Skip to main content
mdeparisse_FTNT
Staff
mdeparisse_FTNT
Staff
January 4, 2017

Technical Note: EAP TLS wireless LAN deployment on Android using FortiGate and Windows server 2008

  • January 4, 2017
  • 0 replies
  • 12878 views
Purpose
This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.  It introduces the EAP-TLS architecture and discusses deployment steps.

Scope
Authenticated wireless access design based on Extensible Authentication Protocol – Transport Level Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients.  EAP-TLS provides stronger security than secure password authentication that is based on user credentials (user name and password) to authenticate wireless access clients.

Diagram
mdeparisse_FD40058_tn_FD40058-1.jpg

Expectations, Requirements
Ability to achieve a secure reliable and convenient environment for the end user as they do not need to enter any username or password.

Configuration


  • Server side configuration

Configure the radius client on the server:


mdeparisse_FD40058_configured_fortigate_radius_client.png

Connection request Policy “Overview”:


mdeparisse_FD40058_connection request policy.png

Configure the connection request Policy conditions:


mdeparisse_FD40058_connection request policies condition.png


Configure the connection request Policy Settings

mdeparisse_FD40058_authentication on this server.png


Network policies Overview:


mdeparisse_FD40058_Network Policies.png


Configure the connection Networks Policy Conditions


mdeparisse_FD40058_Network Policies Condition.png


Configure the Networks Policy Constraints

mdeparisse_FD40058_Constraints Network Policy.png


Configure the Networks Policy settings:


mdeparisse_FD40058_Network Policy Settings1.png


Configure the Networks Policy VSA (vendor ID 12356)

mdeparisse_FD40058_radius network policy VSA.png



  • FortiGate :

Configure the radius server on the FortiGate

mdeparisse_FD40058_fortigate_radius_srv.png

Test the connection (be aware that you are testing radius connectivity and not the user authentication so you can type anything)

mdeparisse_FD40058_fortigate_radius_test_connectivity.png

mdeparisse_FD40058_succesful_fortigate_to_srv_radius_connection.png


As you can see you may have a success but in the event log of the server you can also see an authentication failure which will also result on a success window on FortiGate as this is only radius connectivity validation

mdeparisse_FD40058_example of autehntication failure.png


Configure Wireless SSID (one ”secure_cert_srv_access” wpa2_psk or wpa_PEAP ent for secure access to the certificate server and one “EAP TLS” secure access)


mdeparisse_FD40058_wifi_secure_access_to_cert_srv.png


mdeparisse_FD40058_EAP_TLS_SSID.png


mdeparisse_FD40058_propagate_wireless_lan_srv.png


Allow the connection from wireless to the remote cert server using the FortiGate Policies:

mdeparisse_FD40058_wpa2_allowed_policy.png


Create the EAP-TLS Policy. Here you can also use as a source the eaptls group that is sent by the server through the VSA.


mdeparisse_FD40058_eap_tls_allowed_policy.png



Connect the client to the “secure_cert_srv_access” SSID


mdeparisse_FD40058_client_secure_wpa2_connection.png

Connect to your certificate authority using the username credential and use the following process for User cert and ROOT CA download and install.

http://<ip of the cert srv>/certsrv

http://10.5.57.106/certsrv in the this example

mdeparisse_FD40058_login to cert srv.png


mdeparisse_FD40058_user cert request.png


mdeparisse_FD40058_user cert link.png


mdeparisse_FD40058_size of the cert choice page.png


mdeparisse_FD40058_insatll.png


mdeparisse_FD40058_type of cert.png


mdeparisse_FD40058_eap_tls.png



mdeparisse_FD40058_eap_tls2.png



  •  On the FortiGate you will see the user logged in

     Wireless Client Monitor

mdeparisse_FD40058_wireless_user.png




Alternative way of cert deployment

 

In some cases the import of the user certificate might not work properly

If not, it is advised to generate the certificate on a PC and export it to the smartphone

First open Firefox browser (advices one for the external cert repository) 

mdeparisse_FD40058_certgenerate.png


Click to select user certificate

mdeparisse_FD40058_user_type_cert.png

Select the Grade of the certificate.


mdeparisse_FD40058_certificate grade.png


Personal certificate installation confirmation


mdeparisse_FD40058_certificate install succesful.png


Go inside the cert repository and export the newly installed certificate

mdeparisse_FD40058_export of the certificate.png


Export password

mdeparisse_FD40058_password of the cert export.png


Inject the certificate in the SD of the smartphone

mdeparisse_FD40058_copy to the smarpthone SD.png


Select the file manager app in your smartphone


mdeparisse_FD40058_myfile.png


mdeparisse_FD40058_click to import in the local smartphone rep.png

certificate install success



mdeparisse_FD40058_wifi installed.png


Select the name of the certificate and the usage

mdeparisse_FD40058_wifi cert import in smartphone.png







Verification
A successful connection verification can be seen using the CLI:
# diagnose wireless-controller wlac -d sta
vf=0 wtp=2 rId=2 wlan=EAP_TLS vlan_id=0 ip=2.3.4.7 mac=x:y:z:a:b:c:d vci= host=iPhone user=wifi@bond.wifilab.net group=eaptlsgrp signal=-48 noise=-95 idle=18 bw=0 use=4 chan=60 radio_type=11AC security=wpa2_only_enterprise encrypt=aes cp_authed=no online=yes mimo=2

Troubleshooting
If there are issues they are most likely to be on the server side.

The starting point may be to reinstall the Network policies as well as the Connection request policies.  The following article from Microsoft may be of help https://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx

Terms & ConditionsAccessibility statement