FortiWLC – RADIUS Authentication

RADIUS Authentication

Conceptual 802.1X Model for RADIUS Authentication

The conceptual model for 802.1X authentication looks like this:

Figure 53: Conceptual Model for 802.1X RADIUS Server Authentication

802.1X RADIUS authentication works like this:

  1. Depending on the EAP type, you may first need to obtain a digital certificate from the Certificate Server.
  2. Using EAP as end user, contact the AP in order to be authenticated.
  3. The AP forwards the request to the controller.
  4. The controller acts as a RADIUS client and sends the request to the RADIUS server.
  5. Depending on the EAP type, the RADIUS server may challenge the end user for a password, or the user may present a digital certificate that they have previously obtained from a Certificate Server.
  6. The RADIUS server authenticates the end user and the access point, and opens a port to accept the data from the end user.
Configure RADIUS Authentication for Users With the Web UI

To use RADIUS authentication for guests and employees on the network,

  1. Add the controller IP address and shared secret in the RADIUS server.
  2. Create a RADIUS Profile (use the same shared secret as in step 1).
  3. Include that RADIUS Profile in a Security Profile.
  4. Include the Security Profile in an ESS Profile.

Configuring RADIUS authentication for administrators is a different, simpler process. Follow these steps to add a RADIUS profile:

  1. Click Configuration > Security > RADIUS.
  2. Provide a name, description, IP address, secret key, and port number (1812 is default).
  3. Select a MAC address delimiter (Hyphen, Single Hyphen or Colon) from the list.
  4. Select a password type (Shared Key or MAC Address) from the list.
  5. Select a called station ID type (Default, MacAddress, or MacAddress:SSID) from the list.
  6. Select CoA Status. To process, CoA requests from this RADIUS server, set this to ON.
  7. Click OK.

Indicate when the RADIUS server should be used. There are two ways to do this. One way is a two-step process that creates a Security Profile to call the RADIUS Profile, and then creates an ESS Profile to call the Security Profile. This process is described in steps 6 and 7.

  1. Click Configuration > Security > Profile. Here you see all security profiles that have been created on this controller. You can either modify an existing security profile to use the RADIUS server or you can add a new security profile. Either way, the security profile includes a drop-down list for Primary RADIUS Profile Name and Secondary RADIUS Profile Name; all configured RADIUS servers are listed and you can select one from the list.

Indicate which ESS Profile should use the Security Profile.

  1. Click Configuration > Wireless > ESS. Here you see all ESS profiles that have been created on this controller. You can either modify an existing ESS profile to use the Security Profile or you can add a new ESS Profile. Either way, there is a drop-down list for Security Profile Name; all configured Security Profiles are listed and you can select one from the list.

You can also skip step 6 above and select the Primary RADIUS Profile Name and Secondary RADIUS Profile Name directly from the ESS as part of step 7. In addition, you can configure server timeout and retries:

  • RADIUS Server Timeout: This is the time interval (in seconds) between which the RADIUS authentication with primary RADIUS server is retried.
  • RADIUS Server Retries: This is the number of attempts to reach the primary RADIUS server. After the retries limit is reached, the authentication workflow is sent to the secondary server. All new clients will be authenticated via the secondary RADIUS server.
COA Support

FortiWLC (SD) provides the following support for change of authorization messages:

  • Only 1x and Captive Portal user sessions supported.
  • Both Primary/Secondary RADIUS Profiles supported.
  • Controller listens to COA messages on UDP port 3799
  • User sessions in a COA messages can be identified using MAC-address and/or username.
  • Disconnect or CoA requests can be sent from any configured RADIUS server in the controller.
  • CoA requests on UDP 1700, to enable Cisco ISE Interoperability.
  • For Disconnect Message, only station mac-address is required. When disconnected, the client is completely disconnected from the network and its session data, 1x, PMK Cache is also cleared. In case of captive portal session, session aging timer is also cleared. After a disconnect, the client must be go through complete authentication sequence to reconnect.
  • While sending a CoA message, only the change of Filter-ID is supported.
  • RADIUS based filter-ID and CoA for filter-ID change for MAC authenticated (RADIUS) clients is supported.
  • CoA disconnection requests are honoured when a user maps a security profile which is configured for WPA-PSK with MAC filtering enabled, to an ESS profile is implemented. CoA disconnect requests for Captive Portal Bypass and MAC filtering enabled stations have the stations go through the complete MAC and CP authentication while re-connecting. If you create more than one RADIUS profile using the same server IP address, ensure that the shared secret is the same across profiles.
RADIUS Disconnect Message and Filter-ID Support

