FortiGate - Passpoint Configuration
Configure Passpoint (Hotspot 2.0) on Fortinet FortiGate and FortiAP access points to enable automatic WiFi authentication through IronWiFi's cloud RADIUS service. This eliminates manual network selection and provides WPA2/WPA3-Enterprise security across your wireless infrastructure.
Supported Platforms
- FortiGate - Integrated wireless controller
- FortiAP - Managed access points
- FortiWLC - Standalone wireless controller
Prerequisites
In FortiGate:
- FortiGate with FortiOS 6.4 or later
- FortiAP with firmware supporting Hotspot 2.0
- Valid FortiCare license for wireless features
In IronWiFi Console (complete these first):
- Log in to IronWiFi Management Console
- Navigate to Networks > select your network
- Enable Passpoint
- Note the following:
  - RADIUS Server IPs
  - RADIUS Secret
  - NAI Realm
  - Roaming Consortium OIs
FortiGate Configuration
GUI Configuration
Step 1: Configure RADIUS Server
- Log in to FortiGate GUI
- Go to User & Authentication > RADIUS Servers
- Click Create New
- Configure:
  - Name: IronWiFi
  - Primary Server IP/Name: IronWiFi RADIUS IP
  - Primary Server Secret: Your RADIUS secret
  - Authentication Port: Customer Authentication Port
  - Accounting Port: Customer Accounting Port
- Click OK
Step 2: Create User Group
- Go to User & Authentication > User Groups
- Click Create New
- Configure:
  - Name: Passpoint-Users
  - Type: Firewall
  - Remote Groups: Add IronWiFi RADIUS server
- Click OK
Step 3: Configure Hotspot 2.0 Profile
- Go to WiFi & Switch Controller > Hotspot 2.0
- Click Create New under HS2.0 Profiles
- Configure:
  - General:
    - Name: IronWiFi-Passpoint
    - Internet: Enable
    - Hotspot 2.0: Enable
  - Venue Information:
    - Venue Group: Business
    - Venue Type: Unspecified
  - Network Authentication Type:
    - Type: Acceptance of terms and conditions (or as needed)
Step 4: Configure Domain Name
- In the HS2.0 profile, find Domain Name
- Add: ironwifi.net
Step 5: Configure Roaming Consortium
- Go to Hotspot 2.0 > HS2.0 Roaming Consortium
- Click Create New
- Add:
  - Name: OpenRoaming-Settlement-Free
  - OI: 5A03BA0000
- Repeat for:
  - Name: Cisco-OpenRoaming
  - OI: 004096
- Associate with HS2.0 profile
Step 6: Configure NAI Realm
- Go to Hotspot 2.0 > HS2.0 NAI Realm
- Click Create New
- Configure:
  - Name: IronWiFi-Realm
  - NAI: ironwifi.com
  - Encoding: UTF-8
  - EAP Method: EAP-TTLS
  - Auth: Credentials
  - Inner EAP: PAP
- Associate with HS2.0 profile
Step 7: Create SSID
- Go to WiFi & Switch Controller > SSIDs
- Click Create New
- Configure:
  - Interface:
    - Name: Passpoint
    - Type: WiFi SSID
  - WiFi Settings:
    - SSID: Passpoint
    - Security Mode: WPA2-Enterprise
    - Authentication: RADIUS Server (IronWiFi)
  - Hotspot 2.0:
    - Hotspot 2.0: Enable
    - HS2.0 Profile: IronWiFi-Passpoint
- Click OK
Step 8: Apply to FortiAP
- Go to WiFi & Switch Controller > Managed FortiAPs
- Select target APs
- Assign SSID profile
- Apply configuration
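A pre-flight check for the values this procedure enters (RADIUS details from Step 1, domain from Step 4, OIs from Step 5, realm from Step 6), as an added example that is not part of the original page or of Fortinet's or IronWiFi's tooling. The `cfg` keys, function names, and the sample IPs, ports and secret are assumptions constructed for illustration; the checks applied are the 3- or 5-octet OI length and the 16-octet shared-secret minimum that RFC 2865 recommends.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def normalize_oi(oi):
    """Return a 3-octet (OUI) or 5-octet (OUI-36) OI as bare uppercase hex."""
    hexstr = re.sub(r"[:\-\s]", "", oi).upper()
    if not re.fullmatch(r"[0-9A-F]+", hexstr):
        raise ValueError(f"OI {oi!r} is not hexadecimal")
    if len(hexstr) not in (6, 10):
        raise ValueError(f"OI {oi!r} has {len(hexstr)} hex digits, expected 6 or 10")
    return hexstr

def is_domain(name):
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)

def check_passpoint(cfg):
    """Return a list of problems found; an empty list means no findings."""
    problems = []
    for ip in cfg["radius_servers"]:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"RADIUS server {ip!r} is not an IP address")
    if len(cfg["radius_servers"]) < 2:
        problems.append("no backup RADIUS server configured")
    for key in ("auth_port", "acct_port"):
        if not 1 <= cfg[key] <= 65535:
            problems.append(f"{key} {cfg[key]} is outside 1-65535")
    if len(cfg["radius_secret"].encode()) < 16:
        problems.append("RADIUS secret is shorter than the 16 octets RFC 2865 recommends")
    for oi in cfg["roaming_ois"]:
        try:
            normalize_oi(oi)
        except ValueError as err:
            problems.append(str(err))
    for key in ("nai_realm", "domain_name"):
        if not is_domain(cfg[key]):
            problems.append(f"{key} {cfg[key]!r} is not a valid domain name")
    return problems

# Constructed sample: IPs, ports and secret are placeholders, not IronWiFi values.
SAMPLE = {"radius_servers": ["192.0.2.10", "192.0.2.11"], "auth_port": 1812,
          "acct_port": 1813, "radius_secret": "constructed-placeholder-secret",
          "roaming_ois": ["5A03BA0000", "00:40:96"],
          "nai_realm": "ironwifi.com", "domain_name": "ironwifi.net"}
```

Call `check_passpoint()` with the values noted from the IronWiFi console; each returned string names one value to correct before it is entered in the FortiGate GUI.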
CLI Configuration
Advanced Configuration
3GPP Cellular Information
For carrier integration:
WAN Metrics
Configure link metrics:
Connection Capability
Define allowed protocols:
Operator Icons
Add operator branding:
Firewall Policy
Create policy for Passpoint users:
Troubleshooting
Network Not Discovered
- Verify Hotspot 2.0 Status
  diagnose wireless-controller wlac -c vap
- Check HS2.0 Profile
  diagnose wireless-controller wlac -c hs20
- Verify FortiAP Configuration
  diagnose wireless-controller wlac -c wtp
Authentication Failures
- Test RADIUS Connectivity
- Check RADIUS Debug
- Review Logs
Debug Commands
Best Practices
- Firmware: Use FortiOS 7.0+ for best Passpoint support
- FortiAP: Ensure APs support Hotspot 2.0 (check datasheet)
- Testing: Test with multiple Passpoint clients
- Monitoring: Use FortiAnalyzer for detailed logs
- Security: Implement proper firewall policies
- Redundancy: Configure backup RADIUS servers