FortiGate - RadSec Configuration
Configure RadSec (RADIUS over TLS) on FortiGate wireless controllers and FortiAP access points for secure OpenRoaming authentication with IronWifi. This guide covers certificate installation via GUI, CLI-based RadSec configuration, and Hotspot 2.0 profile creation for FortiOS 7.x deployments.
Quick Start
- Enable RadSec and OpenRoaming in IronWifi Console
- Download certificate bundle
- Import certificates via FortiGate GUI (System > Certificates)
- Configure RADIUS server with RadSec via CLI
- Create Hotspot 2.0 profile with OpenRoaming OIs
- Apply to wireless VAP
Prerequisites
In FortiGate:
- FortiGate with FortiOS 7.0 or later
- FortiAP access points
- CLI access (required for RadSec configuration)
In IronWifi Console (complete these first):
- Create or select a Network in the IronWifi Console
- Enable OpenRoaming from the dropdown menu
- Enable RadSec from the dropdown menu
- Download the certificate bundle (ZIP file containing Root CA, Intermediate CA, client certificate, and private key)
Important Note
FortiGate RadSec configuration requires CLI access. The GUI does not support all RadSec settings.
Certificate Installation
Upload Certificates via GUI
1. Log in to the FortiGate web interface.
2. Go to System > Certificates.
3. Import the CA certificates:
   - Click Import > CA Certificate
   - Upload iw-rsa-root-ca.cert.pem - Name: IronWifi-Root-CA
   - Upload iw-rsa-radsec-signing-ca.cert.pem - Name: IronWifi-RadSec-CA
4. Import the client certificate:
   - Click Import > Local Certificate
   - Upload client.cert.pem and client.key.pem - Name: IronWifi-RadSec-Client
Verify Certificates
After import, certificates should appear in:
- Remote CA Certificates: IronWifi-Root-CA, IronWifi-RadSec-CA
- Local Certificates: IronWifi-RadSec-Client
CLI Configuration
Configure RADIUS Server with RadSec
Connect to FortiGate CLI and configure:
config user radius
    edit "IronWifi-RadSec"
        set server "radsec.ironwifi.com"
        set secret ""
        set radius-port 2083
        set transport-protocol tls
        set ca-cert "IronWifi-Root-CA"
        set client-cert "IronWifi-RadSec-Client"
        set server-identity-check enable
        set interface-select-method auto
    next
end
Key Parameters Explained
| Parameter | Value | Description |
|---|---|---|
| server | radsec.ironwifi.com | RadSec server address |
| secret | "" | Empty for RadSec (authentication uses certificates) |
| radius-port | 2083 | Standard RadSec port (TCP) |
| transport-protocol | tls | Enable RadSec (RADIUS over TLS) |
| ca-cert | IronWifi-Root-CA | CA used to verify the server certificate |
| client-cert | IronWifi-RadSec-Client | Client certificate presented to the server |
| server-identity-check | enable | Verify that the server certificate matches the configured server name |
Configure User Group
config user group
    edit "RadSec-Users"
        set member "IronWifi-RadSec"
    next
end
Wireless Configuration
Create SSID with Passpoint
config wireless-controller vap
    edit "OpenRoaming"
        set ssid "OpenRoaming"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "RadSec-Users"
        set radius-server "IronWifi-RadSec"
        set local-bridging enable
        set local-lan enable
        set hotspot20-profile "IronWifi-Passpoint"
    next
end
Configure Hotspot 2.0 Profile
The OpenRoaming organization identifiers (OIs) are defined in an ANQP roaming consortium object, which the Hotspot 2.0 profile then references:
config wireless-controller hotspot20 anqp-roaming-consortium
    edit "OpenRoaming-OIs"
        config oi-list
            edit 1
                set oi "5A03BA0000"
            next
            edit 2
                set oi "5A03BA0200"
            next
            edit 3
                set oi "004096"
            next
        end
    next
end
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        set internet enable
        set venue-group business
        set venue-type unspecified
        set domain-name "ironwifi.net"
        set roaming-consortium "OpenRoaming-OIs"
        set wan-metrics-link-status up
        set wan-metrics-symmetric-link enable
    next
end
Configure NAI Realm
The realm entry sits inside the nai-list of the ANQP NAI realm object. It advertises EAP-TTLS with PAP as the inner (non-EAP) authentication method:
config wireless-controller hotspot20 anqp-nai-realm
    edit "IronWifi-Realm"
        config nai-list
            edit "ironwifi"
                set nai-realm "ironwifi.com"
                config eap-method
                    edit 1
                        set method eap-ttls
                        config auth-param
                            edit 1
                                set id non-eap-inner-auth
                                set val pap
                            next
                        end
                    next
                end
            next
        end
    next
end
Link NAI Realm to Profile
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        set nai-realm "IronWifi-Realm"
    next
end
Complete Configuration Script
Copy and paste this complete configuration into the CLI:
# Certificates (import via GUI first, then reference them here)
# RADIUS with RadSec
config user radius
    edit "IronWifi-RadSec"
        set server "radsec.ironwifi.com"
        set secret ""
        set radius-port 2083
        set transport-protocol tls
        set ca-cert "IronWifi-Root-CA"
        set client-cert "IronWifi-RadSec-Client"
        set server-identity-check enable
    next
end
# User Group
config user group
    edit "RadSec-Users"
        set member "IronWifi-RadSec"
    next
end
# NAI Realm (EAP-TTLS with PAP inner authentication)
config wireless-controller hotspot20 anqp-nai-realm
    edit "IronWifi-Realm"
        config nai-list
            edit "ironwifi"
                set nai-realm "ironwifi.com"
                config eap-method
                    edit 1
                        set method eap-ttls
                        config auth-param
                            edit 1
                                set id non-eap-inner-auth
                                set val pap
                            next
                        end
                    next
                end
            next
        end
    next
end
# Roaming Consortium (OpenRoaming OIs)
config wireless-controller hotspot20 anqp-roaming-consortium
    edit "OpenRoaming-OIs"
        config oi-list
            edit 1
                set oi "5A03BA0000"
            next
            edit 2
                set oi "5A03BA0200"
            next
            edit 3
                set oi "004096"
            next
        end
    next
end
# Hotspot 2.0 Profile
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        set internet enable
        set venue-group business
        set venue-type unspecified
        set domain-name "ironwifi.net"
        set nai-realm "IronWifi-Realm"
        set roaming-consortium "OpenRoaming-OIs"
        set wan-metrics-link-status up
    next
end
# SSID
config wireless-controller vap
    edit "OpenRoaming"
        set ssid "OpenRoaming"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "RadSec-Users"
        set radius-server "IronWifi-RadSec"
        set hotspot20-profile "IronWifi-Passpoint"
    next
end
Firewall Policy
Create firewall policy for RadSec users:
config firewall policy
    edit 0
        set name "RadSec-Internet"
        set srcintf "OpenRoaming"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "RadSec-Users"
    next
end
Verification
Check RADIUS Configuration
diagnose test authserver radius IronWifi-RadSec pap <username> <password>
Replace <username> and <password> with a test account's credentials; the command reports whether the RadSec server accepted or rejected the request.
Check RadSec Connection
diagnose debug application fnbamd -1
diagnose debug enable
fnbamd is the daemon that performs RADIUS authentication on FortiGate; its debug output includes the TLS handshake and certificate verification results for the RadSec connection. Run diagnose debug disable when finished.
Check Certificate Status
get vpn certificate local
get vpn certificate ca
Monitor Authentication
diagnose wireless-controller wlac -c sta
Troubleshooting
RadSec Connection Failures
- Certificate issues: enable authentication daemon debugging and watch for TLS handshake or certificate verification errors while a client attempts to connect:
  diagnose debug application fnbamd -1
  diagnose debug enable
- Verify certificates:
  - Check certificate validity (not expired, not yet valid)
  - Ensure the CA chain is complete (Root CA and RadSec signing CA both imported)
  - Verify the client certificate matches its private key
- Network issues:
  - Verify TCP port 2083 is open outbound
  - Check DNS resolution of radsec.ironwifi.com
  - Test connectivity to the RadSec server
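The three certificate checks above can be run offline on the downloaded bundle before anything is imported. The following shell function is an added example, not part of the IronWifi guide or of FortiOS; it assumes openssl is installed, uses the bundle file names from the certificate installation section, and treats a 30-day expiry window (an arbitrary choice) as a failure:

```shell
#!/bin/sh
# Added example (not from the IronWifi guide or FortiOS): offline checks for the
# RadSec certificate bundle before it is imported into FortiGate.
# Usage: verify_radsec_bundle <root-ca.pem> <signing-ca.pem> <client.cert.pem> <client.key.pem>
# Assumes openssl is installed; the 30-day expiry window is an arbitrary choice.
verify_radsec_bundle() {
    root=$1; inter=$2; cert=$3; key=$4; status=0

    # 1) Chain completeness: the client certificate must chain to the Root CA
    #    through the RadSec signing CA. If this fails, importing the same files
    #    into FortiGate gives "Certificate verify failed" on the RadSec session.
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root via $inter"
        status=1
    fi

    # 2) Key match: the public key embedded in the certificate must be identical
    #    to the public half of the private key (both printed as PEM SPKI).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"
        status=1
    fi

    # 3) Expiry: fail if any certificate in the bundle expires within 30 days
    #    (2592000 seconds) or has already expired.
    for f in "$root" "$inter" "$cert"; do
        if ! openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null 2>&1; then
            echo "FAIL: $f expires within 30 days or is already expired"
            status=1
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: bundle is consistent and valid"
    return "$status"
}

# Run directly against the four files from the IronWifi Console bundle, e.g.
# sh check-bundle.sh iw-rsa-root-ca.cert.pem iw-rsa-radsec-signing-ca.cert.pem client.cert.pem client.key.pem
if [ "$#" -eq 4 ]; then
    verify_radsec_bundle "$@"
fi
```

A non-zero exit status means at least one check failed and the reason was printed; a bundle that passes here but still fails on the FortiGate points to the network or DNS checks above rather than the certificates.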
Authentication Problems
- Check RADIUS events on the FortiGate:
  diagnose debug application fnbamd -1
  diagnose debug enable
- Review FortiAnalyzer (if available):
  - Check RADIUS authentication logs
  - Look for rejection reasons
Common Errors
| Error | Cause | Solution |
|---|---|---|
| "TLS handshake failed" | Cert issue | Re-import certificates |
| "Connection timeout" | Port blocked | Check firewall rules |
| "Certificate verify failed" | CA not trusted | Import complete CA chain |
| "No matching realm" | NAI config | Verify realm configuration |
Best Practices
- Use FortiOS 7.x: Better RadSec support
- CLI Configuration: Required for full RadSec setup
- Monitor Certificates: Track expiration dates
- Test Connectivity: Verify RadSec before production
- Backup Configuration: Save working config
- Use FortiAnalyzer: For detailed logging
Related Topics
- OpenRoaming Overview - Main OpenRoaming configuration guide
- RadSec Overview - Understanding RadSec technology
- FortiGate Passpoint - Passpoint configuration details
- Passpoint Overview - Understanding Passpoint technology