Using RadSec Secure Radius on Fortigate

This article outlines the steps necessary to configure the IronWiFi secure Radius over TLS (RadSec) servers on FortiGate / FortiAP devices.

Enable RadSec support in IronWiFi Console and obtain your RadSec Certificate Bundle

Go to this link to enable RadSec on your account and download your secure certificate bundle.

Configure Fortigate / FortiAP to use IronWiFi Secure RadSec Servers

This guide is based on FortiOS v7.4; the RadSec server has to be configured using the CLI.

  • Go to System > Certificates [if Certificates is not visible as a menu item, go to System > Feature Visibility and enable it]
  • Unpack the zip containing your certificate bundle
  • Select Create/Import > CA Certificate
  • Select Type - File and click on + Upload to open the file selector.
  • Select iw-rsa-root-ca.cert.pem and click OK to upload.
  • Repeat the steps above and upload iw-rsa-radsec-signing-ca.cert.pem
  • You should see both certificates listed in the Remote CA section. Take note of the name that has been assigned to the RadSec Signing CA; in the example below it is CA_Cert_2

  • Select Create/Import > Certificate
  • Click on Import Certificate
  • Click on Type - Certificate
  • Click on Certificate file and upload your client certificate from the bundle [ending in crt.pem]
  • Click on Key file and upload your client certificate key from the bundle [ending in key.pem]
  • Click on Create
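Before importing the bundle it is worth confirming that the files belong together: that the signing CA is really issued by the root, that the client certificate chains through the signing CA, and that the key file matches the client certificate. The script below is an added example, not part of the IronWiFi article or of FortiOS; it uses only the openssl command-line tool, assumes the file names the article mentions (iw-rsa-root-ca.cert.pem, iw-rsa-radsec-signing-ca.cert.pem, a client certificate ending in crt.pem and its key ending in key.pem), and builds a constructed toy chain with make_toy_bundle so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the IronWiFi article or FortiOS: sanity-check a
# RadSec certificate bundle with the openssl CLI before importing it into
# FortiGate. File names follow the bundle layout the article describes; the
# chain produced by make_toy_bundle is constructed demo data only.

# check_bundle ROOT_CA SIGNING_CA CLIENT_CERT CLIENT_KEY
# Returns 0 only if: the signing CA is issued by the root, the client
# certificate chains through the signing CA to the root, the private key
# matches the client certificate, and the certificate stays valid for at
# least another 30 days. Otherwise prints the first failing check, returns 1.
check_bundle() {
    root=$1 signing=$2 cert=$3 key=$4

    openssl verify -CAfile "$root" "$signing" >/dev/null 2>&1 \
        || { echo "FAIL: signing CA is not issued by the root CA" >&2; return 1; }

    openssl verify -CAfile "$root" -untrusted "$signing" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: client certificate does not chain to the root via the signing CA" >&2; return 1; }

    # Compare the public key inside the certificate with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: key file does not match the client certificate" >&2; return 1; }

    # -checkend N fails if the certificate expires within N seconds (30 days here).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "FAIL: client certificate expires within 30 days" >&2; return 1; }

    echo "OK: bundle is consistent"
    return 0
}

# make_toy_bundle DIR: build a constructed root CA -> signing CA -> client
# certificate chain using the article's file names (demo data, not a real bundle).
make_toy_bundle() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"

    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Toy Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 -extfile "$d/ca.ext" \
        -out "$d/iw-rsa-root-ca.cert.pem" >/dev/null 2>&1

    # Intermediate "RadSec signing" CA issued by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/signing.key" -out "$d/signing.csr" \
        -subj "/CN=Toy RadSec Signing CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/signing.csr" -CA "$d/iw-rsa-root-ca.cert.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/ca.ext" \
        -out "$d/iw-rsa-radsec-signing-ca.cert.pem" >/dev/null 2>&1

    # Client certificate issued by the signing CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key.pem" -out "$d/client.csr" \
        -subj "/CN=toy-fortigate-client" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/iw-rsa-radsec-signing-ca.cert.pem" \
        -CAkey "$d/signing.key" -CAcreateserial -days 365 -extfile "$d/client.ext" \
        -out "$d/client.crt.pem" >/dev/null 2>&1
}

# Stand-alone demo: build the constructed bundle in a temp dir and check it.
demo_dir=$(mktemp -d)
make_toy_bundle "$demo_dir"
check_bundle "$demo_dir/iw-rsa-root-ca.cert.pem" "$demo_dir/iw-rsa-radsec-signing-ca.cert.pem" \
             "$demo_dir/client.crt.pem" "$demo_dir/client.key.pem"
rm -rf "$demo_dir"
```

To check a real bundle, unpack the zip and call check_bundle with the four files in the order root CA, signing CA, client certificate, client key. A mismatched key or a certificate chain that does not close is the usual reason a FortiGate RADIUS server shows a failed Connection Status after an otherwise correct configuration, and it is cheaper to catch here than on the firewall.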

  • Confirm if the certificate that you have added is visible in Local Certificate section
  • Log in via SSH to your device, or click on >_ in your GUI to open the console
  • Configure the server using the commands below:

    config user radius
        edit IW-RadSec
            set server <your.server.ip>
            # RFC 6614 fixes the RADIUS shared secret for RadSec to the string "radsec"; confidentiality comes from the TLS session
            set secret radsec
            set acct-interim-interval 600
            set transport-protocol tls
            set auth-type pap
            # Name FortiOS assigned to iw-rsa-radsec-signing-ca.cert.pem under Remote CA (CA_Cert_2 in the example above)
            set ca-cert <your RadSec Issuing CA Name>
            # Name of the client certificate imported under Local Certificate
            set client-cert <your certificate name>
            # Skips matching the server name/IP against the server certificate; the certificate chain is still validated against ca-cert
            set server-identity-check disable
            config accounting-server
                edit 1
                    set status enable
                    set server <your.server.ip>
                    set secret radsec
                next
            end
        next
    end

  • Go to Users & Authentication > Radius Servers, double-click on the Radius server name that you have just created and confirm that it shows Successful in Connection Status

  • You can test authentication with your user credentials by clicking on Test User Credentials