Configure FortiGate wireless LAN controller
Log in to the FortiGate Dashboard
Describe WiFi settings and add a RADIUS authentication server
Supply DHCP server information
Configure a RADIUS accounting server
IPv4 Policy for SSID interface
Configure the Hotspot 2.0 profile
Troubleshoot the configuration
This guide describes how to set up and test your FortiGate environment so you can use it with radsecproxy and Orion Wifi.
To start the configuration process, log in to the FortiGate Dashboard as admin. For existing environments with additional users, log in as a user with administrative privileges.
The FortiGate Dashboard appears. Your access points are displayed in the Security section.
Note: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.
To configure the wireless LAN, you create a new SSID for Orion Wifi, a RADIUS server, and an IPv4 policy.
When you create an SSID, you’re creating a software interface and allowing traffic on that interface. Before creating the SSID, you define the interface for it.
Enter the IP address and network mask for the SSID interface.
Under Administrative Access for the interface, select HTTPS, HTTP, and RADIUS Accounting. RADIUS Accounting lets the interface listen for RADIUS accounting messages. HTTPS, HTTP, and SSH expose the FortiGate management interface to wireless clients on this SSID, so enable only the protocols your network actually needs (prefer HTTPS over HTTP), and add others such as SSH only where appropriate.
Enter DHCP information that’s appropriate for your network.
The RADIUS server information you add here is for the RADIUS authentication server. You’ll add RADIUS accounting server information later when you configure Hotspot 2.0.
Add an IPv4 allow policy on the FortiGate wireless LAN controller to allow traffic from the SSID to reach the Internet.
Hotspot 2.0 (Passpoint) lets mobile devices that carry a matching profile join the WiFi network automatically, without user interaction, whenever they enter its coverage area, including while roaming between access points.
You configure Hotspot 2.0 from the command line interface (CLI). Open a terminal session to the FortiGate, or select the >_ CLI Console icon at the top right of the Dashboard.
Access Network Query Protocol (ANQP) provides a range of information, such as IP address type and availability, and roaming partners accessible through a hotspot.
NAI realm: advertises the realm that Orion Wifi devices are provisioned for (orionwifi.com) and the EAP method they must use, EAP-TLS with a certificate credential:
config wireless-controller hotspot20 anqp-nai-realm
    edit "Fortinet_NAI_Realm"
        config nai-list
            edit "Fortinet_NAI_List"
                set nai-realm "orionwifi.com"
                config eap-method
                    edit 1
                        set method eap-tls
                        config auth-param
                            edit 1
                                set id credential
                                set val cred-certificate
                            next
                        end
                    next
                end
            next
        end
    next
end
Roaming consortium: the Organization Identifier (OI) that Orion Wifi devices are provisioned with. A device only auto-joins when an OI advertised by the network matches its profile:
config wireless-controller hotspot20 anqp-roaming-consortium
    edit "Fortinet_RCOI"
        config oi-list
            edit 1
                set oi "f4f5e8f5f4"
                set comment "Orionwifi"
            next
        end
    next
end
Venue name, advertised to clients through ANQP:
config wireless-controller hotspot20 anqp-venue-name
    edit "Fortinet_Venue"
        config value-list
            edit 1
                set value "English"
            next
        end
    next
end
Create the RADIUS server object that points at radsecproxy. Replace <radsecproxy IP address> with the address of your radsecproxy host. The shared secret must be the same one configured for this FortiGate in radsecproxy's client definition; "radsec" below is only a placeholder, so use a strong secret in production:
config user radius
    edit "Radsec"
        set server <radsecproxy IP address>
        set secret radsec
    next
end
Verify the object with show. FortiOS displays the stored secret in encrypted form (ENC ...), so the output looks like this:
config user radius
    show
config user radius
    edit "Radsec"
        set server "13.52.128.197"
        set secret ENC ZRieGIlI/MpBaOWpgc5TAbRdmok4qXr+pIg0C8iCWTe72vizgQ4xkeAP2tt5/ExTYoagTlvLX3+6Aqvu8y8JnhPFKkIracs4DRoHFclzUr09ObKIbybZTzyEdEPbtWK2RFKOvRXEV4QEVixJuDNkuKQpHob/oPgBrqzsuf2XHvZfInV9ZCCxzU3booidQ1UOl3URpA==
        set password-renewal disable
    next
end
Create the Hotspot 2.0 profile (config wireless-controller hotspot20 hs-profile) and attach the ANQP objects defined above (the NAI realm, roaming consortium, and venue name) to it, then assign the profile to the Orion Wifi SSID so that the SSID advertises it.
If the Roaming Consortium Organization Identifier (RCOI) or the EAP method isn't set correctly, mobile devices won't connect automatically. That is by design: a device only auto-joins a network whose advertised RCOI and EAP method match its Hotspot 2.0 profile. If radsecproxy logs show connection attempts that fail, the radsecproxy IP addresses in the RADIUS authentication and accounting settings are probably correct, and the EAP settings are the likely cause.
Review Configure the Hotspot 2.0 profile and make sure your configuration is correct.
If the IP addresses or secrets for the primary and secondary servers are wrong, the RADIUS server can't be contacted. In that situation radsecproxy produces no new logs, because no RADIUS traffic is reaching radsecproxy from the wireless LAN controller.
If no new logs are coming in, the SSID isn't passing traffic to radsecproxy, so check the RADIUS configuration.
Review the sections Describe WiFi settings and add a RADIUS authentication server, and Configure a RADIUS accounting server, to make sure your RADIUS configuration is correct.
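To separate a wrong address from a wrong secret without waiting on radsecproxy logs, the probe below, an added example that is not part of this guide and not Orion Wifi or Fortinet tooling, sends a minimal RADIUS Access-Request (RFC 2865) carrying a Message-Authenticator (RFC 3579) to the radsecproxy address and secret you configured on the FortiGate, and verifies the Response Authenticator of whatever comes back. Any reply that verifies, including an Access-Reject for the dummy credential, proves the address and secret are right; no reply means the address or port is wrong, the traffic is filtered, or the proxy dropped a request whose Message-Authenticator didn't verify with its own secret. The username probe@orionwifi.com, the NAS-Identifier value and the port are constructed for the example. The probe does not exercise EAP-TLS or the Hotspot 2.0 parameters, so a passing probe still leaves the ANQP and EAP settings to check, and radsecproxy answers only clients listed in its configuration, so run it from a host radsecproxy knows.

```python
"""Probe a RADIUS (radsecproxy) server to confirm address and shared secret.

Added example: builds an RFC 2865 Access-Request with an RFC 3579
Message-Authenticator, sends it, and verifies the Response Authenticator
of the reply. The probe username, NAS-Identifier and port are constructed
for the example; the host and secret come from the command line.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
RESPONSE_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16 bytes and XOR each block
    with MD5(secret + previous block); the first block is keyed by the
    Request Authenticator. For a single block the function is its own inverse."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(secret, username, password, ident, authenticator=None):
    """Return (packet, request_authenticator). The Message-Authenticator is
    HMAC-MD5 over the whole packet with its own value zeroed (RFC 3579 3.2);
    EAP-capable servers such as radsecproxy check it and drop mismatches."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, b"fortigate-probe"))  # constructed value
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(placeholder)) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac), authenticator


def verify_message_authenticator(packet, secret):
    """Check a request whose last attribute is the Message-Authenticator (as
    this tool builds them): recompute the HMAC with the value zeroed."""
    if len(packet) < 38 or packet[-18] != ATTR_MESSAGE_AUTHENTICATOR or packet[-17] != 18:
        return False
    expected = hmac.new(secret, packet[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def verify_response(packet, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret). Only a server holding the same
    secret can produce it, so a verified reply proves the secret matches."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, secret, attrs=b""):
    """Server side of the exchange (used for self-testing): sign a reply to
    `request` the way a RADIUS server does."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def classify(reply, request, request_authenticator, secret):
    """Map a reply (None on timeout) to a troubleshooting verdict."""
    if reply is None:
        return "no-reply: wrong address/port, filtered, or request dropped by the proxy (check the secret)"
    if reply[1] != request[1] or not verify_response(reply, request_authenticator, secret):
        return "unverified-reply: identifier or Response Authenticator mismatch, check the shared secret"
    return RESPONSE_CODES.get(reply[0], "code-%d" % reply[0])


def probe(host, secret, port=1812, timeout=3.0):
    """Send one Access-Request for a dummy user and classify the outcome.
    A verified Access-Reject is a pass for this test: transport and secret
    are right, only the credential was refused."""
    request, req_auth = build_access_request(secret, b"probe@orionwifi.com", b"probe", os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply, request, req_auth, secret)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2].encode()))
```

Run it as `python3 radius_probe.py <radsecproxy IP address> <shared secret>` from a host that radsecproxy accepts as a client. A verdict of Access-Reject (or Access-Accept) means the address and secret match and the remaining suspects are the EAP and ANQP settings; no-reply or unverified-reply points back at the RADIUS server object on the FortiGate.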
If the IPv4 policy for the new SSID interface is missing or doesn't allow access to the Internet, clients authenticate successfully but report "WiFi connected but no Internet".
Review IPv4 Policy for SSID interface and make sure your configuration is correct.