
FortiGate - RadSec Configuration

Configure RadSec (RADIUS over TLS) on FortiGate wireless controllers and FortiAP access points for secure OpenRoaming authentication with IronWiFi. This guide covers certificate installation via GUI, CLI-based RadSec configuration, and Hotspot 2.0 profile creation for FortiOS 7.x deployments.

Quick Start

  1. Enable RadSec and OpenRoaming in IronWiFi Console
  2. Download certificate bundle
  3. Import certificates via FortiGate GUI (System > Certificates)
  4. Configure RADIUS server with RadSec via CLI
  5. Create Hotspot 2.0 profile with OpenRoaming OIs
  6. Apply to wireless VAP

Prerequisites

In FortiGate:

  • FortiGate with FortiOS 7.0 or later
  • FortiAP access points
  • CLI access (required for RadSec configuration)

In IronWiFi Console (complete these first):

  1. Create or select a Network in the IronWiFi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Enable RadSec from the dropdown menu
  4. Download the certificate bundle (ZIP file containing Root CA, Intermediate CA, client certificate, and private key)

Important Note

FortiGate RadSec configuration requires CLI access. The GUI does not support all RadSec settings.


Certificate Installation

Upload Certificates via GUI

  1. Log in to FortiGate web interface

  2. Go to System > Certificates

  3. Import CA certificates:

    • Click Import > CA Certificate
    • Upload iw-rsa-root-ca.cert.pem
    • Name: IronWiFi-Root-CA
    • Upload iw-rsa-radsec-signing-ca.cert.pem
    • Name: IronWiFi-RadSec-CA
  4. Import client certificate:

    • Click Import > Local Certificate
    • Upload client.cert.pem and client.key.pem
    • Name: IronWiFi-RadSec-Client

Verify Certificates

After import, certificates should appear in:

  • Remote CA Certificates: IronWiFi-Root-CA, IronWiFi-RadSec-CA
  • Local Certificates: IronWiFi-RadSec-Client

CLI Configuration

Configure RADIUS Server with RadSec

Connect to FortiGate CLI and configure:

Key Parameters Explained

Parameter           Value                    Description
server              radsec.ironwifi.com      RadSec server address
secret              ""                       Empty for RadSec (uses certs)
radius-port         2083                     Standard RadSec port
transport-protocol  tls                      Enable RadSec
ca-cert             IronWiFi-Root-CA         CA for server verification
client-cert         IronWiFi-RadSec-Client   Client certificate

Configure User Group


Wireless Configuration

Create SSID with Passpoint

Configure Hotspot 2.0 Profile

Configure NAI Realm


Complete Configuration Script

Copy and paste this complete configuration:


Firewall Policy

Create firewall policy for RadSec users:


Verification

Check RADIUS Configuration

diagnose test authserver radius IronWiFi-RadSec

Check RadSec Connection

Check Certificate Status

Monitor Authentication

diagnose wireless-controller wlac -c sta

Troubleshooting

RadSec Connection Failures

  1. Certificate Issues

  2. Verify Certificates

    • Check certificate validity
    • Ensure CA chain is complete
    • Verify client cert matches key
  3. Network Issues

    • Verify port 2083 open outbound
    • Check DNS resolution
    • Test connectivity to RadSec server
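The three certificate checks and the connectivity test listed above, as an added example that is not part of this guide: a POSIX shell script using the OpenSSL CLI on the admin workstation to validate the downloaded bundle before it is imported under System > Certificates. The function names check_bundle, check_radsec_reachable and make_demo_bundle are assumptions, and the chain make_demo_bundle builds is constructed so the checks run offline.

```shell
# Added example (not from the guide): pre-import checks for the IronWiFi
# RadSec bundle, run with the OpenSSL CLI on an admin workstation.

# check_bundle ROOT_CA_PEM SIGNING_CA_PEM CLIENT_CERT_PEM CLIENT_KEY_PEM
# Returns 0 only if the chain is complete, the client cert is valid for
# more than 30 days, and the client cert matches the private key.
check_bundle() {
  root=$1; inter=$2; cert=$3; key=$4
  # 1. Chain completeness: client cert -> RadSec signing CA -> Root CA.
  openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: chain incomplete or signature invalid"; return 1; }
  # 2. Validity: -checkend fails if the cert expires within 30 days (2592000 s).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: client cert expired or expiring within 30 days"; return 1; }
  # 3. Key match: the public key carried by the cert must equal the key's.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: client cert does not match private key"; return 1; }
  echo "OK: bundle passes all checks"
}

# check_radsec_reachable ROOT_CA_PEM CLIENT_CERT_PEM CLIENT_KEY_PEM
# Live test for the "port 2083 open outbound" item: a mutual-TLS handshake
# with radsec.ironwifi.com using the bundle's client cert (needs network).
check_radsec_reachable() {
  openssl s_client -connect radsec.ironwifi.com:2083 -CAfile "$1" -cert "$2" \
    -key "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed demo chain (Root CA -> signing CA -> client) so the checks can
# run offline; real deployments use the PEM files from the downloaded ZIP.
make_demo_bundle() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj /CN=Demo-Root-CA \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 400 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=Demo-RadSec-Signing-CA \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 400 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=demo-client \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 400 -out "$d/client.pem" 2>/dev/null
}
```

Pass the four PEM files from the downloaded ZIP to check_bundle in place of the demo chain; check_radsec_reachable additionally needs outbound access to port 2083.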

Authentication Problems

  1. Check RADIUS Events

  2. Review FortiAnalyzer (if available)

    • Check RADIUS authentication logs
    • Look for rejection reasons

Common Errors

Error                         Cause           Solution
"TLS handshake failed"        Cert issue      Re-import certificates
"Connection timeout"          Port blocked    Check firewall rules
"Certificate verify failed"   CA not trusted  Import complete CA chain
"No matching realm"           NAI config      Verify realm configuration

Best Practices

  1. Use FortiOS 7.x: Better RadSec support
  2. CLI Configuration: Required for full RadSec setup
  3. Monitor Certificates: Track expiration dates
  4. Test Connectivity: Verify RadSec before production
  5. Backup Configuration: Save working config
  6. Use FortiAnalyzer: For detailed logging
