
Fortinet RADIUS Setup Guide: Configure IronWiFi with FortiGate & FortiAP

Learn how to configure WPA2-Enterprise 802.1X authentication on Fortinet FortiGate and FortiAP using IronWiFi Cloud RADIUS. This guide covers RADIUS server configuration, SSID setup, firewall policies, dynamic VLAN assignment, and troubleshooting common issues.

To set up RADIUS for Fortinet, add a RADIUS server in FortiGate under User & Authentication pointing to the RADIUS server IP assigned in the IronWiFi Console with the assigned port and shared secret. Create a WPA2-Enterprise SSID on the FortiAP wireless controller referencing the RADIUS server, then configure a firewall policy allowing RADIUS traffic from FortiGate to the RADIUS server IPs shown in the IronWiFi Console. FortiGate proxies 802.1X authentication requests from FortiAP clients to the Cloud RADIUS server.

Fortinet's FortiGate firewalls serve as both network security appliances and wireless controllers for FortiAP access points. This integrated architecture means RADIUS authentication for wireless clients passes through the FortiGate, which adds a layer of control but also requires specific firewall policy configuration. This guide covers the complete setup of IronWiFi Cloud RADIUS with the Fortinet wireless stack.

Why Use RADIUS with Fortinet?

FortiGate supports WPA2-Personal (PSK) out of the box, but enterprise environments need stronger authentication. RADIUS with Fortinet provides:

  • Individual user credentials - Every person authenticates with their own identity instead of a shared password
  • Certificate-based authentication - Deploy EAP-TLS for passwordless device authentication
  • Dynamic VLAN assignment - Place users into different VLANs based on role or device type via RADIUS attributes
  • Integration with FortiGate security - Combine RADIUS identity with FortiGate firewall policies for identity-based access control
  • Centralized access management - Grant or revoke WiFi access from the IronWiFi console without touching FortiGate
  • Identity provider integration - Authenticate against Microsoft Entra ID, Google Workspace, Okta, or LDAP directories

Prerequisites

Before starting the configuration, ensure you have:

  • FortiGate admin access - GUI or CLI access with super_admin or equivalent privileges
  • FortiAP access points - Connected to and managed by the FortiGate
  • IronWiFi account

Frequently Asked Questions

In the FortiGate GUI, navigate to User & Authentication > RADIUS Servers and click Create New. Enter a name for the server, the IronWiFi RADIUS server IP address, and the shared secret. Set the authentication and accounting ports to the values shown in your IronWiFi Console. You can also configure this via CLI using the 'config user radius' command.

All current FortiOS versions (6.x and 7.x) support external RADIUS servers for wireless authentication. The GUI path for RADIUS server configuration may vary slightly between versions, but the functionality is consistent. FortiOS 7.0+ provides an improved wireless controller interface with better RADIUS integration options.

Yes. FortiGate requires an explicit firewall policy to allow RADIUS traffic from the FortiAP interface to the IronWiFi RADIUS server IPs. Create a policy allowing UDP traffic on the RADIUS authentication and accounting ports assigned in your IronWiFi Console from the FortiAP source interface to the RADIUS server destination. Without this policy, RADIUS packets are dropped by the FortiGate firewall.

Yes. When FortiAP access points are managed by a FortiGate controller, the FortiGate handles RADIUS communication on behalf of the APs. Configure the RADIUS server in FortiGate's User & Authentication section, then reference it in the SSID profile. The FortiGate sends RADIUS requests using its own IP, so register the FortiGate's WAN IP as the authorized client in IronWiFi.

RADIUS timeouts on FortiGate usually have these causes: (1) Missing firewall policy allowing UDP traffic on the assigned RADIUS ports from FortiGate to the RADIUS server. (2) Incorrect RADIUS server IP or shared secret. (3) The FortiGate WAN IP is not registered as an authorized client in IronWiFi. (4) NAT is modifying the source IP of RADIUS packets. To test connectivity, run the FortiGate diagnose command 'diagnose test authserver radius <server-name> <auth-scheme> <user> <password>', where <auth-scheme> is one of pap, chap, mschap, or mschap2.
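
The CLI equivalent of the RADIUS server and SSID steps described above, followed by the connectivity test, is shown here as an added example that is not part of the original guide. The object names "IronWiFi" and "corp-8021x", the SSID "Corp-WiFi", and every value in angle brackets are placeholders; take the real IP, ports and shared secret from your IronWiFi Console.

```fortios
# 1. Define the Cloud RADIUS server (User & Authentication > RADIUS Servers).
config user radius
    edit "IronWiFi"
        set server "<RADIUS_SERVER_IP>"
        set secret "<SHARED_SECRET>"
        # Authentication port assigned in the IronWiFi Console
        set radius-port <AUTH_PORT>
        # Accounting goes to the same server on its own assigned port
        config accounting-server
            edit 1
                set status enable
                set server "<RADIUS_SERVER_IP>"
                set secret "<SHARED_SECRET>"
                set port <ACCT_PORT>
            next
        end
    next
end

# 2. Create the WPA2-Enterprise SSID and point it at that server.
config wireless-controller vap
    edit "corp-8021x"
        set ssid "Corp-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "IronWiFi"
        # Let RADIUS attributes place each user into a VLAN
        set dynamic-vlan enable
    next
end

# 3. Confirm the FortiGate can reach the server and the secret matches.
#    Use a test account; the password is visible in the CLI history.
diagnose test authserver radius "IronWiFi" pap <TEST_USER> <TEST_PASSWORD>
```

If step 3 times out while the server IP and ports are correct, work through the four causes listed above before changing the SSID configuration.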