fireon
New Member
August 4, 2023
Solved

Difference between WLAN auth methods

  • August 4, 2023
  • 3 replies
  • 3356 views

Hello all,

I'm using a FortiGate 60E with some FortiAP 433Fs here. The FortiGate is linked to an LDAP and a RADIUS server. WLAN Enterprise WPA2 and WPA3 works with these auth methods:

  • TTLS + PAP
  • TTLS + GTC
  • PEAP + GTC

I have tried to find reasonable info on what the difference is, but have not found it. So my question is: "What is the difference between the methods, and which should I use?"

 

Thanks a lot

Best Regards :)


3 replies

Jean-Philippe_P
Staff & Editor
August 7, 2023

Hello fireon,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
ebilcari
Staff
August 7, 2023

The authentication methods you mentioned are used as part of the EAP protocol, which is an open standard. Some information can be found here: https://docs.fortinet.com/document/fortiauthenticator/6.5.2/administration-guide/125951/extensible-authentication-protocol

There are three participants in this communication: Supplicant (end host) <-> Authenticator (FGT) <-> Auth. Server (RADIUS server). 

The role of the authenticator (FGT/FAP) is just to translate the requests from EAPoL to RADIUS without worrying too much about the method used. Most of the related configurations are done in the Supplicant and the RADIUS server.

dot2x.PNG

The methods have pros and cons: PEAP/MSCHAPv2 is more popular on Windows hosts and EAP-TLS is the most secure; some of them are deprecated.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Limitations-when-using-WPA2-Enterprise-WiFi-with/ta-p/240585

Emirjon
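The three-party exchange ebilcari describes, as an added example that is not from the thread or from Fortinet's code: the authenticator copies the EAP packet out of the EAPOL frame into RADIUS EAP-Message attributes and signs the request with Message-Authenticator (RFC 3579), reading nothing from the EAP payload except the Identity response it needs for User-Name. The sample EAPOL frame, identity and shared secret are constructed for the demo.

```python
"""Added example, not from the thread: an 802.1X authenticator (the FortiGate/FortiAP
in the post) relays the EAP packet from an EAPOL frame into a RADIUS Access-Request
without interpreting the EAP method (IEEE 802.1X framing, RFC 3579 attributes)."""
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET = 0                      # EAPOL packet type 0 = EAP-Packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_ATTR_VALUE = 253                      # attribute length byte also covers the 2-byte header


def eapol_eap_response_identity(eap_id: int, identity: str) -> bytes:
    """Constructed sample: EAPOL frame carrying an EAP Response/Identity from a supplicant."""
    data = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def eap_from_eapol(frame: bytes) -> bytes:
    """Authenticator side: strip the 4-byte EAPOL header and return the EAP packet."""
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"not an EAPOL EAP-Packet (type {ptype})")
    body = frame[4:4 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("truncated EAPOL body")
    eap_len = struct.unpack("!H", body[2:4])[0]
    if not 4 <= eap_len <= body_len:
        raise ValueError("bad EAP length field")
    return body[:eap_len]


def identity_from_eap(eap: bytes):
    """The only EAP content the relay looks at: Response/Identity, copied into User-Name."""
    if eap[0] == EAP_RESPONSE and len(eap) > 5 and eap[4] == EAP_TYPE_IDENTITY:
        return eap[5:].decode(errors="replace")
    return None


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def radius_access_request(eap: bytes, user_name: str, secret: bytes,
                          identifier: int, request_authenticator: bytes) -> bytes:
    """Carry the EAP packet opaquely in EAP-Message chunks; Message-Authenticator is
    HMAC-MD5(secret, whole packet) with its own 16 value bytes zeroed (RFC 3579 3.2)."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    for off in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[off:off + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    header += request_authenticator                   # 16 random bytes in a real NAS
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_radius(packet: bytes, secret: bytes) -> dict:
    """RADIUS server side: verify Message-Authenticator and reassemble the EAP packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length mismatch")
    attrs, eap, ma_off, pos = {}, b"", None, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value                              # fragments concatenate in order
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            ma_off = pos + 2
        else:
            attrs[atype] = value
        pos += alen
    if ma_off is None:
        raise ValueError("Message-Authenticator is mandatory with EAP-Message")
    zeroed = packet[:ma_off] + bytes(16) + packet[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[ma_off:ma_off + 16]):
        raise ValueError("Message-Authenticator check failed")
    return {"code": code, "identifier": identifier,
            "user_name": attrs[ATTR_USER_NAME].decode(), "eap": eap}


def relay_demo(identity: str = "anonymous@example.com",
               secret: bytes = b"constructed-shared-secret") -> dict:
    """Whole hop: supplicant EAPOL frame -> authenticator relay -> RADIUS server parse."""
    eap = eap_from_eapol(eapol_eap_response_identity(1, identity))
    req = radius_access_request(eap, identity_from_eap(eap) or "", secret, 7, os.urandom(16))
    return parse_radius(req, secret)
```

Nothing in the relay branches on the EAP type after the Identity round: TTLS, PEAP or EAP-TLS records all travel as opaque EAP-Message bytes, which is why the method choice is settled between supplicant and RADIUS server and the FortiGate only needs the shared secret and reachability.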
fireon (Author)
New Member
August 11, 2023

I understand, and thanks for the link. So of course it also depends on what the client understands. I thought it also still had an effect on how well and how fast a device can log on.

In principle, if I understand correctly, logging in directly via the FortiGate is not the best idea, since everything has to be transmitted in plain text. But that also means it doesn't matter which of my 3 methods I use. Right?

ebilcari
Staff
Best answer
September 4, 2023

Basically yes, a RADIUS server is always recommended; FortiAuthenticator, for example, can offer a scalable solution. You can aim for the most secure one, EAP-TLS (user certificate based).

Anyway, even if you are using EAP-TTLS/PAP (which passes the traffic in clear text in the inner tunnel), this is still secure because the information is exchanged via the EAP tunnel that encrypts the traffic with TLS. You have to configure the supplicant manually on end devices and be careful to select only the trusted domain and CA to avoid any "honey pot" scenario.

TTLS.PNG

Emirjon
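A way to check the supplicant settings ebilcari's answer calls for, added here and not part of the thread or of any Fortinet tooling: a small linter over wpa_supplicant network blocks that flags tunneled methods (TTLS, PEAP) configured without a pinned CA and server name, because with TTLS/PAP or PEAP/GTC the cleartext password goes to whoever terminates the TLS tunnel, and with PEAP/MSCHAPv2 a rogue server gets a challenge/response it can crack offline. The three network blocks, SSIDs, paths and credentials are constructed samples, not the poster's configuration.

```python
"""Added example, not from the thread: lint wpa_supplicant network blocks for the
"honey pot" conditions described in the answer. With TTLS/PAP or PEAP/GTC the
password crosses the inner tunnel unprotected, so the supplicant must pin the CA
and the server name or a rogue AP with its own RADIUS certificate gets it.
All config below is constructed; SSIDs, paths and the password are made up."""
import re

SAMPLE_CONF = """
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="Summer2023!"
    phase2="auth=PAP"
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"
    identity="jdoe"
    password="Summer2023!"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.example.com"
}
network={
    ssid="corp-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    domain_match="radius.example.com"
}
"""

TUNNELED = {"TTLS", "PEAP", "FAST"}
PLAINTEXT_INNER = {"PAP", "GTC"}                          # the password itself crosses the tunnel
CHALLENGE_INNER = {"MSCHAPV2", "MSCHAP", "CHAP", "MD5"}   # a crackable response crosses it
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(text):
    """Minimal parser for network={ key=value ... } blocks; surrounding quotes are stripped."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets


def inner_method(net):
    """phase2 looks like auth=PAP (TTLS legacy inner) or autheap=MSCHAPV2 (inner EAP)."""
    m = re.search(r"auth(?:eap)?=(\w+)", net.get("phase2", ""))
    return m.group(1).upper() if m else None


def lint(net):
    ssid, eap, inner, findings = net.get("ssid", "?"), net.get("eap", "").upper(), inner_method(net), []
    if eap not in TUNNELED and eap != "TLS":
        return findings
    has_ca = bool(net.get("ca_cert") or net.get("ca_path"))
    has_name = any(k in net for k in SERVER_NAME_KEYS)
    if not has_ca:
        findings.append(f"{ssid}: no ca_cert/ca_path, any server certificate is accepted")
    if not has_name:
        findings.append(f"{ssid}: no domain_match/altsubject_match, any cert from a trusted CA passes")
    if eap in TUNNELED:
        if not (has_ca and has_name) and inner in PLAINTEXT_INNER:
            findings.append(f"{ssid}: {eap}/{inner} carries the password in clear inside the tunnel, "
                            "so a rogue server that terminates the tunnel gets it")
        elif not (has_ca and has_name) and inner in CHALLENGE_INNER:
            findings.append(f"{ssid}: {eap}/{inner} response can be captured and cracked offline")
        if "anonymous_identity" not in net:
            findings.append(f"{ssid}: real username goes out as the outer identity before the tunnel")
    if eap == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        findings.append(f"{ssid}: EAP-TLS without client_cert/private_key")
    return findings


def lint_conf(text):
    """Map each SSID to its list of findings; an empty list means the block passed."""
    return {net.get("ssid", "?"): lint(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in lint_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

The weak TTLS/PAP block reports four findings and both hardened blocks report none; the point is that TTLS/PAP is only as strong as the certificate check in front of it, which is exactly the "trusted domain and CA" caveat in the answer, while EAP-TLS removes the password from the exchange altogether.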
fireon (Author)
New Member
January 20, 2024

Changed to RADIUS and it works perfectly.

ebilcari
Staff
January 22, 2024

I'm glad to hear that, thank you for your feedback.

Emirjon