Define network access

Supply DHCP server information

Describe WiFi settings and add a RADIUS authentication server

Configure an IPv4 Policy

Configure Hotspot 2.0

Configure ANQP Parameters

Configure a RADIUS accounting server

Configure the Hotspot 2.0 profile

Troubleshoot the configuration

RCOI and EAP settings

RADIUS service

IPv4 Policy for SSID interface

Configure FortiGate wireless LAN controller

This guide describes how to set up and test your environment so you can use it with radsecproxy and Orion Wifi:

Log in to the FortiGate Dashboard as a user with administrative privileges.
Configure the wireless LAN.
Configure Hotspot 2.0.
Troubleshoot the configuration.

Log in to the FortiGate Dashboard

To start the configuration process, log in to the FortiGate Dashboard as admin. For existing environments with additional users, log in as a user with administrative privileges.

The FortiGate Dashboard appears. Your access points are displayed in the Security section.

Note: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.

Configure the wireless LAN

To configure the wireless LAN, you create a new SSID for Orion Wifi, a RADIUS server, and an IPv4 policy.

Create an SSID

Select Wifi & Switch Controller and then SSID in the menu bar on the left of the Dashboard.
Click +Create New at the top left and select SSID.

The New SSID page appears.

Define the SSID interface

When you create an SSID, you’re creating a software interface and allowing traffic on that interface. Before creating the SSID, you define the interface for it.

Enter an Name, such as “Orion”.

Alias is optional.
For Type, select WiFi SSID.
For Traffic Mode, select the traffic mode that’s appropriate for your network.

Set the IP address

Enter the IP address and network mask for the SSID interface.

Define network access

Select HTTPS, HTTP, and RADIUS Accounting. You can select additional options, such as SSH, as appropriate for your network.

Supply DHCP server information

Enter DHCP information that’s appropriate for your network.

Describe WiFi settings and add a RADIUS authentication server

The RADIUS server information you add here is for the RADIUS authentication server. You’ll add RADIUS accounting server information later when you configure Hotspot 2.0.

Enter the name of your SSID, such as “OrionWifi”.
Change Security Mode to WPA2 Enterprise. (WPA Personal is the default.)
For Client MAC Address Filtering, enable RADIUS Server.
Click ⌄ below to enable RADIUS Server.

Click on drop down button and select + to add a RADIUS server.

The New RADIUS Server page appears.
Enter a Name, such as “Local radsecproxy”.
For the Primary Server, enter the IP address of the radsecproxy.
For Secret, enter “radsec”.

Note: Don’t test connectivity at this point. To successfully test connectivity, you need a complete IPv4 policy to allow traffic on the interface.
If there is a secondary RADIUS server, enter its radsecproxy IP address and “radsec” for Secret in the Secondary Server section.

A secondary RADIUS isn’t required but you can create one for high availability.
Click OK at the bottom of the New RADIUS Server page.

You return to the New SSID page.
Select the RADIUS server you added.
Click OK at the bottom of the New SSID page to save your SSID configuration.

Configure an IPv4 Policy

Add an IPv4 allow policy on the FortiGate wireless LAN controller to allow traffic from the SSID to reach the Internet.

Select Policy & Objects and then Firewall Policy in the menu bar on the left of the Dashboard.

Click +Create New at the top left.

The New Policy page appears.
Enter a Name for this policy, such as “Orion_policy”.
For Incoming Interface, enter the name of the SSID interface you created, “Orion_int”.
For Outgoing Interface, enter the name of the Interface in your network that routes traffic to the Internet.
For Source, enter the IP address range from which you want to allow incoming traffic. Or select all to allow incoming traffic from any IP address.
For Destination, select all to send outgoing traffic to any IP address unless you have blacklisted subnets.
For Schedule, select always.
For Service, select ALL.
For Action, select ACCEPT.
Click OK at the bottom of the page to save your configuration.

Configure Hotspot 2.0

Hotspot 2.0 allows mobile devices to join a WiFi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.

You configure Hotspot 2.0 using a command line interface (CLI). Access the CLI by launching a terminal session or selecting > _ CLI Console at the top right of the Dashboard.

Configure ANQP Parameters

Access Network Query Protocol (ANQP) provides a range of information, such as IP address type and availability, and roaming partners accessible through a hotspot.

