First and foremost, a special shout out to a friend that helped with this config. Juan Perez, thank you brother.
Use Case: Customer wants a single SSID in his environment. He wants
Teachers on a VLAN once they connect on a managed workstation (AD Member),
Students on a different VLAN when THEY connect on managed workstation, Computers to authenticate and kept in a Computer VLAN until the user logs in, and a BYOD VLAN for the users connecting with personal devices. These use cases can be delivered via an 802.1x PEAP configuration on FortiAuthenticator
Setting up AD Groups
First lets create two groups and two test users.
Here we create two AD groups;
I then created a user and added him to the
Likewise, I created a user and added HIM to the
Now we are going to configure the pieces we are going to need
Creating the VLAN Interface
Here we have the SSID at the top where all devices will connect to. We are create VLAN below this SSID interface. Each VLAN corresponds to the different types of connection we want to handle.
Here is an example of what an interface looks like. We can see it is a
VLAN and it is attached to the
ISOLATED interface. Assign an IP address and mask, enabled DHCP and save. Repeat for the other interfaces.
Creating RADIUS Server
User & Device (6.2.2 and below)
RADIUS Server, then
Create New. Enter the IP address of the FAC server and the
On the SSID configured on the Fortigate, you will need to modify the config
Here we can see that we are choosing
WPA2 Enterprise as the
Security Mode, Choose the
RADIUS Server as the
Authentication and from the drop-down, choose your RADIUS server you recently set up. You also want to enable the
Dynamic VLAN assignment.
We are going to need policies for these devices to browse the Internet and specifically for the
Student networks, you will need to define access to the internal resources as needed.
In this example, I have only created the
Outbound policies to permit Internet. But more will be needed.
Also remember to add either a
Central NAT policy or configure the
Policy NAT inside each policy.
FortiAuthenticator (FAC) Configuration
Now we will configure the FAC.
Creating FAC Groups
We need to create
4 groups representing the
4 types of users (Teachers, Students, Computers and BYOD). As you can see, these groups are either
Each group is going to require some modifications
We are going to choose
Default under the
Vendor section. Then choose
Tunnel-Private-Group-ID, then under the
Value section you will need to enter the VLAN ID for this group.
Next, you need to add
Tunnel-Type and choose
VLAN from the drop down list.
Next we are going to configure
Tunnel-Medium-Type and choose
IEEE-802 from the drop down.
You will need to do the same to each group. Make sure you change the VLAN ID for each group.
Teacher AD Group, you will need to create a filter so that it pulls the users from the respective AD groups.
Here is the filter for the
Student AD group. The filter is as follows:
Here is the filter for the
Creating RADIUS Client
Now we are going to configure the RADIUS Client
I want to make a point here. I have configured a RADIUS client previously for VPNs in a previous post. Within the same RADIUS client configuration, you can create multiple
profiles that represent different options. So the same RADIUS client configuration will handle the remote access VPN as well as the WiFi configuration we are doing here.
You can see the
Profiles in the screenshot above.
Let's get started with the
We will need to enable
Apply this profile based on RADIUS attributes. Here we are defining the SSID name being sent to the RADIUS server. The
Default and the
Attribute ID is available from the drop down and is
Called-Station-id and the
Value is the SSID exactly as it is configured on the FortiGate.
Now we need to configure the
Device Authentication portion. We are going to configure the
Only machine-authentication to the group we created earlier named
Computer. Then configure
Only user-authenticated to
BYODwhich we created earlier.
Now we see the final section of the RADIUS client configuration;
User Authentication. Choose the
Realm and enable the
User Windows AD Domain authentication and save.
Setting up the WiFi GPO
Here is the configuration