Fortinet

FortiGate Integration

Configure FortiGate firewalls and FortiAP wireless access points to authenticate with NetKey RADIUS for WPA2/WPA3-Enterprise and MAC authentication.

FortiOS Version

This guide applies to FortiOS 7.x. Configuration may vary slightly for older versions.

Prerequisites

  • FortiGate with FortiOS 7.0 or later
  • FortiAP access points managed by FortiGate
  • Network connectivity to NetKey RADIUS
  • NetKey Group configured with RADIUS secret
Finding Your RADIUS Server Details

Log in to app.netkey.noSettings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your FortiGate.

GUI Configuration

Add RADIUS Server

1

Navigate to User & Authentication → RADIUS Servers

2

Click Create New:

Name NetKey-RADIUS
Authentication Method Specify
Primary Server IP your-radius-server
Primary Server Secret Your NetKey RADIUS secret
3

Configure Authentication/Accounting:

Authentication Port 1812
Accounting Port 1813
Include All User Groups Disabled
4

Click Test Connectivity to verify

Create User Group

5

Navigate to User & Authentication → User Groups

6

Click Create New:

Name WiFi-Users
Type Firewall
Remote Groups Add → NetKey-RADIUS → Any

Create SSID

7

Navigate to WiFi & Switch Controller → SSIDs

8

Click Create NewSSID:

Name Corporate-WiFi
Traffic Mode Tunnel (or Bridge)
IP/Network Mask Configure as needed
9

Configure Security:

Security Mode WPA2 Enterprise
Authentication RADIUS Server
RADIUS Server NetKey-RADIUS
10

Assign to FortiAP profile and click OK

CLI Configuration

For scripting or automation, use CLI commands.

Add RADIUS Server

FortiOS CLI 
config user radius
    edit "NetKey-RADIUS"
        set server "your-radius-server"
        set secret "YourRADIUSSecret"
        set radius-port 1812
        set acct-interim-interval 600
        set source-ip 0.0.0.0
    next
end

Create User Group

FortiOS CLI 
config user group
    edit "WiFi-Users"
        set member "NetKey-RADIUS"
    next
end

Create Wireless SSID

FortiOS CLI 
config wireless-controller vap
    edit "Corporate-WiFi"
        set ssid "Corporate-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "NetKey-RADIUS"
        set local-bridging enable
        set schedule "always"
        set broadcast-ssid enable
    next
end

MAC Authentication

Use MAC authentication for devices that can't do 802.1X.

Enable MAC-Based Authentication

FortiOS CLI 
config wireless-controller vap
    edit "IoT-WiFi"
        set ssid "IoT-Network"
        set security wpa2-only-personal
        set passphrase "FallbackPSK123"
        set mac-filter enable
        set mac-filter-policy-other allow
        set mac-auth enable
        set mac-auth-radius "NetKey-RADIUS"
        set radius-mac-auth enable
        set radius-mac-auth-server "NetKey-RADIUS"
    next
end

MAC Format Configuration

FortiGate sends MAC in format: aa-bb-cc-dd-ee-ff (lowercase with hyphens)

Configure NetKey to match in Group Settings → RADIUS → MAC Format.

Change MAC Format (CLI) 
config wireless-controller setting
    set mac-format xx:xx:xx:xx:xx:xx
end

Dynamic VLAN Assignment

FortiGate supports dynamic VLAN from RADIUS responses.

Enable RADIUS VLAN Override

FortiOS CLI 
config wireless-controller vap
    edit "Corporate-WiFi"
        set radius-mac-auth-enable-vlan enable
        set vlanid 1
        set vlan-auto enable
    next
end

Configure VLAN Interfaces

FortiOS CLI 
config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set interface "internal"
        set vlanid 100
    next
end

RADIUS Response

NetKey returns standard tunnel attributes:

RADIUS Access-Accept 
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "100"

User Groups via RADIUS

Map NetKey groups to FortiGate user groups using Filter-Id.

Configure Group Matching

FortiOS CLI 
config user radius
    edit "NetKey-RADIUS"
        set group-override-attr-type filter-id
    next
end

config user group
    edit "Employees"
        set group-type firewall
        config match
            edit 1
                set server-name "NetKey-RADIUS"
                set group-name "employees"
            next
        end
    next
    edit "Guests"
        config match
            edit 1
                set server-name "NetKey-RADIUS"
                set group-name "guests"
            next
        end
    next
end

NetKey returns the group via Filter-Id attribute:

RADIUS Response 
Filter-Id = "employees"

FortiAP Profile

Assign the SSID to a FortiAP profile.

FortiOS CLI 
config wireless-controller wtp-profile
    edit "FAP-Default"
        config radio-1
            set band 802.11ax-5G
            set vap-all disable
            set vaps "Corporate-WiFi"
        end
        config radio-2
            set band 802.11ax,802.11ac
            set vap-all disable
            set vaps "Corporate-WiFi"
        end
    next
end

Verification

Test RADIUS Connectivity

FortiOS CLI 
diagnose test authserver radius NetKey-RADIUS pap testuser testpass

View Connected Clients

FortiOS CLI 
diagnose wireless-controller wlac -c sta
diagnose wireless-controller wlac -d sta

View RADIUS Debug

FortiOS CLI 
diagnose debug application radiusd -1
diagnose debug enable

Troubleshooting

  • Verify RADIUS server IP and port are correct
  • Check shared secret matches exactly (case-sensitive)
  • Ensure firewall policy allows UDP 1812/1813 outbound
  • Check NetKey logs for incoming requests
  • Verify SSID is assigned to FortiAP profile
  • Check FortiAP is properly managed and online
  • Ensure RADIUS server is correctly assigned to SSID
  • Check client supplicant settings (EAP method)
  • Verify vlan-auto is enabled on the VAP
  • Ensure VLAN interface exists on FortiGate
  • Check RADIUS returns Tunnel-Private-Group-ID
  • Review FortiGate wireless debug logs