MAC-based authentication
Wireless clients can also be supplementally authenticated by MAC address. A RADIUS server stores the allowed MAC address for each client and the wireless controller checks the MAC address independently of other authentication methods.
MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing access point “vap1” to use RADIUS server hq_radius (configured on the FortiGate):
config wireless-controller vap
    edit vap1
        set radius-mac-auth enable
        set radius-mac-auth-server hq_radius
end
Authenticating guest WiFi users
The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit. To implement guest access, you need to:
- Go to User & Device > User Groups and create one or more guest user groups.
- Go to User & Device > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.
- Go to WiFi & Switch Controller > SSID and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.
Guest users can log into the WiFi captive portal with their guest account credentials until the account expires. For more detailed information about creating guest accounts, see “Managing Guest Access” in the Authentication chapter of the FortiOS Handbook.
Configuring firewall policies for the SSID
For users on the WiFi LAN to communicate with other networks, firewall policies are required. This section describes creating a WiFi network to Internet policy.
Before you create firewall policies, you need to define any firewall addresses you will need.
To create a firewall address for WiFi users – web-based manager
- Go to Policy & Objects > Addresses.
- Select Create New, enter the following information and select OK.
| Field | Value |
| --- | --- |
| Name | Enter a name for the address, wifi_net for example. |
| Type | Select Subnet. |
| Subnet / IP Range | Enter the subnet address, 10.10.110.0/24 for example. |
| Interface | Select the interface where this address is used, e.g., example_wifi. |
To create a firewall address for WiFi users – CLI
config firewall address
    edit "wifi_net"
        set associated-interface "example_wifi"
        set subnet 10.10.110.0 255.255.255.0
end
To create a firewall policy – web-based manager
- Go to Policy & Objects > IPv4 Policy and select Create New.
- In Incoming Interface, select the wireless interface.
- In Source Address, select the address of your WiFi network, wifi_net for example.
- In Outgoing Interface, select the Internet interface, for example, port1.
- In Destination Address, select All.
- In Service, select ALL, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services.
- In Schedule, select always, unless you want to define a schedule for limited hours.
- In Action, select ACCEPT.
- Select Enable NAT.
- Optionally, set up UTM features for wireless users.
- Select OK.
To create a firewall policy – CLI
config firewall policy
    edit 0
        set srcintf "example_wifi"
        set dstintf "port1"
        set srcaddr "wifi_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
end
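As an added example (not code from the FortiOS Handbook or Fortinet), the following Python linter parses a "config firewall policy" block written in the CLI format shown above and flags a WiFi-to-Internet accept policy whose source address is not restricted to the WiFi address object, that lacks NAT, or that allows every service. The second policy in the sample (id 2) is constructed as a deliberately over-broad policy; interface and address names are the ones used in this section.

```python
import shlex
# Constructed sample: this section's policy plus an over-broad one (srcaddr "all", no NAT).
SAMPLE_CONFIG = """config firewall policy
    edit 0
        set srcintf "example_wifi"
        set dstintf "port1"
        set srcaddr "wifi_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "example_wifi"
        set dstintf "port1"
        set srcaddr "all"
        set action accept
        set service "ANY"
    next
end"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} (config/edit/set/next/end only)."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # drops the quotes the FortiOS CLI prints
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = tokens[1]
            policies[current] = {}
        elif tokens[0] == "set" and current is not None:
            policies[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return policies

def check_wifi_policy(policy, wifi_intf="example_wifi", wifi_addr="wifi_net"):
    # Only accept policies whose incoming interface is the WiFi interface are in scope.
    if policy.get("action") != ["accept"] or policy.get("srcintf") != [wifi_intf]:
        return []
    findings = []
    if policy.get("srcaddr") != [wifi_addr]:
        findings.append("srcaddr not restricted to the WiFi subnet address")
    if policy.get("nat") != ["enable"]:
        findings.append("NAT not enabled on the Internet-bound policy")
    if policy.get("service") in (["ANY"], ["ALL"]):
        findings.append("service ANY/ALL: restrict to the services users need")
    return findings
```

Run `check_wifi_policy` over each entry returned by `parse_policies(SAMPLE_CONFIG)`; the section's own policy is flagged only for allowing every service, while the constructed policy 2 trips all three checks.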
Hi Mike,
Since I know by following your posts that you are really good with Fortinet in general, please allow me to ask you a question. In a FortiGate, FortiAP and RADIUS scenario, can I dynamically assign the VLAN to the WiFi users based on their device type? More specifically, I would like to move any iOS/Android to a different VLAN than a normal Windows client would get. Thanks
You pass it by the 802.1X pass-through of the RADIUS authentication, not the device.