To use the RadSec feature on your FortiGate and FortiAPs, firmware FortiOS 7.4.0 or later is required.

Prepare Certificates

  1. Download the root certificate of the CA that has issued your RADIUS server certificate as described here

  2. Create a client certificate for your Access Points. If you are using SCEPman Certificate Master, the process is described here

  3. Add the root certificate of the CA that has issued the client certificate on your Access Point to your RADIUS instance as described here and select RadSec for the trusted certificate type.

FortiGate configuration

To configure RadSec on your FortiGate AP please follow the steps below:

  • Create new RADIUSServer and add your RadSec server ip address and secret, the fixed shared secret is "radsec"

  • Import the root certificate of your RaaS to FortiGate Certificates System > Certificates > Import > CA Certificate

The imported RootCA will be listed under Remote CA Certificate

  • Import the client certificate to your FortiGate (FortiOS 7.4.0 supports PKCS#12 certificates) System > Certificates > Import > Certificate

  • Change the RADIUS config in your FortiGate to use it as client certificate

  • If it is enabled, please disable the "server-identity-check" in your FortiGate RADIUS configuration.

Link to FortiGate's documentation for the RadSec configuration:

Last updated