Fortinet
FortiGate + FortiSwitch + FortiAP
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
FortiGate CLI. RADIUS servers, then a security policy applied to the FortiSwitch port.
config user radius
edit "Edge1"
set server "10.10.10.10"
set secret ARBITER_PSK
set auth-type auto
set radius-coa enable
set acct-interim-interval 600
next
edit "Edge2"
set server "10.10.10.11"
set secret ARBITER_PSK
set auth-type auto
set radius-coa enable
next
end
config user group
edit "Arbiter-Auth"
set member "Edge1" "Edge2"
next
end
config switch-controller security-policy 802-1X
edit "Arbiter-Wired"
set user-group "Arbiter-Auth"
set mac-auth-bypass enable
set open-auth disable
set eap-passthru enable
set guest-vlan disable
set auth-fail-vlan disable
set radius-timeout-overwrite enable
set framevid-apply enable
next
end
config switch-controller managed-switch
edit "S224-FPOE-XXXXXXX"
config ports
edit "port1"
set port-security-policy "Arbiter-Wired"
next
end
next
end
Wireless: 802.1X SSID
Corporate 802.1X SSID on a FortiAP, served via the FortiGate.
config wireless-controller vap
edit "Corp-1x"
set ssid "Corp"
set security wpa2-only-enterprise
set auth radius
set radius-server "Edge1"
set dynamic-vlan enable
set radius-mac-auth disable
set local-bridging disable
set vlanid 10
next
end
Guest SSID: open with captive portal redirect
Open SSID with MAB and a captive portal URL. FortiGate's external captive portal honours either a RADIUS-supplied redirect or a local captive-portal setting that points at Arbiter's hosted portal.
config wireless-controller vap
edit "Guest"
set ssid "Guest"
set security captive-portal
set external-web "https://acme-7f3-guest.arbiter.ie/"
set radius-mac-auth enable
set radius-mac-auth-server "Edge1"
set radius-mac-auth-usergroups "Arbiter-Auth"
set selected-usergroups "Arbiter-Auth"
set portal-type external-auth
next
end
config firewall address
edit "arbiter-guest-portal"
set fqdn "acme-7f3-guest.arbiter.ie"
next
end
DHCP relay to Edge
Per-interface DHCP relay.
config system interface
edit "vlan10"
set dhcp-relay-service enable
set dhcp-relay-ip "10.0.0.5" "10.10.10.10" "10.10.10.11"
next
end
AAA dead-server detection
Optional but recommended. FortiGate tracks RADIUS availability per server. The RADIUS servers are local Edge appliances on your LAN, so keep the per-request timeout short and the deadtime brief: the gateway flips to the second Edge fast and holds the dead flag instead of probing every new request.
config system global
set radius-port 1812
end
config user radius
edit "Edge1"
# short, LAN-local server
set timeout 3
set source-ip 0.0.0.0
next
edit "Edge2"
set timeout 3
set source-ip 0.0.0.0
next
end
# Hold the dead flag for 1 minute before retrying the server
config user setting
set radius-deadtime 1
end
CoA listener
Per-server CoA is enabled by 'set radius-coa enable' on each user radius entry. The FortiGate listens for CoA on UDP/3799.
(see radius-coa enable on each user radius entry above)
Notes
- FortiSwitches in standalone (non-managed) mode have their own CLI very close to Cisco IOS. Refer to the Cisco Catalyst guide as a starting point.
- The FortiGate must reach acme-7f3-guest.arbiter.ie outbound for the external-web captive portal flow. Ensure DNS and outbound TCP/443 are permitted.
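The following Python check is an added example, not Arbiter or Fortinet tooling: it parses a FortiGate configuration backup and reports where the RADIUS servers, user group and 802.1X security policy depart from the settings shown on this page. The function names, the 3-second default threshold and the sample config are constructed for illustration, and the parser assumes a backup without a VDOM wrapper.

```python
import shlex

def parse_fortios(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: [values]}}}."""
    tree, stack = {}, []  # each stack item: [section name, entry being edited]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append([" ".join(args), ""])
        elif cmd == "edit" and stack:
            stack[-1][1] = args[0]
        elif cmd == "set" and stack:
            section = " > ".join(name for name, _ in stack)  # nested blocks joined
            tree.setdefault(section, {}).setdefault(stack[-1][1], {})[args[0]] = args[1:]
        elif cmd == "next" and stack:
            stack[-1][1] = ""
        elif cmd == "end" and stack:
            stack.pop()
    return tree

def audit(cfg, servers=("Edge1", "Edge2"), group="Arbiter-Auth", max_timeout=3):
    """Return findings where the parsed config departs from this page's settings."""
    findings, radius = [], cfg.get("user radius", {})
    for name in servers:
        entry = radius.get(name)
        if entry is None:
            findings.append(f"{name}: RADIUS server not defined")
            continue
        if entry.get("radius-coa") != ["enable"]:
            findings.append(f"{name}: radius-coa not enabled")
        if (t := entry.get("timeout")) is None or int(t[0]) > max_timeout:
            findings.append(f"{name}: timeout not set to {max_timeout}s or less")
    members = cfg.get("user group", {}).get(group, {}).get("member", [])
    findings += [f"{group}: {n} is not a member" for n in servers if n not in members]
    for name, pol in cfg.get("switch-controller security-policy 802-1X", {}).items():
        if pol.get("open-auth") != ["disable"]:
            findings.append(f"{name}: open-auth is not disabled")
    return findings

# Constructed sample (one CLI line per item): Edge2 lacks CoA and a short
# timeout, is missing from the group, and the wired policy allows open auth.
SAMPLE = "\n".join([
    'config user radius', 'edit "Edge1"', 'set radius-coa enable', 'set timeout 3', 'next',
    'edit "Edge2"', 'set timeout 10', 'next', 'end',
    'config user group', 'edit "Arbiter-Auth"', 'set member "Edge1"', 'next', 'end',
    'config switch-controller security-policy 802-1X', 'edit "Arbiter-Wired"',
    'set open-auth enable', 'next', 'end',
])
```

Run it as audit(parse_fortios(backup_text)); an empty list means the checked settings match. It inspects static configuration only, so policy outcomes are still validated against the Arbiter portal.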
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.