10-07-2014 09:58 AM
I am trying to come up with a better solution than we currently have in place.
For non-windows we currently have 2 networks, an unsecure one with captive-portal for internet access and a secure one using RADIUS. The unsecure one is wildly unpopular because apps and email will not work through it without intermittantly reauthenticating at the portal. So everyone is using the RADIUS secured one for the iphones/ipads/etc.
We have an external Fortigate firewall with rules that are based on Active Directory groups. The wireless windows machines work great, they authenticate against the RADIUS server as a "domain computer," are granted access, then the user logs in to the domain and the Fortigate (ussing FSSO) recognizes the login and grants the appropriate access through the firewall.
The problem with ipads/iphones/etc. is that they are not authenticating except for the initial RADIUS one to obtain access through the Aruba. When they get to the Fortigate, it has no way of knowing if this is staff or student.
Checking this Airheads Link indicated that a possible solution might be to push out a standard id/pw to the ipads, so they can use the secured network. But everyone has a domain id/password so I don't think that really helps in this case.
I thought another solution might be to use the Aruba to move students and staff onto different subnets
Neither solution grants the granularity or audit-trail that we need. I need to know what account tried to access an inappropriate website. I need to prevent students from accessing sites that staff are allowed to get to.
There must be a best practice for this kind of thing. How are you guys handling it?
Solved! Go to Solution.
10-07-2014 10:20 AM
I haven't ever done it with Fortigate before, but I believe they support using RADIUS accounting to send accounting packets to the fortigate and pass the username. You might put in a ticket with Fortigate and see how to set this up on their side to accept them and then you can simply add it as a radius accounting server under your AAA profile (Configuration -> Security -> Authentication -> AAA Profiles)
10-07-2014 10:27 AM
Take a look here: