This guide describes how to set up and test your environment so you can use it with Cloud4Wi Passpoint solutions.
Log in to the FortiGate Dashboard
To start the configuration process, log in to the FortiGate Dashboard as admin. For existing environments with additional users, log in as a user with administrative privileges.
The FortiGate Dashboard appears. Your access points are displayed in the Security Fabric section.
Note: There are a number of options you can set. Only the options that require your input are shown. Default values are used for options that don’t need adjustment.
Configure the wireless LAN
To configure the wireless LAN, you create a new SSID for Cloud4Wi, a RADIUS server, and an IPv4 policy.
Create an SSID
- Select Wifi & Switch Controller and then SSID in the menu bar on the left of the Dashboard.
- Click +Create New at the top left and select SSID.
The New SSID page appears.
Define the SSID interface
When you create an SSID, you’re creating a software interface and allowing traffic on that interface. Before creating the SSID, you define the interface for it.
- Enter an Interface Name, such as “Cloud4Wi”.
Alias is optional.
- For Type, select WiFi SSID.
- For Traffic Mode, select the traffic mode that’s appropriate for your network.
Set the IP address
Enter the IP address and network mask for the SSID interface.
Define network access
Select HTTPS, HTTP, and RADIUS Accounting. You can select additional options, such as SSH, as appropriate for your network.
Supply DHCP server information
Enter DHCP information that’s appropriate for your network.
Describe WiFi settings and add a RADIUS authentication server
The RADIUS server information you add here is for the RADIUS authentication server. You’ll add RADIUS accounting server information later when you configure Hotspot 2.0.
- Enter the name of your SSID, such as “Cloud4Wi Secure WiFi”.
- Change Security Mode to WPA3 Enterprise. (WPA Personal is the default.)
- For Authentication, select RADIUS Server.
- Click ⌄ below RADIUS Server.
- Click + to add a RADIUS server.
The New RADIUS Server page appears.
- Enter a Name, such as “Cloud4Wi RADIUS”.
- For the Primary Server, enter the IP address of the Primary RADIUS Server: 52.48.102.108
- For Secret, enter the secret communicated by Cloud4Wi team.
Note: Don’t test connectivity at this point. To successfully test connectivity, you need a complete IPv4 policy to allow traffic on the interface.
- In the Secondary Server section, enter the IP address fo the Secondary RADIUS server 34.252.97.217. For Secret, enter the secret communicated by Cloud4Wi team.
- Click OK at the bottom of the New RADIUS Server page.
You return to the New SSID page.
-
Select the RADIUS server you added.
- Click OK at the bottom of the New SSID page to save your SSID configuration.
Configure an IPv4 Policy
Add an IPv4 allow policy on the FortiGate wireless LAN controller to allow traffic from the SSID to reach the Internet.
- Select Policy & Objects and then IPv4 Policy in the menu bar on the left of the Dashboard.
- Click +Create New at the top left.
The New Policy page appears.
- Enter a Name for this policy, such as “Cloud4wi_policy”.
- For Incoming Interface, enter the name of the SSID interface you created, “Cloud4Wi”.
- For Outgoing Interface, enter the name of the Interface in your network that routes traffic to the Internet.
- For Source, enter the IP address range from which you want to allow incoming traffic. Or select all to allow incoming traffic from any IP address.
- For Destination, select all to send outgoing traffic to any IP address unless you have blacklisted subnets.
- For Schedule, select always.
- For Service, select ALL.
- For Action, select ACCEPT.
- Click OK at the bottom of the page to save your configuration.
Configure Hotspot 2.0
Hotspot 2.0 allows mobile devices to join a WiFi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.
You configure Hotspot 2.0 using a command line interface (CLI). Access the CLI by launching a terminal session or selecting > _ CLI Console at the top right of the Dashboard.
Configure ANQP Parameters
Access Network Query Protocol (ANQP) provides a range of information, such as IP address type and availability, and roaming partners accessible through a hotspot.
-
Set the ANQP IP address type as appropriate for your network. This example shows a single NATed network.
config wireless-controller hotspot20 anqp-ip-address-type edit "Fortinet_Address_type" set ipv4-address-type single-NATed-private next end -
Configure the ANQP NAI realm and EAP authentication.
In the command below, replace the nai-realm with the Network Domain value shown on the Cloud4Wi Passpoint Setting page (such as "companyname.securewifi.com")config wireless-controller hotspot20 anqp-nai-realm edit "Fortinet_NAI_Realm" config nai-list edit "Fortinet_NAI_List" set nai-realm "companyname.securewifi.com" config eap-method edit 1 set method eap-ttls config auth-param edit 1 set id non-eap-inner-auth set val non-eap-mschapv2 next end next end next end next end
-
Configure the ANQP venue name.
config wireless-controller hotspot20 anqp-venue-name edit "Fortinet_Venue" config value-list edit 1 set value "English" next end next end -
Use the show command to verify the configuration. The output should look similar to this example.
config wireless-controller hotspot20 anqp-ip-address-type show edit "Fortinet_Address_type" set ipv4-address-type single-NATed-private next end
config wireless-controller hotspot20 anqp-nai-realm
show
edit "Fortinet_NAI_Realm"
config nai-list
edit "Fortinet_NAI_List"
set nai-realm "companyname.securewifi.io"
config eap-method
edit 1
set method eap-ttls
config auth-param
edit 1
set id non-eap-inner-auth
set val non-eap-mschapv2
next
end
next
end
next
end
next
end
config wireless-controller hotspot20 anqp-venue-name
show
edit "Fortinet_Venue"
config value-list
edit 1
set value “English”
next
end
next
end
Configure a RADIUS accounting server
-
Configure a RADIUS accounting server.
config accounting-server edit 1 set status enable set server 52.48.102.108 set secret <secret shared by Cloud4Wi> next end -
Use the show command to verify the configuration. The output should look similar to this example. Notice that the secret is encrypted.
config accounting-server show edit 1 set status enable set server 52.48.102.108 set secret ENC z5gPzMA7L1SCl/hJoHeqrLOQSrNCO1o84TOOooHU6pxBEdhM1EGdJ1wshUY0rrVbNuKQzBHWy+09kTw3/JrFdMKAEromDAYxJ2NlGkzv9HT2ti8c9nJ+a6bUpFSzsJRh5pAY/ar9br6XIxZbvJfXpW/EN5eY4kw5Mn8ew0xV/ogejLEy+34oGuBCL38JP4YXuggeDw== next end
Configure the Hotspot 2.0 profile
You attach the ANQP parameters and SSID to the Hotspot 2.0 profile.
-
Attach the ANQP parameters to the Hotspot 2.0 profile.
config wireless-controller hotspot20 hs-profile edit "Hotspot" set domain-name "companyname.securewifi.io" set nai-realm "Fortinet_NAI_Realm" set ip-addr-type "Fortinet_Address_type" next end -
Attach the Hotspot 2.0 profile to the SSID.
config wireless-controller vap edit "Cloud4Wi" set hotspot20-profile "Hotspot" next end -
Use the show command to verify the configuration. The output should look similar to this example.
config wireless-controller vap show edit "Cloud4Wi" set vdom "root" set ssid "Cloud4Wi Secure WiFi" set security wpa3-only-enterprise set auth radius set radius-server "Cloud4Wi RADIUS" set schedule "always" set hotspot20-profile "Hotspot" next end