This guide provides a comprehensive overview of configuring and managing Guest authentication (via captive portal) and IoT authentication (via MAC-based authentication) using a FortiGate firewall and the Cloudi-Fi platform, on a single SSID. By following the steps outlined in this document, network administrators can ensure secure and efficient connectivity for Guest and IoT devices within their network.
Prerequisites
Before starting, ensure you have deployed the Cloudi-Fi captive portal by following this documentation:
How to set up Cloudi-Fi Captive Portal in FortiOS
1. Create your IOT Security Profile(s)
The Security Profile defines the user group that Cloudi-Fi will share with the FortiGate firewall during RADIUS authentication of the IoT device (in the Access-Accept reply).
The shared user group follows the format cloudifi-SecurityProfileName. For example, a Security Profile named "Whitelist" results in the user group cloudifi-Whitelist being shared with FortiGate.
Security Profiles are particularly useful for creating Fortigate policies tailored to the different IoT profiles present on your network. For example, you could create a Security Profile dedicated to printers, and on the Fortigate side, allow access only to specific ports or destinations for that profile.
Go to your Cloudi-Fi Admin Console, navigate to Network > Security Profiles and select "Add profile". Fill in:
- Name (e.g. Whitelist)
- Location (e.g. All)
- Description
- Type: Whitelist
By default, for an unknown IoT device (i.e. one that has never connected to the Cloudi-Fi solution and has not been added to the Whitelist), the Cloudi-Fi RADIUS server returns an Access-Reject to FortiGate.
2. Create the IOT User Group(s)
Go to the FortiGate administration page > User & Authentication > User Groups > Create New and set:
- Name (e.g. cloudifi-Whitelist)
- Type: Firewall
- Remote Groups: Add Cloudi-Fi_Radius_Srv
- Group Name (e.g. cloudifi-Whitelist)
A User Group is created to map the RADIUS server as a source of authenticated users. User groups act as a bridge between the authentication mechanism and the firewall rules. By linking the RADIUS server to a user group, you can define what authenticated users are allowed to do post-authentication.
Next, retrieve the location hash key, which will be used as the NAS-ID. In the Admin Console, go to Location, select the desired location, and copy the hash key shown under Identifier.
Then, in the FortiGate CLI, edit your Cloudi-Fi RADIUS server object (config user radius > edit Cloudi-Fi_Radius_Srv, the server created under User & Authentication > RADIUS Servers) and execute the following commands, replacing the placeholder with the hash key you copied:
set nas-id-type custom
set nas-id "<hash-key_previously_copied>"
end
3. Fortigate interface configuration
Go to Network > Interfaces and edit the VLAN interface on which you already deployed the Cloudi-Fi captive portal (see Prerequisites).
Then edit the interface in the CLI and execute the following to enable MAC-based authentication on this interface:
config system interface
edit "<your VLAN interface>"
set security-mac-auth-bypass enable
end
With this enabled, when a client attempts to connect, FortiGate sends a RADIUS authentication request to Cloudi-Fi (configured as the RADIUS server) using the endpoint's MAC address as the username.
4. Configure the security policy
To finalize the configuration, you must create security rules that allow an unauthenticated user to access the captive portal and give whitelisted devices the access defined by their Security Profile.
Go to the FortiGate administration page > Policy & Objects > Firewall Policy and create the rule(s) below, in the order shown:
- Name: Whitelist
- Incoming interface: your VLAN interface
- Source: your VLAN address
- User/Group: the IoT user group created in step 2 (e.g. cloudifi-Whitelist)
- Destination: define and allow only the destination IPs required by devices configured with the Whitelist Security Profile in Cloudi-Fi (see 1. Create your IOT Security Profile(s)).
- Service: define and allow only the service(s) required by devices configured with the Whitelist Security Profile in Cloudi-Fi (see 1. Create your IOT Security Profile(s)).
- NAT: Optional, depending on your configuration.
5. Add and Register IoT Devices in Cloudi-Fi
Go to your Cloudi-Fi Admin Console and navigate to Network > Devices.
Then, click Add Device and enter the following:
In Network:
- Device Name (e.g., SmartPrinter-001)
- MAC Address of the device
- Security Profile (e.g. Whitelist)
In Identification:
- Device type
- Linked user
For an IoT device, if you assign both a Security Profile and a Linked user, the visitor profile of the linked user is the one shared in the Access-Accept response.
For example, if you configure an IoT device with:
- Security Profile: "Whitelist"
- Linked user: John Doe, who has the visitor profile "Partner"
In this case the visitor profile takes priority, and the cloudifi-Partner user group is shared for the IoT device in the RADIUS Access-Accept response. As a result, when the IoT device connects, it is matched to the cloudifi-Partner group and not to the group of its own Security Profile (cloudifi-Whitelist).
Once added:
- The device is automatically whitelisted.
- It can connect to the SSID without a captive portal.
- The session and validity will inherit from the default session duration defined in Admin Console > Policies > Privileges.
Additional Notes
- Any device that attempts to connect to the SSID will be available on the Cloudi-Fi platform.
- You can view unassigned devices and manually assign them to a user to apply relevant policies.
- Different scenarios may occur regarding which profile is shared during RADIUS authentication:
- Scenario 1: A user connects with a device through the captive portal. A session is then initiated on Cloudi-Fi, and the guest profile is assigned to this device (e.g. cloudifi-Guest). If, while this guest session is still active, you whitelist the device in Cloudi-Fi > Network > Devices by assigning it a Security Profile, and then reconnect the device to the network (after having terminated its session on the Fortinet side), Cloudi-Fi will still share the attribute cloudifi-GuestProfileName (e.g. cloudifi-Guest), because the guest session is still considered active.
- Scenario 2: If no guest session is currently active, and you add a device in Cloudi-Fi > Network > Devices with the Security Profile Whitelist, then reconnect it to the network, Cloudi-Fi will directly share the Security Profile attribute cloudifi-SecurityProfileName (e.g. cloudifi-Whitelist).
- Scenario 3: If no guest session is active, and you add a device in Cloudi-Fi > Network > Devices with the Security Profile Whitelist and specify a Linked user, Cloudi-Fi will share, for the RADIUS authentication of that device, the guest profile attribute cloudifi-GuestProfileName (e.g. cloudifi-Guest).
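The precedence between an active guest session, a linked user's visitor profile and the device's own Security Profile (section 5 and the three scenarios above), modelled as an added example that is not part of this guide or of Cloudi-Fi's code. The device records, MAC addresses and session state are constructed, and since the guide does not name the RADIUS attribute that carries the group, the model returns only the group string; the rule for a registered device with neither profile nor linked user is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Device:
    mac: str                                    # a device under Cloudi-Fi > Network > Devices (section 5)
    security_profile: Optional[str] = None      # e.g. "Whitelist"
    linked_user_profile: Optional[str] = None   # visitor profile of the Linked user, e.g. "Partner"

@dataclass
class Tenant:
    devices: Dict[str, Device] = field(default_factory=dict)
    guest_sessions: Dict[str, str] = field(default_factory=dict)  # mac -> active guest profile

def normalize_mac(user_name: str) -> str:
    """FortiGate sends the endpoint MAC as RADIUS User-Name; accept aa:bb.., aa-bb.., aabb.. forms."""
    digits = "".join(c for c in user_name.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {user_name!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def radius_reply(tenant: Tenant, user_name: str) -> Tuple[str, Optional[str]]:
    """Return (RADIUS code, user-group value) for one MAC-based authentication request."""
    mac = normalize_mac(user_name)
    # Scenario 1: an active guest session wins, even if the device was whitelisted meanwhile.
    if mac in tenant.guest_sessions:
        return "Access-Accept", f"cloudifi-{tenant.guest_sessions[mac]}"
    device = tenant.devices.get(mac)
    if device is None:                          # unknown device: Access-Reject (section 1)
        return "Access-Reject", None
    # Scenario 3 / section 5: a Linked user's visitor profile beats the Security Profile.
    if device.linked_user_profile:
        return "Access-Accept", f"cloudifi-{device.linked_user_profile}"
    if device.security_profile:                 # Scenario 2: the Security Profile itself
        return "Access-Accept", f"cloudifi-{device.security_profile}"
    return "Access-Reject", None                # assumption: registered without any profile

def run_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed sample data reproducing the three scenarios plus an unknown device."""
    t = Tenant()
    t.devices["00:11:22:33:44:01"] = Device("00:11:22:33:44:01", security_profile="Whitelist")
    t.guest_sessions["00:11:22:33:44:01"] = "Guest"   # scenario 1: guest session still active
    t.devices["00:11:22:33:44:02"] = Device("00:11:22:33:44:02", security_profile="Whitelist")
    t.devices["00:11:22:33:44:03"] = Device("00:11:22:33:44:03", "Whitelist", "Partner")
    return {
        "scenario1": radius_reply(t, "00-11-22-33-44-01"),   # dashed User-Name notation
        "scenario2": radius_reply(t, "001122334402"),        # bare hex notation
        "scenario3": radius_reply(t, "00:11:22:33:44:03"),
        "unknown": radius_reply(t, "00:11:22:33:44:FF"),
    }
```

Running run_scenarios() shows that only scenario 2 yields the group of the Security Profile itself, which is why a device whitelisted while its guest session is still active keeps matching the guest policy on FortiGate until that session expires.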