WPA2 Enterprise machine account authentication via RADIUS
Corporate laptops and desktops can authenticate to the internal network over wireless through a FortiWiFi or FortiAP using their Active Directory machine (computer) account credentials. The FortiGate acts as the 802.1X authenticator and relays the EAP exchange to a RADIUS server; the steps below use Microsoft IAS (Internet Authentication Service) as that server.
First IAS must be installed and registered with Active Directory (registration is what allows IAS to read account properties from the domain). A RADIUS client entry will need to be created in IAS for each FortiGate that will send requests to it, using the source IP the FortiGate's RADIUS packets arrive from and a shared secret that is configured identically on the FortiGate.
IAS logging should be enabled to troubleshoot connection issues. Next a remote access policy should be created:
- Add one policy condition on NAS-Port-Type matching two values: Wireless - IEEE 802.11 and Wireless - Other
- Add another policy condition (Windows-Groups) matching the Domain Computers group, or a more specific group of the computers you are allowing onto the network
- Grant remote access permission
- Deselect all of the non-EAP authentication methods (MS-CHAP v2, MS-CHAP, CHAP, PAP) so that only the EAP method configured below is accepted
- Configure an EAP method: set the EAP type to Protected EAP (PEAP) and enable fast reconnect
- PEAP needs a server certificate for its TLS tunnel, so Certificate Services must be installed; select the IAS server's domain certificate in the PEAP settings and leave the inner method at the default, Secured password (EAP-MSCHAP v2)
- Allow only the strongest encryption (MPPE 128-bit)
- Modify the attributes on the Advanced tab: add Ignore-User-Dialin-Properties and set it to True (so the computer account's dial-in setting is not consulted), and delete Framed-Protocol
On the FortiGate a RADIUS server profile will need to be created, pointing at the IAS server with the same shared secret.
This RADIUS server profile is then selected under the authentication settings of the SSID (VAP) in the wireless setup, with the security mode set to WPA2 Enterprise.
The Windows XP SP3, Vista or 7 machine must already have been joined to the domain over a wired connection, so that it has a computer account to authenticate with. If the client profile validates the server certificate, the machine must also trust the CA that issued the IAS server's certificate. For Windows 7 and Vista the wireless 802.1X profile should have "Computer authentication" set as the authentication mode.
For Windows XP a registry entry will need to be added for machine-only authentication:
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Name: AuthMode
Type: DWORD
Value: 2
A firewall policy allowing traffic from the Virtual Access Point (VAP) interface to the internal interface is needed so that the machine can reach the domain controller before any user has logged on; restrict its destination to the domain controller(s) rather than the whole internal network.
The PC should now boot up, authenticate with its computer account and gain access to the internal network much as it would over a wired connection. Once a user logs into the computer, a logon event is recorded by the FSSO (Fortinet Single Sign-On) collector agent and the user is granted the appropriate Internet access via the VAP-to-Internet identity-based firewall policies.
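The FortiGate side of the procedure above (the RADIUS server profile, the WPA2 Enterprise VAP, the pre-logon policy to the domain controller and the post-logon identity-based Internet policy) expressed as FortiOS CLI. This is an added example, not configuration taken from the original page or from Fortinet; the server address, NAS IP, shared secret, interface names, SSID, address object name and the "CorpUsers" FSSO group are all assumptions, and the `set groups` form of the identity policy is FortiOS 5.2 or later syntax.

```fortios
# Added example (not part of the original article). Assumed values:
#   10.0.0.10       = IAS RADIUS server (also the domain controller)
#   10.0.0.1        = FortiGate internal interface IP, used as NAS-IP
#   "internal"      = LAN-facing FortiGate interface, "wan1" = Internet
#   "corp-machine"  = VAP/SSID name, "DC01" = address object for the DC
#   "CorpUsers"     = FSSO user group already defined under config user group
# The secret is a placeholder: use a long random value and configure the
# identical secret on the IAS RADIUS client entry for this FortiGate.

config user radius
    edit "IAS-RADIUS"
        set server "10.0.0.10"
        set secret "Replace-With-Long-Random-Secret"
        # Source address IAS will see; must match the RADIUS client entry in IAS
        set nas-ip 10.0.0.1
    next
end

config wireless-controller vap
    edit "corp-machine"
        set ssid "CorpMachine"
        # WPA2 Enterprise only: 802.1X/EAP is relayed to the RADIUS server,
        # no pre-shared key is accepted on this SSID
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "IAS-RADIUS"
    next
end

config firewall address
    edit "DC01"
        set subnet 10.0.0.10 255.255.255.255
    next
end

config firewall policy
    # Pre-logon: the computer account only needs the domain controller(s),
    # so the destination is restricted instead of opening the whole LAN.
    edit 10
        set srcintf "corp-machine"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DC01"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Post-logon: Internet access is granted per user through the FSSO group;
    # traffic from a machine with no logged-on user does not match this policy.
    edit 11
        set srcintf "corp-machine"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set groups "CorpUsers"
        set nat enable
        set logtraffic all
    next
end
```

Two things to check after applying this: the RADIUS client entry in IAS must use the address the FortiGate's requests actually arrive from (the NAS-IP above, or the egress interface address if NAS-IP is left unset), and the NAS-Port-Type the FortiGate sends for the VAP should be Wireless - IEEE 802.11, which is what the remote access policy condition above matches. With IAS logging enabled, a rejected request shows which policy condition or authentication method failed to match.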