Network device onboarding

Fortinet

FortiGate + FortiSwitch + FortiAP

Applies to: FortiSwitches and FortiAPs are typically managed by a FortiGate (Security Fabric). RADIUS is defined once on the FortiGate and referenced by managed-switch security policies and SSID definitions. Examples are FortiOS 7.4 CLI.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

FortiGate CLI. RADIUS servers, then a security policy applied to the FortiSwitch port.

config user radius
  edit "Edge1"
    set server "10.10.10.10"
    set secret ARBITER_PSK
    set auth-type auto
    set radius-coa enable
    set acct-interim-interval 600
  next
  edit "Edge2"
    set server "10.10.10.11"
    set secret ARBITER_PSK
    set auth-type auto
    set radius-coa enable
    set acct-interim-interval 600
  next
end

config user group
  edit "Arbiter-Auth"
    set member "Edge1" "Edge2"
  next
end

config switch-controller security-policy 802-1X
  edit "Arbiter-Wired"
    set user-group "Arbiter-Auth"
    set mac-auth-bypass enable
    set open-auth disable
    set eap-passthru enable
    set guest-vlan disable
    set auth-fail-vlan disable
    set radius-timeout-overwrite enable
    set framevid-apply enable
  next
end

config switch-controller managed-switch
  edit "S224-FPOE-XXXXXXX"
    config ports
      edit "port1"
        set port-security-policy "Arbiter-Wired"
      next
    end
  next
end

Wireless: 802.1X SSID

Corporate 802.1X SSID on a FortiAP, authenticated through the FortiGate. The SSID references the user group rather than a single server, so wireless fails over to the second Edge exactly as the wired policy does. With dynamic-vlan enabled the client lands on the VLAN the Edge returns (Tunnel-Private-Group-ID); vlanid 10 is only the fallback for a client that arrives with no VLAN attribute.

config wireless-controller vap
  edit "Corp-1x"
    set ssid "Corp"
    set security wpa2-only-enterprise
    set auth usergroup
    set usergroup "Arbiter-Auth"
    set dynamic-vlan enable
    set radius-mac-auth disable
    set local-bridging disable
    set vlanid 10
  next
end

Guest SSID: open with captive portal redirect

Open SSID with RADIUS MAC authentication against the Edge and a captive-portal redirect for everyone else. The FortiGate tries MAC authentication first: a client the Edge already knows is admitted without seeing a portal, and any other client is redirected to Arbiter's hosted portal at the external-web URL. Clients that complete the portal are authenticated against the selected user group, that is against the Edge.

config wireless-controller vap
  edit "Guest"
    set ssid "Guest"
    set security captive-portal
    set external-web "https://acme-7f3-guest.arbiter.ie/"
    set radius-mac-auth enable
    set radius-mac-auth-server "Edge1"
    set radius-mac-auth-usergroups "Arbiter-Auth"
    set selected-usergroups "Arbiter-Auth"
    set portal-type external-auth
  next
end

config firewall address
  edit "arbiter-guest-portal"
    set fqdn "acme-7f3-guest.arbiter.ie"
  next
end

DHCP relay to Edge

Per-interface DHCP relay. The first address is the site's existing DHCP server (shown here as 10.0.0.5); both Edges are listed alongside it so that they receive a copy of every DHCP exchange on the VLAN, which is the relay intent described in the overview. Repeat the setting on every client VLAN the Edge should see.

config system interface
  edit "vlan10"
    set dhcp-relay-service enable
    set dhcp-relay-ip "10.0.0.5" "10.10.10.10" "10.10.10.11"
  next
end

AAA dead-server detection

Optional but recommended. FortiGate tracks RADIUS availability per server. Because the Edge appliances are LAN-local, keep the per-request timeout short and the deadtime brief: the FortiGate then fails over to the second Edge quickly and holds the dead flag for that interval instead of re-probing a dead server on every new request. Note that source-ip 0.0.0.0 (the default) means requests leave from the egress interface address; that is the NAS address the Edge must have on its client list, so set it explicitly if more than one FortiGate interface can reach the Edges.

config system global
  set radius-port 1812
end

config user radius
  edit "Edge1"
    set timeout 3
    set source-ip 0.0.0.0
  next
  edit "Edge2"
    set timeout 3
    set source-ip 0.0.0.0
  next
end

Hold the dead flag for one minute before the server is retried:

config user setting
  set radius-deadtime 1
end

CoA listener

Per-server CoA is enabled by 'set radius-coa enable' on each user radius entry above; there is no separate listener object to configure. The FortiGate listens on UDP/3799 and acts only on Disconnect and CoA requests whose authenticator verifies under the same shared secret, so the CoA secret on the Edge must match the entry's secret and the Edge must be able to reach the FortiGate on UDP/3799. A CoA that produces no response at all usually means one of those two conditions is not met.
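The exchanges the wired MAB policy and the CoA listener above rely on, as an added example that is not part of the original page and is not Fortinet or Arbiter code: the Access-Request a NAS sends for MAC authentication bypass, the Access-Accept carrying the VLAN triple that framevid-apply and dynamic-vlan act on, and the RFC 5176 Disconnect-Request the Edge sends to UDP/3799 together with the authenticator check the listener performs before honouring it. Everything is built with the Python standard library; the MAC address, the NAS address and the secret ARBITER_PSK are placeholders, and the helper names (mab_access_request, vlan_attrs, reply, check_reply, assigned_vlan, disconnect_request, coa_request_is_authentic) are this example's own.

```python
import hashlib
import os
import struct

# RADIUS codes (RFC 2865) and Dynamic Authorization codes (RFC 5176)
ACCESS_REQUEST, ACCESS_ACCEPT, DISCONNECT_REQUEST, DISCONNECT_ACK = 1, 2, 40, 41
# Attribute types (RFC 2865, RFC 2868); CALL_CHECK is the Service-Type a NAS uses for MAB
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 2, 4, 6, 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, CALL_CHECK = 64, 65, 81, 10

def pack_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out

def unpack_attrs(data):
    """Decode an attribute list; rejects truncated or zero-length TLVs."""
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def pap_hide(password, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with an MD5 keystream
    chained on the previous ciphertext block (decryption chains on the input block)."""
    data = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else result
        out += result
    return out

def header(code, ident, body):
    return struct.pack("!BBH", code, ident, 20 + len(body))

def mab_access_request(mac, nas_ip, secret, ident, authenticator=None):
    """Access-Request a NAS sends for MAB: the MAC is User-Name and hidden
    User-Password, Service-Type is Call-Check. Returns (packet, request authenticator)."""
    ra = authenticator or os.urandom(16)  # placeholder values come from the caller
    mac_plain = mac.replace(":", "").replace("-", "").lower().encode()
    body = pack_attrs([
        (USER_NAME, mac_plain),
        (USER_PASSWORD, pap_hide(mac_plain, secret, ra)),
        (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
        (CALLING_STATION_ID, mac.upper().encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return header(ACCESS_REQUEST, ident, body) + ra + body, ra

def vlan_attrs(vlan, tag=1):
    """RFC 2868 triple the server returns to place a client in a VLAN:
    Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID."""
    return [(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())]

def reply(code, ident, request_auth, attrs, secret):
    """Server reply; Response Authenticator = MD5(header | RequestAuth | attrs | secret)."""
    body = pack_attrs(attrs)
    hdr = header(code, ident, body)
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body

def check_reply(resp, request_auth, secret):
    """Verify a reply the way the NAS must before trusting its attributes."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or length < 20:
        raise ValueError("bad length")
    if hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest() != resp[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, unpack_attrs(resp[20:])

def assigned_vlan(attrs):
    """VLAN from Tunnel-Private-Group-ID; a leading byte <= 0x1F is a tag, not data."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            return (v[1:] if v and v[0] <= 0x1F else v).decode()
    return None

def disconnect_request(ident, attrs, secret):
    """RFC 5176 Disconnect-Request for the NAS's UDP/3799 listener;
    Request Authenticator = MD5(header | 16 zero bytes | attrs | secret)."""
    body = pack_attrs(attrs)
    hdr = header(DISCONNECT_REQUEST, ident, body)
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() + body

def coa_request_is_authentic(pkt, secret):
    """The listener's check: recompute over a zeroed authenticator field.
    RFC 5176 requires a request failing this to be silently discarded."""
    return hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest() == pkt[4:20]
```

Two things are worth checking with this in hand. A reply whose Response Authenticator does not verify means the secret on the Edge and on the FortiGate differ, and the NAS must drop it rather than apply its VLAN. A Disconnect-Request whose authenticator does not verify is discarded without any reply, so a CoA that produces neither ACK nor NAK points at a secret mismatch or at the request never reaching UDP/3799, not at the session lookup.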

Notes

  • Standalone (non-managed) FortiSwitches run FortiSwitchOS, whose CLI uses the same config/edit/set/next/end syntax as FortiOS rather than Cisco IOS; the RADIUS server definitions above carry over, while 802.1X and MAB are set per port under the switch's own interface tree. The Cisco Catalyst guide remains a useful reference for which per-port behaviours to enable, not for syntax.
  • Guests must be able to reach acme-7f3-guest.arbiter.ie (DNS plus outbound TCP/443) before they have passed the portal, otherwise the redirect itself is blocked. That is what the arbiter-guest-portal address above is for: reference it as the destination in a firewall policy from the Guest SSID interface with captive-portal-exempt enabled, and keep that policy limited to the portal address.

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.
