Fortigate – Wireless Single Sign on (WSSO)


This is an example of wireless single-sign-on with a Fortigate. All users would authenticate with their AD credentials and the Radius server returns which group they belong to so the appropriate security policy can be applied. This assumes WPA2 Enterprise is already configured and working in NPS.

The below example simulates a school environment where teachers and students will be subjected to different security policies.

First make sure the SSID is configured with authentication pointing to a Radius server:

Next make sure user groups are configured on the Fortigate, these will be simple firewall groups with no local or remote members.

StudentGroup and TeacherGroup have been created:


Next an identity based firewall policy is created  (SSID—> Wan1), both TeacherGroup and StudentGroup are configured with their respective webfilter policies.

Now NPS need to be configured to send the “Fortinet-Group-Name” attribute back to the Fortigate upon user logon.

In NPS under Policies –> Network Policies edit the desired Group.

In the Settings tab choose Radius Attributes –> Vendor Specific

Add Vendor: Custom  —> Vendor-Specific

Add again Vendor Code: 12356, select Yes it Conforms

Configure Attribute –> Vendor Assigned attribute number: 1, Attribute Format: String, Attribute value: StudentGroup


You should be all set for firewall policies to match the group name returned by NPS. Looked at logged on user under User&Device –> Monitor —> Firewall, look for method WSSO

Leave a Reply