Fortinet RADIUS Setup Guide: Configure IronWiFi with FortiGate & FortiAP

To set up RADIUS for Fortinet, add a RADIUS server in FortiGate under User & Authentication pointing to the IronWiFi server IP on port 1812 with a shared secret. Create a WPA2-Enterprise SSID on the FortiAP wireless controller referencing the RADIUS server, then configure a firewall policy allowing RADIUS traffic (UDP 1812/1813) from FortiGate to the IronWiFi server IPs. FortiGate proxies 802.1X authentication requests from FortiAP clients to the Cloud RADIUS server.

Fortinet's FortiGate firewalls serve as both network security appliances and wireless controllers for FortiAP access points. This integrated architecture means RADIUS authentication for wireless clients passes through the FortiGate, which adds a layer of control but also requires specific firewall policy configuration. This guide covers the complete setup of IronWiFi Cloud RADIUS with the Fortinet wireless stack.

Why Use RADIUS with Fortinet?

FortiGate supports WPA2-Personal (PSK) out of the box, but enterprise environments need stronger authentication. RADIUS with Fortinet provides:

• Individual user credentials - Every person authenticates with their own identity instead of a shared password
• Certificate-based authentication - Deploy EAP-TLS for passwordless device authentication
• Dynamic VLAN assignment - Place users into different VLANs based on role or device type via RADIUS attributes
• Integration with FortiGate security - Combine RADIUS identity with FortiGate firewall policies for identity-based access control
• Centralized access management - Grant or revoke WiFi access from the IronWiFi console without touching FortiGate
• Identity provider integration - Authenticate against Azure AD, Google Workspace, Okta, or LDAP directories

Prerequisites

Before starting the configuration, ensure you have:

• FortiGate admin access - GUI or CLI access with super_admin or equivalent privileges
• FortiAP access points - Connected to and managed by the FortiGate
• IronWiFi account - Sign up for a free trial if you do not have one
• Firewall access - Ability to create policies allowing outbound UDP on ports 1812 and 1813
• A test client device - Laptop or phone that supports WPA2-Enterprise

Step 1: Create a RADIUS Profile in IronWiFi

Start by configuring the RADIUS server in IronWiFi.

1. Log into the IronWiFi Console at console.ironwifi.io and navigate to Networks.
2. Create a new Network by clicking Add Network. Name it descriptively (e.g., "Fortinet Corporate WiFi").
3. Note the RADIUS server details:
   • Primary server: 35.174.127.31
   • Secondary server: 44.199.225.113
   • Authentication port: 1812
   • Accounting port: 1813
   • Shared secret: YOUR_SHARED_SECRET
4. Add your FortiGate WAN IP as an authorized client. Since FortiGate proxies RADIUS requests for FortiAP, use the FortiGate's public-facing IP address.
5. Configure authentication sources - Connect Azure AD, Google Workspace, Okta, or create local user accounts.

Step 2: Add RADIUS Server in FortiGate

Configure FortiGate to communicate with the IronWiFi RADIUS server.

Using the FortiGate GUI

1. Log into the FortiGate web interface and navigate to User & Authentication > RADIUS Servers.
2. Click Create New.
3. Enter the following:
   • Name: IronWiFi-Primary
   • Primary Server IP/Name: 35.174.127.31
   • Primary Server Secret: YOUR_SHARED_SECRET
   • Secondary Server IP/Name: 44.199.225.113
   • Secondary Server Secret: YOUR_SHARED_SECRET
4. Under Authentication method, select Specify and choose PAP, MSCHAP, MSCHAP2 (or leave as Default for auto-negotiation).
5. Click OK to save.

Using FortiGate CLI

Alternatively, configure via CLI:

config user radius
  edit "IronWiFi-Primary"
    set server "35.174.127.31"
    set secret YOUR_SHARED_SECRET
    set secondary-server "44.199.225.113"
    set secondary-secret YOUR_SHARED_SECRET
    set radius-port 1812
    set acct-interim-interval 600
  next
end

Step 3: Create SSID with WPA2-Enterprise

Create a wireless SSID on FortiGate that uses the IronWiFi RADIUS server.

