Fortinet setup guide

FortiGate + FortiSwitch + FortiAP

Applies to: FortiSwitches and FortiAPs are typically managed by a FortiGate (Security Fabric). RADIUS is defined once on the FortiGate and referenced by managed-switch security policies and SSID definitions. Examples are FortiOS 7.4 CLI.

Wired — RADIUS server, 802.1X and MAB

All of this is FortiGate CLI: define the RADIUS servers and a user group that contains them, create an 802.1X security policy that references the group, then bind that policy to the FortiSwitch port. The policy enables MAB as a fallback for clients without a supplicant and applies the VLAN returned by the Edge server (framevid-apply).

config user radius
  edit "Edge1"
    set server "10.10.10.10"
    set secret ARBITER_PSK
    set auth-type auto
    set radius-coa enable
    set acct-interim-interval 600
  next
  edit "Edge2"
    set server "10.10.10.11"
    set secret ARBITER_PSK
    set auth-type auto
    set radius-coa enable
  next
end

config user group
  edit "Arbiter-Auth"
    set member "Edge1" "Edge2"
  next
end

config switch-controller security-policy 802-1X
  edit "Arbiter-Wired"
    set user-group "Arbiter-Auth"
    set mac-auth-bypass enable
    set open-auth disable
    set eap-passthru enable
    set guest-vlan disable
    set auth-fail-vlan disable
    set radius-timeout-overwrite enable
    set framevid-apply enable
  next
end

config switch-controller managed-switch
  edit "S224-FPOE-XXXXXXX"
    config ports
      edit "port1"
        set port-security-policy "Arbiter-Wired"
      next
    end
  next
end

Wireless — 802.1X SSID

Corporate 802.1X SSID on a FortiAP, served via the FortiGate. Note that this VAP references Edge1 only; to fail over to Edge2, either add Edge2 as secondary-server on the Edge1 entry or use set auth usergroup with the Arbiter-Auth group in place of set auth radius.

config wireless-controller vap
  edit "Corp-1x"
    set ssid "Corp"
    set security wpa2-only-enterprise
    set auth radius
    set radius-server "Edge1"
    set dynamic-vlan enable
    set radius-mac-auth disable
    set local-bridging disable
    set vlanid 10
  next
end
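The wired policy (mac-auth-bypass, framevid-apply) and the wireless VAP (dynamic-vlan) both depend on the same RADIUS exchange: the NAS sends an Access-Request, and the Edge server answers with an Access-Accept carrying the VLAN in Tunnel-Private-Group-ID. The following is an added example, not code from this guide, from Fortinet or from Arbiter; it builds and checks that exchange on the wire for a MAB client, using the placeholder secret ARBITER_PSK from the guide and a constructed MAC address and NAS address.

```python
"""RADIUS MAB exchange with a dynamic VLAN, as the NAS (FortiSwitch via FortiGate) and an
Edge server exchange it on UDP/1812 (RFC 2865, RFC 2869, RFC 3580).
Constructed example; not Fortinet or Arbiter code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81


def attr(t, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def parse_attrs(payload):
    """Walk the attribute list of a packet body and return [(type, value), ...]."""
    attrs, i = [], 0
    while i < len(payload):
        t, l = payload[i], payload[i + 1]
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return attrs


def encrypt_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(secret, req_auth, enc):
    """Inverse of encrypt_password; the server side of the same RFC 2865 scheme."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\0")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_mab_request(secret, ident, mac, nas_ip):
    """Access-Request for a MAB client: the MAC (format is the NAS's choice, assumed here)
    is both User-Name and User-Password. Message-Authenticator is an HMAC-MD5 over the
    packet with the attribute itself zeroed (RFC 2869 5.14)."""
    req_auth = os.urandom(16)
    username = mac.encode()
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, encrypt_password(secret, req_auth, username)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attr(CALLING_STATION_ID, mac.upper().encode())]
    zeroed = packet(ACCESS_REQUEST, ident, req_auth, attrs + [attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)])
    mac_hmac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, req_auth, attrs + [attr(MESSAGE_AUTHENTICATOR, mac_hmac)])


def verify_message_authenticator(secret, request):
    """Server-side check: a request whose Message-Authenticator does not verify is dropped."""
    i = 20
    while i < len(request):
        t, l = request[i], request[i + 1]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = request[:i + 2] + b"\0" * 16 + request[i + l:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, request[i + 2:i + l])
        i += l
    return False


def build_accept_with_vlan(secret, request, vlan):
    """Access-Accept with the VLAN the NAS applies when framevid-apply / dynamic-vlan is on:
    Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan>,
    each with tag byte 0x01 (RFC 3580 3.31)."""
    ident, req_auth = request[1], request[4:20]
    body = b"".join([attr(TUNNEL_TYPE, b"\x01" + struct.pack("!I", 13)[1:]),
                     attr(TUNNEL_MEDIUM_TYPE, b"\x01" + struct.pack("!I", 6)[1:]),
                     attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret, request, response):
    """NAS-side check of the Response Authenticator before trusting any attribute."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vlan_from_accept(response):
    """VLAN the NAS would apply, or None; a leading byte <= 0x1F is a tag, not the value."""
    for t, v in parse_attrs(response[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:
                v = v[1:]
            return int(v.decode())
    return None


if __name__ == "__main__":
    SECRET = b"ARBITER_PSK"  # placeholder from the guide, not a real secret
    req = build_mab_request(SECRET, 7, "aa-bb-cc-dd-ee-ff", "10.0.10.1")
    acc = build_accept_with_vlan(SECRET, req, 10)
    print(verify_message_authenticator(SECRET, req), verify_response(SECRET, req, acc), vlan_from_accept(acc))
```

Two checks in the block matter operationally: the NAS must verify the Response Authenticator before applying the VLAN, and the server must verify Message-Authenticator before honouring the request, otherwise anyone on the path between FortiGate and Edge can inject an Access-Accept with a VLAN of their choosing.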

Guest SSID — open with captive portal redirect

Open SSID with MAB and an external captive-portal URL. MACs the Edge MAB lookup authorises get on directly; every other client is redirected by the FortiGate's external captive portal to Arbiter's hosted portal at the external-web URL. The firewall address object for the portal FQDN is there for the firewall policy (with captive-portal-exempt enabled) that lets still-unauthenticated guests reach the portal over HTTPS; that policy is not shown here.

config wireless-controller vap
  edit "Guest"
    set ssid "Guest"
    set security captive-portal
    set external-web "https://acme-7f3-guest.arbiter.ie/"
    set radius-mac-auth enable
    set radius-mac-auth-server "Edge1"
    set radius-mac-auth-usergroups "Arbiter-Auth"
    set selected-usergroups "Arbiter-Auth"
    set portal-type external-auth
  next
end

config firewall address
  edit "arbiter-guest-portal"
    set fqdn "acme-7f3-guest.arbiter.ie"
  next
end

DHCP relay to Edge

Per-interface DHCP relay.

config system interface
  edit "vlan10"
    set dhcp-relay-service enable
    set dhcp-relay-ip "10.0.0.5" "10.10.10.10" "10.10.10.11"
  next
end

AAA dead-server detection

Optional but recommended. The FortiGate tracks availability per RADIUS server. With timeout 8, the four attempts made for one request span about 30 seconds before the server is marked dead; radius-deadtime 3 then holds the dead flag for three minutes so new requests fail straight over to the other Edge server instead of waiting out the timeout again. radius-port 1812 is the default and is set here only to make it explicit. Before relying on any of this, confirm each server actually answers from the FortiGate: diagnose test authserver radius Edge1 pap <user> <password>, and the same for Edge2.

config system global
  set radius-port 1812
end

config user radius
  edit "Edge1"
    set timeout 8           # ~30s across 4 attempts
    set source-ip 0.0.0.0
  next
  edit "Edge2"
    set timeout 8
    set source-ip 0.0.0.0
  next
end

# Hold the dead flag for 3 minutes before retrying the server
config user setting
  set radius-deadtime 3
end

CoA listener

CoA is enabled per server by set radius-coa enable on each user radius entry (see the Edge1 and Edge2 entries above). The FortiGate listens on UDP/3799 and accepts CoA and Disconnect requests from the address configured in set server for that entry, authenticated with the same shared secret, so the Edge servers must source CoA from the addresses defined here.
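What the listener on UDP/3799 has to do with each packet is the part the guide leaves implicit: recompute the RFC 5176 Request Authenticator with the entry's shared secret, silently discard on mismatch, then look the session up and answer with a Disconnect-ACK or NAK. The block below is an added example, not code from this guide, from Fortinet or from Arbiter; it models both sides using the placeholder secret ARBITER_PSK and a constructed session table.

```python
"""RFC 5176 Disconnect-Request as an Edge server would send it to the FortiGate CoA
listener on UDP/3799, and the NAS-side checks before a session is torn down.
Constructed example; not Fortinet or Arbiter code."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 31, 44, 101
COA_PORT = 3799
SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 3.5 Error-Cause value


def attr(t, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def build_disconnect_request(secret, ident, session_id, mac):
    """Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret) (RFC 5176 3)."""
    body = attr(ACCT_SESSION_ID, session_id.encode()) + attr(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\0" * 16 + body + secret).digest()
    return header + auth + body


def nas_check_request(secret, pkt):
    """Listener check: length field must match, and the authenticator must recompute with
    the shared secret of the server entry the packet claims to come from."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\0" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def session_identifiers(pkt):
    """Return (Acct-Session-Id, Calling-Station-Id) named by the request, empty if absent."""
    found, i = {}, 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        found[t] = pkt[i + 2:i + l]
        i += l
    return found.get(ACCT_SESSION_ID, b"").decode(), found.get(CALLING_STATION_ID, b"").decode()


def build_reply(secret, request, ok, error_cause=SESSION_CONTEXT_NOT_FOUND):
    """Disconnect-ACK, or Disconnect-NAK with Error-Cause. The Response Authenticator is
    MD5 over the reply with the request's authenticator in the authenticator field."""
    code = DISCONNECT_ACK if ok else DISCONNECT_NAK
    body = b"" if ok else attr(ERROR_CAUSE, struct.pack("!I", error_cause))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def handle(secret, active_sessions, pkt):
    """Listener logic. Returns (reply bytes or None, dropped session id or None).
    A packet that fails the authenticator check gets no reply at all (RFC 5176 3)."""
    if not nas_check_request(secret, pkt):
        return None, None
    sid, _mac = session_identifiers(pkt)
    if sid in active_sessions:
        del active_sessions[sid]
        return build_reply(secret, pkt, True), sid
    return build_reply(secret, pkt, False), None


if __name__ == "__main__":
    SECRET = b"ARBITER_PSK"  # placeholder from the guide, not a real secret
    sessions = {"8000001a": "aa-bb-cc-dd-ee-ff"}  # constructed NAS session table
    pkt = build_disconnect_request(SECRET, 3, "8000001a", "AA-BB-CC-DD-EE-FF")
    reply, dropped = handle(SECRET, sessions, pkt)
    print(reply[0], dropped, sessions)
```

The silent discard on a bad authenticator is deliberate: answering a NAK to a forged request tells an attacker on the Edge-to-FortiGate path that the listener exists and which IDs are in use, whereas a correct secret is the only thing that should produce any reply.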