802.1x                MAC Auth            Captive Portal

Y                            Y                              Y

RADIUS Disconnect

Y    x              Y CoA (Filter-ID)

Configure RADIUS Authentication for Administrators With the Web UI

Configure RADIUS authentication for all administrators by following these steps:

  1. Click Configuration > User Management.
  2. Select RADIUS for Authentication Type at the top of the screen. See Figure 55.
  3. There are three tabs for admin authentication (see m), RADIUS, Tacacs+ and Local Admins. The RADIUS tab is the default.

Figure 54: Configure a User for RADIUS Authentication

  1. Provide the IP address of the primary RADIUS server.
  2. Provide a primary RADIUS port number; the default is 1812.
  3. Provide the secret key for RADIUS server access.
  4. Optionally repeat steps 4, 5 and 6 for a secondary RADIUS server.
  5. Click OK.
  6. Add administrators on the RADIUS server using these three levels.
1 Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.
10 Administrators can also do general configuration changes, but cannot upgrade APs or controllers, nor can they upgrade FortiWLC (SD) versions using Telnet. The cannot configure an NMS server, NTP server, change the system password, date or time (all CLI). They cannot create admins nor can they set the authentication mode for a controller (GUI and CLI). Administrators cannot add or remove licensing.
15 SuperUser administrators can perform all configurations on the controller. They are the only ones who can upgrade APs or controllers and they can upgrade FortiWLC (SD) versions using Telnet. The can configure an NMS server, NTP server, system password, date and time (all CLI). They can also create admins and set the authentication mode for a controller (GUI and CLI). Superusers can add and remove licensing.
Configure RADIUS Authentication for Administrators With the CLI

Commands to configure all controller administrators for RADIUS authentication mode:

  • authentication mode global
  • primary-radius-ip
  • primary-radius-port
  • primary-radius-secret
  • authentication type radius
  • secondary-radius-ip
  • secondary-radius-port
  • secondary-radius-secret

For command details, see the FortiWLC (SD) Command Reference.

CLI Example for Setting Authentication Mode to RADIUS

ramcntrl(0)# configure terminal ramcntrl(0)(config)# authentication‐mode global ramcntrl(0)(config‐auth‐mode)# authentication‐type radius ramcntrl(0)(config‐auth‐mode)# primary‐radius‐

primary‐radius‐ip      primary‐radius‐port    primary‐radius‐secret  ramcntrl(0)(config‐auth‐mode)# primary‐radius‐ip 172.18.1.3 ramcntrl(0)(config‐auth‐mode)# primary‐radius‐secret RadiusP ramcntrl(0)(config‐auth‐mode)# secondary‐radius‐

secondary‐radius‐ip      secondary‐radius‐port    secondary‐radius‐secret  ramcntrl(0)(config‐auth‐mode)# secondary‐radius‐ip 172.18.1.7 ramcntrl(0)(config‐auth‐mode)# secondary‐radius‐secret RadiusS ramcntrl(0)(config‐auth‐mode)# exit ramcntrl(0)(config)# exit

ramcntrl(0)# sh authentication‐mode Administrative User Management

AuthenticationType           : radius

Primary RADIUS IP Address    : 172.18.1.3

Primary RADIUS Port          : 1812

Primary RADIUS Secret Key    : *****

Secondary RADIUS IP Address  : 172.18.1.7

Secondary RADIUS Port        : 1812

Secondary RADIUS Secret Key  : *****

Primary TACACS+ IP Address   : 0.0.0.0

Primary TACACS+ Port         : 49

Primary TACACS+ Secret Key   : *****

Secondary TACACS+ IP Address : 0.0.0.0

Secondary TACACS+ Port       : 49

Secondary TACACS+ Secret Key : ***** ramcntrl(0)#

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.