This guide provides a comprehensive overview of how to configure and manage Internet of Things (IoT) devices on a dedicated IoT SSID using a FortiGate firewall with MAC-based authentication against the Cloudi-Fi platform. By following the steps outlined in this document, network administrators can ensure secure and efficient connectivity for IoT devices within their network.
Prerequisites
Before starting, ensure you have the following prerequisites:
- Access to Cloudi-Fi's admin console
- Cloudi-Fi Radius IPs and Secret
- Access to the FortiGate
- Knowledge of your network’s IP addressing scheme
Validated with FortiOS 6.2.5 build 1142 & v7.4.1 build 2463
1. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
- IPs address of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking the Chatbot in the Cloudi-Fi Admin Console; Cloudi-Fi's Support team will provide you with the necessary information.
2. Create your IOT Security Profile(s)
The Security Profile defines the user group that Cloudi-Fi will share with the FortiGate during the RADIUS authentication of the IoT device (in the Access-Accept reply).
The shared user group follows the format cloudifi-SecurityProfileName. For example, a Security Profile named "Whitelist" results in the user group cloudifi-Whitelist being shared with the FortiGate; this is the group name you will later enter under Remote Groups on the FortiGate.
Security Profiles are particularly useful for creating Fortigate policies tailored to the different IoT profiles present on your network. For example, you could create a Security Profile dedicated to printers, and on the Fortigate side, allow access only to specific ports or destinations for that profile.
Go to your Cloudi-Fi Admin Console and navigate to Network > Security Profiles and select "Add profile"
Name ( e.g. Whitelist)
Location (e.g. All)
Description
Type : Whitelist
By default, for an unknown IoT device (i.e. one that has never connected to the Cloudi-Fi solution and has not been added to the Whitelist), the Cloudi-Fi RADIUS server returns an Access-Reject to the FortiGate.
3. Create the Cloudi-Fi Radius server
Go to Fortigate administration page > User & Authentication > RADIUS Servers > Create New
- Name: Cloudi-Fi_Radius_Srv
- Authentication Method: Default
- IP/Name: the IP address of the Cloudi-Fi RADIUS server (see 1. Get Radius information)
- Secret: Provided by the Cloudi-Fi Support team
- Click OK
Then go to Fortigate administration page > User & Authentication > User Groups > Create New
- Name (e.g cloudifi-Whitelist)
- Type: Firewall
- Remote Groups: Add Cloudi-Fi_Radius_Srv
- Group Name (e.g cloudifi-Whitelist)
A User Group is created to map the RADIUS server as a source of authenticated users. User groups act as a bridge between the authentication mechanism and the firewall rules. By linking the RADIUS server to a user group, you can define what authenticated users are allowed to do post-authentication.
Then retrieve the location hash key, which will be used as the NAS ID (the RADIUS NAS-Identifier attribute that tells Cloudi-Fi which location the request comes from). In the Admin UI, go to Location, select the desired location, and copy the hash key under Identifier.
Then, in the FortiGate CLI, edit the Cloudi-Fi RADIUS server you created above (the GUI does not expose these two settings) and set a custom NAS ID with the hash key:
config user radius
    edit "Cloudi-Fi_Radius_Srv"
        set nas-id-type custom
        set nas-id "hash-key_previously_copied"
    next
end
4. Fortigate interface configuration
Go to Network > Interfaces and edit the VLAN interface where you want to enable MAC-based authentication.
DHCP Server : define your DHCP parameters
Device Detection : enabled
Security mode : captive portal
User access : Restricted to Group
User Group (e.g. cloudifi-Whitelist, see 3. Create the Cloudi-Fi Radius server)
Then edit the interface in the CLI and enable MAC-based authentication (MAC auth bypass) for it:
config system interface
    edit "your_VLAN_interface"
        set security-mac-auth-bypass enable
    next
end
With this enabled, when a client attempts to connect, the FortiGate sends a RADIUS Access-Request to Cloudi-Fi (set up as the RADIUS server) using the endpoint's MAC address as the username. Cloudi-Fi answers with an Access-Accept carrying the user group for a known device, or an Access-Reject for an unknown one (see 2. Create your IOT Security Profile(s)), in which case the interface's captive portal applies.
5. Configure the security policy
To finalize the configuration, you must create the firewall policy that applies to devices Cloudi-Fi has placed in a user group. Without a policy that references the group, a device is authenticated but has nowhere to go.
Go to Fortigate administration page > Policy & Objects > Firewall Policy and create the policy below (one policy per Security Profile / user group if you use several, in the order you want them evaluated):
- Name: Whitelist
- Incoming interface: your VLAN interface
- Source: your VLAN address
- User/group (e.g. cloudifi-Whitelist)
- Destination: Define and allow only the destination IPs the devices configured with the Whitelist Security Profile in Cloudi-Fi actually need (see 2. Create your IOT Security Profile(s))
- Service: Define and allow only the service(s) those devices actually need (see 2. Create your IOT Security Profile(s))
- NAT: Optional, depending on your configuration.
6. Add and Register IoT Devices in Cloudi-Fi
Go to your Cloudi-Fi Admin Console and navigate to Network > Devices.
Then, click Add Device and enter the following:
In Network
- Device Name (e.g., SmartPrinter-001)
- MAC Address of the device
- Security Profile (e.g. Whitelist)
In Identification
- Device type
- Linked user
For an IoT device, if you assign both a Security Profile and a linked user, the profile of the linked user is the one shared in the Access-Accept response, not the Security Profile.
For example, if you configure an IoT device with
Security Profile: "Whitelist"
Linked user: John Doe, who has the visitor profile "Partner"
then the visitor profile takes priority and the cloudifi-Partner user group is shared for the IoT device in the RADIUS Access-Accept. As a result, when the IoT device connects, it is matched to the cloudifi-Partner group and not to cloudifi-Whitelist, so make sure a FortiGate user group and policy exist for cloudifi-Partner as well.
Once added
- The device is automatically whitelisted.
- It can connect to the SSID without going through the captive portal.
- The session and validity will inherit from the default session duration defined in Admin Console > Policies > Privileges.
Additional Notes
- Any device that attempts to connect to the SSID will be available on the Cloudi-Fi platform.
- You can view unassigned devices and manually assign them to a user to apply relevant policies.
- Different scenarios may occur regarding the shared profile during RADIUS authentication.
- Scenario 1 : A user connects with a device through the captive portal. A session is then initiated on Cloudi-Fi, and the guest profile is assigned to this device (e.g. cloudifi-Guest). If, while this guest session is still active, you whitelist the device in Cloudi-Fi > Network > Device by assigning it a security profile, and then attempt to reconnect the device to the network (after having terminated its session on the Fortinet side), Cloudi-Fi will still share the attribute cloudifi-GuestProfileName (e.g. cloudifi-Guest), because the guest session is still considered active.
- Scenario 2 : If no guest session is currently active, and you add a device in Cloudi-Fi > Network > Device with the Security Profile Whitelist, then reconnect it to the network, Cloudi-Fi will directly share the Security Profile attribute: cloudifi-SecurityProfileName (e.g. cloudifi-Whitelist).
- Scenario 3 : If no guest session is active, and you add a device in Cloudi-Fi > Network > Device with the Security Profile Whitelist and specify a Linked User, Cloudi-Fi will share, for the RADIUS authentication of that device, the guest profile attribute: cloudifi-GuestProfileName (e.g. cloudifi-Guest).
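The exchange from step 4 (MAC address sent as the RADIUS username, custom NAS ID, Access-Accept carrying a user group or Access-Reject for an unknown device) and the profile precedence from the scenarios above, as an added example that is not part of the original page and not Cloudi-Fi's or Fortinet's code. It builds the Access-Request the way a RADIUS client does, answers it from a constructed device table, and verifies the reply the way the NAS should. Assumptions not stated on the page: the MAC is also sent as the User-Password (the usual MAC auth bypass convention), the group name travels in Fortinet's vendor-specific attribute Fortinet-Group-Name (vendor 12356, sub-attribute 1), Cloudi-Fi checks the NAS-Identifier against the location hash, and the secret, hash key and device inventory are made-up sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values; the real secret and location hash come from Cloudi-Fi.
SECRET = b"example-shared-secret"
NAS_ID = "0123456789abcdef"          # stands in for the location hash key set as nas-id
FORTINET_VENDOR_ID = 12356           # Fortinet IANA enterprise number
FORTINET_GROUP_NAME = 1              # Fortinet-Group-Name sub-attribute (assumed carrier)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA, ATTR_NAS_IDENTIFIER = 1, 2, 26, 32

# Constructed device inventory standing in for Cloudi-Fi > Network > Devices.
DEVICES = {
    "00:11:22:33:44:55": {"profile": "Whitelist"},
    "00:11:22:33:44:66": {"profile": "Whitelist", "linked_user_profile": "Partner"},
    "00:11:22:33:44:77": {"profile": "Whitelist", "active_guest_session": "Guest"},
}


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Return (type, value) pairs from a RADIUS attribute list; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + l]))
        i += l
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_mab_request(mac, secret, nas_id, ident=1, authenticator=None):
    """FortiGate side: MAC as User-Name (and User-Password), custom NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, mac.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def group_for(mac):
    """Precedence from the Additional Notes: active guest session, then the linked
    user's visitor profile, then the device Security Profile; unknown device -> None."""
    dev = DEVICES.get(mac.lower())
    if dev is None:
        return None
    return "cloudifi-" + (dev.get("active_guest_session") or dev.get("linked_user_profile") or dev["profile"])


def respond(request, secret):
    """Cloudi-Fi side: check the hidden password and NAS-Identifier, then answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    mac = attrs[ATTR_USER_NAME].decode()
    ok = (hmac.compare_digest(hide_password(mac.encode(), secret, req_auth), attrs[ATTR_USER_PASSWORD])
          and attrs.get(ATTR_NAS_IDENTIFIER) == NAS_ID.encode())
    group = group_for(mac) if ok else None
    if group is None:
        code, body = ACCESS_REJECT, b""
    else:
        sub = struct.pack("!BB", FORTINET_GROUP_NAME, len(group) + 2) + group.encode()
        code, body = ACCESS_ACCEPT, _attr(ATTR_VSA, struct.pack("!I", FORTINET_VENDOR_ID) + sub)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def decode_response(response, request, secret):
    """FortiGate side: verify the Response Authenticator, then extract the group name
    that is matched against the user group's Remote Groups entry."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    for t, v in parse_attrs(body):
        if t == ATTR_VSA and struct.unpack("!I", v[:4])[0] == FORTINET_VENDOR_ID and v[4] == FORTINET_GROUP_NAME:
            return v[6:4 + v[5]].decode()
    return None


def mab_exchange(mac, client_secret=SECRET, server_secret=SECRET):
    """One MAC auth bypass round trip; returns the shared group name, or None on Access-Reject."""
    req = build_mab_request(mac, client_secret, NAS_ID)
    return decode_response(respond(req, server_secret), req, client_secret)


if __name__ == "__main__":
    for mac in sorted(DEVICES.keys() | {"de:ad:be:ef:00:01"}):
        print(mac, "->", mab_exchange(mac) or "Access-Reject")
```

Running it prints cloudifi-Whitelist for the plain whitelisted device, cloudifi-Partner where a linked user overrides the Security Profile, cloudifi-Guest where a guest session is still active, and Access-Reject for the unknown MAC. A secret mismatch shows up as a reject on the Cloudi-Fi side (the hidden password no longer matches) and as a Response Authenticator failure on the FortiGate side, which is the first thing to check when devices unexpectedly land on the captive portal.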