How-To: Enable RADIUS with Entra ID Authentication in Fortinet

RADIUS is a protocol that provides Authentication, Authorization, and Accounting (AAA) for networks. This guide will walk you through the steps to enable RADIUS in Fortinet devices.

Fortinet provides documentation on how to set up RADIUS on their website, which you can refer to for additional CLI commands and configuration options. This guide provides a basic overview of the steps involved in setting up RADIUS authentication with Fortinet devices.

Prerequisites for Setting Up RADIUS Authentication With Fortinet

  1. You have registered the Keytos Entra ID applications in your tenant
  2. You have an active EZRADIUS plan
  3. You are an Owner or Network Administrator on your plan
  4. You have created a Cloud RADIUS Network Policy with your public IP address registered

Introduction - How RADIUS Authentication Works in FortiGate FortiOS and EZRADIUS

For your Fortinet network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. This guide will show you how to enable RADIUS authentication in WPA-Enterprise with Fortinet and EZRADIUS.

What are the Different Types of Entra ID Authentication for Network?

When using Entra ID for network authentication, you can choose between two types of authentication: EAP-TLS (Certificate Based Authentication) and EAP-TTLS (Password Based Authentication). EAP-TLS is the most secure and convenient method, as it uses certificates to authenticate users, meaning that the user does not have to enter their password or take any other action. If you are using an MDM, you can use it to distribute the certificates to users and set up automatic WiFi authentication. EAP-TTLS is a password-based authentication method that allows your users to authenticate with their Entra ID username and password (Note: you might have to make some changes to enable EAP-TTLS with Entra ID).

How to Enable RADIUS Authentication in WPA-Enterprise In Your Fortinet Network - Step by Step

  1. Begin in your Fortinet admin console.

  2. In the left-hand menu, expand User & Device and select RADIUS Servers.

  3. Click the + Create New button to add a new RADIUS server.

  4. In the first section, enter the following details:

    • Name: Enter a name for the RADIUS server (e.g., “EZRADIUS”).
    • Authentication method: Leave as Default.
    • NAS IP: Leave blank. It will automatically use the IP of the RADIUS server below.
    • Include in every user group: Leave unchecked.
  5. In your EZRADIUS portal, navigate to Policies and copy the IP address of your RADIUS server which is closest to your location.

  6. Still in EZRADIUS, scroll down to your Policy and copy the Shared Secret for your IP address.

  7. Back in your Fortinet admin console, enter the following details in the RADIUS server configuration:

    • IP/Name: Paste the RADIUS server IP address you copied from the EZRADIUS portal.
    • Secret: Paste the Shared Secret you copied from the EZRADIUS portal.
  8. Click Test Connectivity to ensure the Fortinet device can communicate with the RADIUS server.

  9. Repeat the previous steps to add and test a Secondary Server using another geography from the EZRADIUS portal for redundancy.

  10. Click OK to save the RADIUS server configuration.

  11. Next, expand WiFi & Switch Controller and select SSIDs.

  12. Select your SSID and click Edit.

  13. Under Security Mode Settings:

    • Set Security Mode to WPA3-Enterprise Only or WPA2-Enterprise depending on your requirements.
    • For Authentication, select RADIUS Server and choose the RADIUS server you created earlier from the dropdown menu.
  14. Click OK to save the SSID configuration.

  15. Wait for the Fortinet device to apply the changes. Your Fortinet network should now be configured to use RADIUS authentication with Entra ID via EZRADIUS.
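
To review the result of the steps above outside the GUI, the check below reads a FortiOS configuration backup and flags RADIUS servers without a secondary server and SSIDs that are not bound to a defined RADIUS server. It is an added example, not code from Keytos or Fortinet; the sample configuration is constructed, and the key names (server, secondary-server, security, auth, radius-server) are assumed to match how FortiOS writes these GUI settings in a backup.

```python
import shlex

# Constructed FortiOS backup excerpt (RFC 5737 addresses, secrets left out).
SAMPLE = """config user radius
    edit "EZRADIUS"
        set server "192.0.2.10"
        set secondary-server "198.51.100.10"
    next
    edit "LAB"
        set server "192.0.2.20"
    next
end
config wireless-controller vap
    edit "corp"
        set security wpa3-only-enterprise
        set auth radius
        set radius-server "EZRADIUS"
    next
    edit "legacy"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "OLD"
    next
end"""

def parse_tables(text):
    """Map each top-level table to {entry: {key: value}}; nested tables are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):  # single-line values only
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text):
    t = parse_tables(text)
    radius = t.get("user radius", {})
    out = [f"radius {n}: no secondary-server" for n, s in radius.items() if "secondary-server" not in s]
    for n, v in t.get("wireless-controller vap", {}).items():
        if v.get("auth") != "radius" or v.get("radius-server") not in radius:
            out.append(f"ssid {n}: not bound to a defined RADIUS server")
    return out
```

Calling audit(SAMPLE) reports the LAB server (no secondary configured, step 9) and the legacy SSID (its RADIUS server name does not exist, step 13).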

How to Connect Your Devices to the Fortinet Network

Now that you have set up your Fortinet network with RADIUS authentication, you can connect your devices to your network using Entra ID by either using EAP-TLS (certificates) or EAP-TTLS (Entra Username/Password).

How to Connect Devices to Fortinet Network with Entra ID Authentication

If you are using EAP-TLS certificates, you can use an MDM to distribute the certificates to your devices via SCEP.

Set up MDM to distribute certificates and WiFi profiles →

If you are using EAP-TTLS with passwords, you may have to set up your device for EAP-TTLS PAP authentication to be able to test your network using your Entra ID username and password.

How to Connect Devices to Fortinet Network with Certificate Authentication

If you are using EAP-TTLS with passwords, you may have to set up your device for EAP-TTLS PAP authentication to be able to test your network using your Entra ID username and password. You can also use an MDM to push WiFi profiles to your devices.

Set up MDM to distribute WiFi profiles →

Versions Tested

This guide was tested with the following versions of Fortinet FortiOS firmware:

  • ✅ 7.6.4