1. Navigate to WiFi & Switch Controller > SSIDs and click Create New > SSID.
2. Configure the interface:
   • Name: CorpNet-Secure
   • Traffic Mode: Tunnel (recommended for RADIUS)
   • IP/Network Mask: Assign a subnet for wireless clients or use DHCP relay
3. Under WiFi Settings:
   • SSID: CorpNet-Secure
   • Security Mode: WPA2-Enterprise
   • Authentication: RADIUS Server
   • RADIUS Server: Select "IronWiFi-Primary"
4. Enable RADIUS Accounting and point it to the same server.
5. Under FortiAP Profiles, assign this SSID to the appropriate AP profile.
6. Click OK to save.

Step 4: Configure Firewall Policies

FortiGate requires explicit firewall policies for RADIUS traffic. This is a step that other vendor platforms handle implicitly, but FortiGate's security-first architecture means you must allow it.

RADIUS Traffic Policy

1. Navigate to Policy & Objects > Firewall Policy and click Create New.
2. Configure the policy:
   • Name: Allow-RADIUS-IronWiFi
   • Incoming Interface: any (or the FortiGate loopback)
   • Outgoing Interface: WAN interface
   • Source: FortiGate address
   • Destination: Create address objects for 35.174.127.31 and 44.199.225.113
   • Service: RADIUS (UDP 1812, 1813)
   • Action: Accept
3. Click OK to save.

Wireless Client Traffic Policy

You also need a policy allowing authenticated wireless clients to access the network:

1. Create a second firewall policy with:
   • Incoming Interface: The SSID interface (CorpNet-Secure)
   • Outgoing Interface: WAN or internal LAN interfaces
   • Source: all
   • Destination: all
   • Action: Accept
2. Apply security profiles (web filter, antivirus, IPS) as needed.

Step 5: Test Authentication

FortiGate RADIUS Test Tool

Use the FortiGate CLI to test RADIUS connectivity before trying with a client device:

diagnose test authserver radius IronWiFi-Primary pap testuser testpassword

A successful test returns "authenticate response: Access-Accept". If it returns "timeout", check your firewall policy and shared secret.

Test with a Client Device

1. On a test laptop or phone, search for the configured SSID and select it.
2. Enter the username and password (for PEAP) or select the certificate (for EAP-TLS).
3. Accept the server certificate prompt on first connection.
4. Once connected, verify the IP address and VLAN assignment.
5. Check logs on both FortiGate (Log & Report > WiFi Events) and IronWiFi (Logs > Authentication).

Troubleshooting

RADIUS Timeout (No Response)

• Missing firewall policy - The most common issue on FortiGate. Verify a policy exists allowing UDP 1812/1813 from FortiGate to the IronWiFi server IPs.
• Source IP mismatch - FortiGate sends RADIUS from its WAN IP. Ensure this IP is registered in IronWiFi as an authorized client.
• NAT translation - If FortiGate is behind another NAT device, the source IP seen by IronWiFi may differ from FortiGate's WAN IP. Check with a packet capture.
• Wrong server IP - Verify the RADIUS server IP in FortiGate matches what IronWiFi provided.

Authentication Rejected (Access-Reject)

• Wrong credentials - Verify username and password in IronWiFi. Authentication is case-sensitive.
• Shared secret mismatch - Re-enter the secret in both FortiGate and IronWiFi.
• Authentication method - Ensure the FortiGate RADIUS server configuration uses a compatible authentication method. Default or MSCHAP2 works for PEAP.
• Disabled account - Check the user account status in IronWiFi.

FortiGate Diagnostic Commands

Useful CLI commands for debugging:

# Test RADIUS authentication
diagnose test authserver radius IronWiFi-Primary pap testuser testpassword

# Show RADIUS server status
get user radius

# Debug RADIUS communication
diagnose debug application radiusd -1
diagnose debug enable