FortiNet
To use the RadSec feature on your FortiGate and FortiAPs, firmware FortiOS 7.4.0 or later is required.
Prepare Certificates
Download the root certificate of the CA that has issued your RADIUS server certificate as described here
Create a client certificate for your Access Points. If you are using SCEPman Certificate Master, the process is described here
Add the root certificate of the CA that has issued the client certificate on your Access Point to your RADIUS instance under Server Settings > RadSec connection certificates as described here
FortiGate configuration
To configure RadSec on your FortiGate AP, follow the steps below:
Create a new RADIUS server and add your RadSec server IP address and secret. The fixed shared secret is "radsec".
Import the root certificate of your RaaS into the FortiGate certificates under System > Certificates > Import > CA Certificate.
The imported root CA will be listed under Remote CA Certificate.
Import the client certificate to your FortiGate (FortiOS 7.4.0 supports PKCS#12 certificates) under System > Certificates > Import > Certificate.
Change the RADIUS configuration on your FortiGate to use the imported certificate as the client certificate.
If it is enabled, please disable the "server-identity-check" in your FortiGate RADIUS configuration.
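The steps above expressed as a FortiOS CLI configuration, as an added example that is not taken from the original page or from Fortinet's documentation. The entry name, server address, port and both certificate names are assumed placeholders; substitute the names your FortiGate shows after the imports.

```text
# Added example: CLI form of the RadSec client steps above.
# All names and addresses below are constructed placeholders.
config user radius
    edit "RaaS-RadSec"
        # RadSec server IP address of your RADIUS instance (placeholder)
        set server "192.0.2.10"
        # Fixed shared secret stated on this page
        set secret radsec
        # 2083 is the standard RadSec port (RFC 6614); assumption,
        # use the port your RADIUS instance lists
        set radius-port 2083
        # RADIUS over TLS (RadSec) instead of UDP
        set transport-protocol tls
        # Root CA of the RADIUS server certificate, as listed under
        # Remote CA Certificate after the import (placeholder name)
        set ca-cert "CA_Cert_1"
        # Client certificate imported from the PKCS#12 file (placeholder name)
        set client-cert "ap-radsec-client"
        # Disabled as instructed in the last step above
        set server-identity-check disable
    next
end
```

With `server-identity-check` disabled, the server certificate is still validated against the CA set in `ca-cert`, so make sure that entry points to the root certificate imported for your RADIUS instance and not to another remote CA.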
Links
Link to FortiGate's documentation for the RadSec configuration: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/729374/configuring-a-radsec-client-new