FortiGate - Passpoint Configuration
Configure Passpoint (Hotspot 2.0) on Fortinet FortiGate and FortiAP access points to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This eliminates manual network selection and provides WPA2/WPA3-Enterprise security across your wireless infrastructure.
Supported Platforms
- FortiGate - Integrated wireless controller
- FortiAP - Managed access points
- FortiWLC - Standalone wireless controller
Prerequisites
In FortiGate:
- FortiGate with FortiOS 6.4 or later
- FortiAP with firmware supporting Hotspot 2.0
- Valid FortiCare license for wireless features
In IronWifi Console (complete these first):
- Log in to IronWifi Management Console
- Navigate to Networks > select your network
- Enable Passpoint
- Note the following:
  - RADIUS Server IPs
  - RADIUS Secret
  - NAI Realm
  - Roaming Consortium OIs
FortiGate Configuration
GUI Configuration
Step 1: Configure RADIUS Server
- Log in to FortiGate GUI
- Go to User & Authentication > RADIUS Servers
- Click Create New
- Configure:
  - Name: IronWifi
  - Primary Server IP/Name: IronWifi RADIUS IP
  - Primary Server Secret: Your RADIUS secret
  - Authentication Port: 1812
  - Accounting Port: 1813
- Click OK
Step 2: Create User Group
- Go to User & Authentication > User Groups
- Click Create New
- Configure:
  - Name: Passpoint-Users
  - Type: Firewall
  - Remote Groups: Add IronWifi RADIUS server
- Click OK
Step 3: Configure Hotspot 2.0 Profile
- Go to WiFi & Switch Controller > Hotspot 2.0
- Click Create New under HS2.0 Profiles
- Configure:
  General:
  - Name: IronWifi-Passpoint
  - Internet: Enable
  - Hotspot 2.0: Enable
  Venue Information:
  - Venue Group: Business
  - Venue Type: Unspecified
  Network Authentication Type:
  - Type: Acceptance of terms and conditions (or as needed)
Step 4: Configure Domain Name
- In HS2.0 profile, find Domain Name
- Add: ironwifi.net
Step 5: Configure Roaming Consortium
- Go to Hotspot 2.0 > HS2.0 Roaming Consortium
- Click Create New
- Add:
  - Name: OpenRoaming-Settled
  - OI: 5A03BA0000
- Repeat for:
  - Name: OpenRoaming-Free
  - OI: 004096
- Associate with HS2.0 profile
Step 6: Configure NAI Realm
- Go to Hotspot 2.0 > HS2.0 NAI Realm
- Click Create New
- Configure:
  - Name: IronWifi-Realm
  - NAI: ironwifi.com
  - Encoding: UTF-8
  - EAP Method: EAP-TTLS
  - Auth: Credentials
  - Inner EAP: PAP
- Associate with HS2.0 profile
Step 7: Create SSID
- Go to WiFi & Switch Controller > SSIDs
- Click Create New
- Configure:
  Interface:
  - Name: Passpoint
  - Type: WiFi SSID
  WiFi Settings:
  - SSID: Passpoint
  - Security Mode: WPA2-Enterprise
  - Authentication: RADIUS Server (IronWifi)
  Hotspot 2.0:
  - Hotspot 2.0: Enable
  - HS2.0 Profile: IronWifi-Passpoint
- Click OK
Step 8: Apply to FortiAP
- Go to WiFi & Switch Controller > Managed FortiAPs
- Select target APs
- Assign SSID profile
- Apply configuration
CLI Configuration
# RADIUS Server
config user radius
    edit "IronWifi"
        set server "1.2.3.4"
        set secret your-secret
        set auth-type auto
    next
end
# User Group
config user group
    edit "Passpoint-Users"
        set member "IronWifi"
    next
end
# Hotspot 2.0 Profile
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        set internet enable
        set venue-group business
        set venue-type unspecified
        set domain-name "ironwifi.net"
    next
end
# NAI Realm
config wireless-controller hotspot20 nai-realm
    edit "IronWifi-Realm"
        set realm "ironwifi.com"
        set encoding utf8
        config eap-method
            edit 1
                set method eap-ttls
                set auth credentials
            next
        end
    next
end
# Roaming Consortium
config wireless-controller hotspot20 roaming-consortium
    edit "OpenRoaming-Settled"
        set oi "5A03BA0000"
    next
    edit "OpenRoaming-Free"
        set oi "004096"
    next
end
# SSID with Hotspot 2.0
config wireless-controller vap
    edit "Passpoint"
        set ssid "Passpoint"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "Passpoint-Users"
        set radius-server "IronWifi"
        set hotspot20-profile "IronWifi-Passpoint"
    next
end
# Apply to FortiAP Profile
config wireless-controller wtp-profile
    edit "FAP-Profile"
        config radio-1
            set vaps "Passpoint"
        end
    next
end
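The SSID in the CLI above refers to its RADIUS server, user group and HS2.0 profile by name, so a mistyped name or a leftover placeholder secret is easy to miss on review. The following Python check is an added example, not IronWifi or Fortinet code: it parses a saved configuration in the config/edit/set/next/end layout shown above and reports those problems. The function names `parse_fortios` and `lint_passpoint` are hypothetical, and the sample configuration is constructed with deliberate mistakes.

```python
import shlex

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts; set values are lists."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # honours quotes, drops '#' comments
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) > 1:
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def lint_passpoint(cfg):
    """Flag placeholder secrets, non-Enterprise SSIDs and dangling references."""
    tables = {"radius-server": cfg.get("user radius", {}),
              "usergroup": cfg.get("user group", {}),
              "hotspot20-profile": cfg.get("wireless-controller hotspot20 hs-profile", {})}
    out = []
    for name, srv in tables["radius-server"].items():
        if (srv.get("secret") or [""])[0] in ("", "your-secret"):
            out.append(f"radius {name}: secret missing or placeholder")
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        if "enterprise" not in (vap.get("security") or [""])[0]:
            out.append(f"vap {name}: security mode is not Enterprise")
        for key, table in tables.items():
            out += [f"vap {name}: {key} {ref} is not defined"
                    for ref in vap.get(key, []) if ref not in table]
    return out

# Constructed sample in the page's CLI layout, with deliberate mistakes.
SAMPLE = """
config user radius
    edit "IronWifi"
        set secret your-secret
    next
end
config wireless-controller vap
    edit "Passpoint"
        set security wpa2-only-personal
        set radius-server "IronWifi"
        set hotspot20-profile "IronWifi-Passpoint"
    next
end
"""
print(*lint_passpoint(parse_fortios(SAMPLE)), sep="\n")
```

An empty result for your own saved configuration means the SSID's references resolve and the secret is not the placeholder; it does not validate the values against IronWifi.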
Advanced Configuration
3GPP Cellular Information
For carrier integration:
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        config 3gpp-plmn
            edit 1
                set mcc "310"
                set mnc "410"
            next
        end
    next
end
WAN Metrics
Configure link metrics:
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        set wan-metrics-link-status up
        set wan-metrics-symmetric-link enable
        set wan-metrics-downlink-speed 100000
        set wan-metrics-uplink-speed 50000
    next
end
Connection Capability
Define allowed protocols:
config wireless-controller hotspot20 hs-profile
    edit "IronWifi-Passpoint"
        config conn-cap
            edit 1
                set protocol tcp
                set port 80
                set status open
            next
            edit 2
                set protocol tcp
                set port 443
                set status open
            next
        end
    next
end
Operator Icons
Add operator branding:
config wireless-controller hotspot20 icon
    edit "IronWifi-Icon"
        set lang "eng"
        set width 64
        set height 64
        set type png
        set file "icon.png"
    next
end
Firewall Policy
Create policy for Passpoint users:
config firewall policy
    edit 0
        set name "Passpoint-Internet"
        set srcintf "Passpoint"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "Passpoint-Users"
    next
end
Troubleshooting
Network Not Discovered
- Verify Hotspot 2.0 Status
  diagnose wireless-controller wlac -c vap
- Check HS2.0 Profile
  diagnose wireless-controller wlac -c hs20
- Verify FortiAP Configuration
  diagnose wireless-controller wlac -c wtp
Authentication Failures
- Test RADIUS Connectivity
  diagnose test authserver radius IronWifi mschap2 username password
- Check RADIUS Debug
  diagnose debug application radiusd -1
  diagnose debug enable
- Review Logs
  execute log filter device disk
  execute log filter category event
  execute log display
Debug Commands
# Show Hotspot 2.0 status
diagnose wireless-controller wlac -c hs20-profile
# Show client associations
diagnose wireless-controller wlac -c sta
# Show RADIUS statistics
diagnose wireless-controller wlac -c radius
# Debug wireless
diagnose debug application wpad -1
diagnose debug enable
Best Practices
- Firmware: Use FortiOS 7.0+ for best Passpoint support
- FortiAP: Ensure APs support Hotspot 2.0 (check datasheet)
- Testing: Test with multiple Passpoint clients
- Monitoring: Use FortiAnalyzer for detailed logs
- Security: Implement proper firewall policies
- Redundancy: Configure backup RADIUS servers