Set the ANQP IP address type as appropriate for your network. This example shows a single NATed network.

config wireless-controller hotspot20 anqp-ip-address-type
edit "Fortinet_Address_type"
set ipv4-address-type single-NATed-private
next
end
Configure the ANQP NAI realm and EAP authentication.

config wireless-controller hotspot20 anqp-nai-realm
edit "Fortinet_NAI_Realm"
config nai-list
edit "Fortinet_NAI_List"
set nai-realm "orionwifi.com"
config eap-method
edit 1
set method eap-tls
config auth-param
edit 1
set id credential
set val cred-certificate
next
end
next
end
next
end
next
end
Configure the ANQP roaming consortium.

config wireless-controller hotspot20 anqp-roaming-consortium
edit "Fortinet_RCOI"
config oi-list
edit 1
set oi "f4f5e8f5f4"
set comment "Orionwifi"
next
end
next
end
Configure the ANQP venue name.

config wireless-controller hotspot20 anqp-venue-name
edit "Fortinet_Venue"
config value-list
edit 1
set value "English"
next
end
next
end
Use the show command to verify the configuration. The output should look similar to this example.

config wireless-controller hotspot20 anqp-ip-address-type
show
edit "Fortinet_Address_type"
set ipv4-address-type single-NATed-private
next
end

config wireless-controller hotspot20 anqp-nai-realm

show
edit "Fortinet_NAI_Realm"
config nai-list
edit "Fortinet_NAI_List"
set nai-realm "orionwifi.com"
config eap-method
edit 1
set method eap-tls
config auth-param
edit 1
set id credential
set val cred-certificate
next
end
next
end
next
end
next
end
config wireless-controller hotspot20 anqp-roaming-consortium

show
edit "Fortinet_RCOI"
config oi-list
edit 1
set oi "f4f5e8f5f4"
set comment "Orionwifi"
next
end
next
end
config wireless-controller hotspot20 anqp-venue-name

show
edit "Fortinet_Venue"
config value-list
edit 1
set value “English”
next
end
next
end

Configure a RADIUS accounting server

Configure a RADIUS accounting server.

config user radius

edit 1

set server <radsecproxy IP address>

set secret radsec

end

Use the show command to verify the configuration. The output should look similar to this example. Notice that the secret is encrypted.

config user radius

show

config user radius

edit "Radsec"

set server "13.52.128.197"

set secret ENC ZRieGIlI/MpBaOWpgc5TAbRdmok4qXr+pIg0C8iCWTe72vizgQ4xkeAP2tt5/ExTYoagTlvLX3+6Aqvu8y8JnhPFKkIracs4DRoHFclzUr09ObKIbybZTzyEdEPbtWK2RFKOvRXEV4QEVixJuDNkuKQpHob/oPgBrqzsuf2XHvZfInV9ZCCxzU3booidQ1UOl3URpA==

set password-renewal disable

end

Configure the Hotspot 2.0 profile

You attach the ANQP parameters and SSID to the Hotspot 2.0 profile.

Attach the ANQP parameters to the Hotspot 2.0 profile.
config wireless-controller hotspot20 hs-profile
edit "Hotspot"
set domain-name "orionwifi.com"
set roaming-consortium "Fortinet_RCOI"
set nai-realm "Fortinet_NAI_Realm"
set ip-addr-type "Fortinet_Address_type"
next
end
Attach the Hotspot 2.0 profile to the SSID.
config wireless-controller vap
edit "Orion"
set hotspot20-profile "Hotspot"
next
end
Use the show command to verify the configuration. The output should look similar to this example.

config wireless-controller vap
show
edit "Orion"
set vdom "root"
set ssid "OrionWifi"
set security wpa2-only-enterprise
set auth radius
set radius-server "Local radsecproxy"
set schedule "always"
set hotspot20-profile "Hotspot"
next
end

Troubleshoot the configuration

RCOI and EAP settings

If the Roaming Consortium Unique Identifier (RCOI) and EAP method aren’t set correctly, mobile devices can’t automatically connect (which is intended). If radsecproxy logs are showing an attempt to connect but failing, it means radsecproxy IP addresses are probably correct in the RADIUS authentication and accounting settings, but the EAP settings could be wrong.

Review Configure Hotspot 2.0 and make sure your configuration is correct.

RADIUS service

If the IP addresses or secrets used for the primary and secondary servers are wrong, the RADIUS server can’t be contacted. In this situation, radsecproxy logs can’t be generated, because traffic isn’t passing to the wireless LAN controller from radsecproxy.

If no new logs are coming in, it means the SSID isn’t passing traffic to radsecproxy. If this is the case, you should check the RADIUS configuration.

Review Describe WiFi settings and add a RADIUS authentication server and Configure a RADIUS accounting server to make sure your RADIUS configuration is correct.

IPv4 Policy for SSID interface

If the policy for the new SSID interface is missing or isn’t allowing access to the Internet, clients authenticate but indicate “WiFi connected but no Internet”.

Review Configure an IPv4 Policy and make sure your configuration is correct.