.com, *.msftauth.net, login.microsoftonline.com
  • Stripe: *.stripe.com, js.stripe.com
  • PayPal: *.paypal.com, *.paypalobjects.com
  • Twilio (SMS): *.twilio.com
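The walled-garden list above is easy to get wrong by hand (a `*.` entry does not match the bare domain, and exact hostnames and wildcard hostnames are different object types in FortiOS). The script below is an added example, not IronWifi's or Fortinet's own tooling: it turns the provider entries into FortiOS address objects, collects them in groups, and emits a pre-authentication policy for them. The object and group names, the interface and source-address placeholders, and the use of the `captive-portal-exempt` policy option are assumptions; confirm them against your FortiOS version before applying the output.

```python
"""Generate FortiOS CLI objects for the pre-authentication walled garden.

Added example (not IronWifi or Fortinet code). Exact hostnames become
`firewall address` objects of type fqdn, `*.example` entries become
`firewall wildcard-fqdn custom` objects, and both are grouped for a
pre-auth policy. Names, placeholders and `captive-portal-exempt` are
assumptions to verify on your firmware.
"""
import re
from typing import Dict, List, Tuple

# Splash-page object from the guide.
SPLASH_NAME, SPLASH_SUBNET = "IronWifi-Splash", "107.178.250.42/32"

# Provider entries as listed in the guide.
PROVIDERS: Dict[str, List[str]] = {
    "Google": ["*.google.com", "*.googleapis.com", "*.gstatic.com", "accounts.google.com"],
    "Facebook": ["*.facebook.com", "*.fbcdn.net", "connect.facebook.net", "facebook.com"],
    "LinkedIn": ["*.linkedin.com", "*.licdn.com", "linkedin.com"],
    "Twitter/X": ["*.twitter.com", "*.twimg.com", "twitter.com", "*.x.com", "x.com"],
    "Apple": ["*.apple.com", "*.icloud.com", "appleid.apple.com"],
    "Microsoft/Azure AD": ["*.microsoft.com", "*.microsoftonline.com", "*.msftauth.net",
                           "login.microsoftonline.com"],
    "Stripe": ["*.stripe.com", "js.stripe.com"],
    "PayPal": ["*.paypal.com", "*.paypalobjects.com"],
    "Twilio (SMS)": ["*.twilio.com"],
}

HOST_GROUP = "IronWifi-WalledGarden-Hosts"          # assumed group name
WILD_GROUP = "IronWifi-WalledGarden-Wildcards"      # assumed group name


def is_wildcard(entry: str) -> bool:
    """A leading '*.' marks a wildcard FQDN; it does not match the apex domain."""
    return entry.startswith("*.")


def object_name(provider: str, entry: str) -> str:
    """Derive a FortiOS-safe object name: no '/', spaces or '*', at most 79 chars."""
    raw = f"WG-{provider}-{entry.lstrip('*.')}"
    return re.sub(r"[^A-Za-z0-9.\-]+", "-", raw)[:79]


def split_entries(providers: Dict[str, List[str]]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return ([(name, wildcard), ...], [(name, exact_fqdn), ...])."""
    wild, exact = [], []
    for provider, entries in providers.items():
        for entry in entries:
            (wild if is_wildcard(entry) else exact).append((object_name(provider, entry), entry))
    return wild, exact


def render(providers: Dict[str, List[str]] = PROVIDERS,
           guest_intf: str = "<guest-wifi-interface>",     # placeholder
           wan_intf: str = "<wan-interface>",              # placeholder
           guest_addr: str = "<guest-network-address>") -> str:  # placeholder
    """Emit the complete FortiOS CLI for objects, groups and the pre-auth policy."""
    wild, exact = split_entries(providers)
    out = ["config firewall address",
           f'    edit "{SPLASH_NAME}"', "        set type subnet",
           f"        set subnet {SPLASH_SUBNET}", "    next"]
    for name, fqdn in exact:
        out += [f'    edit "{name}"', "        set type fqdn", f'        set fqdn "{fqdn}"', "    next"]
    out += ["end", "config firewall wildcard-fqdn custom"]
    for name, pattern in wild:
        out += [f'    edit "{name}"', f'        set wildcard-fqdn "{pattern}"', "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{HOST_GROUP}"',
            "        set member " + " ".join(f'"{n}"' for n in [SPLASH_NAME] + [n for n, _ in exact]),
            "    next", "end",
            "config firewall wildcard-fqdn group", f'    edit "{WILD_GROUP}"',
            "        set member " + " ".join(f'"{n}"' for n, _ in wild),
            "    next", "end",
            "config firewall policy", "    edit 0",
            '        set name "Guest-PreAuth-WalledGarden"',
            f'        set srcintf "{guest_intf}"', f'        set dstintf "{wan_intf}"',
            f'        set srcaddr "{guest_addr}"',
            f'        set dstaddr "{HOST_GROUP}" "{WILD_GROUP}"',
            "        set action accept", '        set schedule "always"',
            '        set service "DNS" "HTTP" "HTTPS"',
            "        set captive-portal-exempt enable",   # assumed option; verify on your firmware
            "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render())
```

Place the generated pre-auth policy above the authenticated guest policy from Step 5, since FortiGate evaluates policies top-down; DNS is included because the captive-portal redirect and every provider hostname depend on it.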

CLI Configuration

# RADIUS server object; secondary server uses the IronWifi backup IP
config user radius
    edit "IronWifi"
        set server "{PRIMARY_IP}"
        set secret {SECRET}
        set secondary-server "{BACKUP_IP}"
        set secondary-secret {SECRET}
        set acct-interim-interval 600
    next
end

# Firewall user group backed by the RADIUS server
config user group
    edit "IronWifi-Users"
        set member "IronWifi"
    next
end

# SSID with external captive portal; users authenticate through the IronWifi splash page
config wireless-controller vap
    edit "Guest-WiFi"
        set ssid "Guest-WiFi"
        set security captive-portal
        set portal-type external-auth
        set external-web "{SPLASH_URL}"
        set selected-usergroups "IronWifi-Users"
    next
end

RadSec Configuration

For RADIUS over TLS:

  1. Enable RadSec in IronWifi
  2. Download certificates
  3. In FortiGate:

# RADIUS server object using RADIUS over TLS (RadSec)
config user radius
    edit "IronWifi-RadSec"
        set server "{RADSEC_SERVER}"
        set secret {SECRET}
        set transport-protocol tls
    next
end

WPA-Enterprise

For 802.1X:

# WPA2-Enterprise SSID: 802.1X authentication is delegated to the IronWifi RADIUS server
config wireless-controller vap
    edit "Secure-WiFi"
        set ssid "Secure-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "IronWifi"
    next
end

Troubleshooting

If you encounter issues after configuration, use this list to diagnose and resolve common problems:

  • Symptom: RADIUS connection failed
    Cause: Incorrect server settings or firewall blocking
    Solution: Verify server IP and port, check the shared secret, test firewall rules, and use the diagnose test authserver radius command
  • Symptom: Captive portal not showing
    Cause: Incorrect portal configuration
    Solution: Verify the portal type is external, check that the external URL is correct, and confirm the exempt list allows access to the splash page
  • Symptom: Authentication issues
    Cause: User group or RADIUS misconfiguration
    Solution: Check the user group configuration, verify the RADIUS server association, and review authentication logs with diagnose debug application radius -1
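Both the Step 2 connectivity test and the "RADIUS connection failed" entry above come down to the same wire-level facts: the User-Password attribute is hidden with MD5(secret + Request Authenticator), and every reply carries a Response Authenticator computed over the reply and the shared secret, so a wrong secret makes the reply fail verification rather than produce a bogus accept. The script below is an added example, not IronWifi's or Fortinet's code: it builds an RFC 2865 Access-Request the way a NAS such as a FortiGate does, simulates the server's reply, and shows the client-side checks that distinguish a secret mismatch from a stale or malformed reply. The secret, NAS identifier and reply bytes are constructed for the example, and no network I/O is performed.

```python
"""Build an RFC 2865 Access-Request and validate the reply authenticator.

Added example (not IronWifi or Fortinet code). Models the exchange behind
a FortiGate "Test Connectivity" check entirely offline: password hiding,
Response Authenticator computation, and the client-side checks that turn a
shared-secret mismatch into a concrete diagnosis. Secret, NAS identifier
and reply bytes are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_id: str, req_auth: bytes = None):
    """Return (packet, request_authenticator); keep the authenticator to check the reply."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Simulated server side: an Access-Accept or Access-Reject as sent on the wire."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, req_auth, secret) + attrs


def check_reply(reply: bytes, req_auth: bytes, expected_ident: int, secret: bytes) -> str:
    """Client-side validation; returns 'accept', 'reject' or a diagnosis string."""
    if len(reply) < 20:
        return "malformed: shorter than the 20-byte header"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return "malformed: Length field does not match packet size"
    if ident != expected_ident:
        return "identifier mismatch: stale or unsolicited reply"
    attrs = reply[20:]
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return "bad Response Authenticator: shared secret mismatch or altered packet"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"unexpected code {code}")


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed; not a real deployment secret
    packet, ra = build_access_request(7, "guest", "guest-pw", secret, "FortiGate-Guest")
    reply = build_reply(ACCESS_ACCEPT, 7, b"", ra, secret)
    print(check_reply(reply, ra, 7, secret))       # accept
    print(check_reply(reply, ra, 7, b"wrong"))     # bad Response Authenticator ...
```

The password hiding and the Response Authenticator both rest on MD5 keyed only by the shared secret, which is why the guide's RadSec option (RADIUS over TLS) is worth enabling wherever the RADIUS path crosses an untrusted network.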