FortiGate
Integrate Fortinet FortiGate wireless controllers with IronWiFi's RADIUS authentication and external captive portal. This guide covers RADIUS server configuration, user group creation, external captive portal setup, firewall policy configuration, exempt list (walled garden) setup, WPA-Enterprise deployment, and optional RadSec for encrypted RADIUS communications.
Prerequisites
In FortiGate:
- FortiGate device with wireless capability
- Admin access to FortiGate web interface or CLI
- Network configured for guest WiFi
In IronWiFi Console (complete these first):
- Create a Network in IronWiFi Console
- Create a Captive Portal with vendor Fortinet
- Note your RADIUS settings (Primary IP, Backup IP, Secret) and Splash Page URL
FortiGate Configuration
Step 1: Configure RADIUS Server
- Navigate to User & Authentication → RADIUS Servers
- Click Create New
- Configure:
- Name: IronWiFi
- Primary Server IP:
{Primary IP} - Primary Server Secret:
{Secret} - Secondary Server IP:
{Backup IP} - Authentication Scheme: Use default
Step 2: Test RADIUS Connection
Always test RADIUS connectivity before proceeding with portal configuration. If the test fails here, the captive portal will not work regardless of other settings.
- Click Test Connectivity
- Enter test user credentials
- Verify "Access-Accept" response
Step 3: Create User Group
- Navigate to User & Authentication → User Groups
- Click Create New
- Configure:
- Name: IronWiFi-Users
- Type: Firewall
- Remote Groups: Add IronWiFi RADIUS
Step 4: Configure Captive Portal
- Navigate to WiFi & Switch Controller → WiFi
- Select your SSID
- Configure Security:
- Security Mode: Captive Portal
- Portal Type: External
- External Captive Portal URL:
{Splash Page URL}
Step 5: Configure Firewall Policy
The firewall policy order matters. Place the exemption policy (allowing pre-auth access to IronWiFi) above the captive portal policy, or unauthenticated users will not be able to reach the splash page.
Create policy for guest network:
- Navigate to Policy & Objects → Firewall Policy
- Create new policy:
- Incoming Interface: WiFi interface
- Outgoing Interface: WAN
- Source: Guest network
- Destination: All
- Service: ALL
- Action: Accept
- Security Profiles: As needed
Step 6: Exempt List (Walled Garden)
Configure addresses that guests can access before authentication:
-
Navigate to Policy & Objects → Addresses
-
Create address for IronWiFi:
- Name: IronWiFi-Splash
- IP/Netmask:
107.178.250.42/32
-
Create exemption policy allowing pre-auth access
If you're using social login or payment providers, add these domains to your walled garden:
| Provider | Required Entries |
|---|---|
| |
| |
| |
| Twitter/X | |
| Apple | |
| Microsoft Entra ID | |
| Stripe | |
| PayPal | |
| Twilio (SMS) | |
CLI Configuration
RadSec Configuration
RadSec (RADIUS over TLS) encrypts all authentication traffic between FortiGate and IronWiFi. This is recommended for production deployments and required for OpenRoaming federation compliance.
For RADIUS over TLS:
- Enable RadSec in IronWiFi
- Download certificates
- In FortiGate:
WPA-Enterprise
For 802.1X:
Troubleshooting
If you encounter issues after configuration, use this table to diagnose and resolve common problems:
| Symptom | Cause | Solution |
|---|---|---|
| RADIUS connection failed | Incorrect server settings or firewall blocking | Verify server IP and port, check shared secret, test firewall rules, use |
| Captive portal not showing | Incorrect portal configuration | Verify portal type is external, check external URL is correct, confirm exempt list allows splash page access |
| Authentication issues | User group or RADIUS misconfiguration | Check user group configuration, verify RADIUS server association, review authentication logs with |
Related Topics
For this vendor
Shared configuration
Was this page helpful?