How to configure 802.1X authentication on Fortinet access points using Cloudi-Fi as the RADIUS provider.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- A Fortinet access point (FortiAP).
- Cloudi-Fi RADIUS IPs and shared secret.
- Access to the Fortinet dashboard.
- Knowledge of your network’s IP addressing scheme.
- Access to your firewall to allow several ports:
| Source | Destination | Port | Protocol | Action | Comment |
| 802.1x subnet | Cloudi-Fi IPs | 1815 | UDP | Allow | RADIUS traffic |
| 802.1x subnet | Any | 80 | TCP | Allow | HTTP traffic |
| 802.1x subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| 802.1x subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Radius information
You will need the RADIUS information (server IPs, shared secret, ports) to proceed with the setup.
| Parameter | Description |
| RADIUS IPs | Provided by Cloudi-Fi |
| Ports | UDP 1815 (Authentication) and 1813 (Accounting) |
| Shared Secret | Obtain via the Cloudi-Fi chatbot or Support team |
You can get the shared secret by asking in the chatbot; Cloudi-Fi’s Support team will then provide you with the necessary information. For example, ask:
"What shared secret is used for the Radius server for 802.1X for Forti?"
Store this confidential information securely, and do not share it publicly.
2. Create the Cloudi-Fi Radius server
Go to the FortiGate administration page > User & Authentication > RADIUS Servers > Create New
- Name: e.g. Cloudi-Fi_Radius_1815_group
- Authentication Method: Default
- IP/Name: the RADIUS IP provided by Cloudi-Fi
- Secret: Provided by the Cloudi-Fi Support team
- Click "OK".
Then edit your Cloudi-Fi RADIUS server via CLI. Execute the following command:
set radius-port 1815
end
Then retrieve the location hash key, which will be used as the NAS ID. In the Admin UI, go to Location, select the desired location, and copy the hash key under Identifier.
Then, in the FortiGate interface, navigate to FortiGate Administration > User & Authentication > RADIUS Servers and edit your Cloudi-Fi RADIUS server via CLI. Execute the following command:
set nas-id-type custom
set nas-id "hash-key_previously_copied"
end
3. Enable the Captive portal in FortiGate WiFi controller
Go to WiFi & Switch Controller > SSIDs > Create New:
General
- Name: e.g. CORP_SSID
- Traffic mode: Tunnel
DHCP Server
- Set your DHCP configuration
WiFi Settings
- General
  - SSID: e.g. CORP_SSID
  - Broadcast SSID: enable
- Security mode settings
  - Security mode settings: WPA3 Enterprise Only
  - Authentication: RADIUS Server (then select the RADIUS server set in 2. Create the Cloudi-Fi Radius server)
- Client MAC Address Filtering
  - RADIUS server: disable
  - Address group policy: disable
- Additional Settings
  - Dynamic VLAN assignment: enable
  - Schedule: always
  - Optional VLAN ID: Set the VLAN used for authenticated 802.1X clients
  - Broadcast suppression: enable (ARPs for known clients, DHCP unicast, DHCP uplink)
  - Quarantine host: enable
- Advanced Settings
  - 802.11k assisted roaming: enable
  - 802.11v assisted roaming: enable
4. Validation
After completing the configuration:
- Connect a test client to the SSID.
- The client should be prompted for 802.1X credentials.
- Successful authentication should appear in both:
  - Fortinet > Dashboard > FortiAP Clients Monitor
  - Cloudi-Fi > Users > Authentications
If authentication fails, verify:
- RADIUS IPs and shared secret match on both sides.
- UDP port 1815 is reachable from the access point.
- The Cloudi-Fi RADIUS service is not blocked by your firewall.
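To see what these checks mean at the packet level, the following Python sketch (an added example, not Cloudi-Fi or Fortinet code) builds the Access-Request that opens an 802.1X login, with the location hash key as NAS-Identifier, and verifies a reply against the shared secret. The function names, the `probe` identity and the constructed offline reply are assumptions made for illustration.

```python
import hashlib, hmac, os, socket, struct

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, nas_id, identity="probe", ident=1):
    """First packet of an 802.1X login: EAP-Response/Identity inside an Access-Request."""
    user = identity.encode()
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user  # EAP Response, type Identity
    attrs = (_attr(1, user) + _attr(32, nas_id.encode())        # User-Name, NAS-Identifier
             + _attr(79, eap) + _attr(80, bytes(16)))           # EAP-Message, zeroed Message-Authenticator
    head = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()  # keyed with the shared secret
    return head + attrs[:-16] + mac

def reply_is_authentic(secret, request, reply):
    """RFC 2865 Response Authenticator: MD5(code|id|length|RequestAuth|attributes|secret)."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
    if not 20 <= length <= len(reply) or reply[1] != request[1]:
        return False
    digest = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return hmac.compare_digest(digest, reply[4:20])

def diagnose(secret, request, reply):
    """Map an exchange onto the checklist above; reply=None means the request timed out."""
    if reply is None:
        return ("no reply: check RADIUS IP, UDP 1815 reachability and firewall; "
                "servers also silently drop requests signed with the wrong secret")
    if not reply_is_authentic(secret, request, reply):
        return "reply fails the authenticator check: shared secret mismatch"
    codes = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return codes.get(reply[0], "unexpected code") + ": transport and shared secret OK"

def probe(server_ip, secret, nas_id, port=1815, timeout=3.0):  # needs network access
    request = build_access_request(secret, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return diagnose(secret, request, reply)

def constructed_reply(secret, request, code=11):
    """Constructed sample for offline use: an attribute-less reply signed with `secret`."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()
```

`probe()` is the only function that touches the network and takes the shared secret as bytes; an authentic `Access-Challenge` or `Access-Reject` both show that the path and the secret are good.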