FortiAuthenticator 802.1X with already issued certificates

Question

Hello,Our customer would like to use FortiAuthenticator for 802.1X computer authentication. They have a certificate authority and certificates are issued to the client workstations. 802.1X is not implemeted yet.The customer has FortiAuthenticator for SSLVPN mobile token authentication.Now, we want to use the FortiAuthenticator 802.1X EAP-TLS feature for the computer authentication. Is it possible to use it for this? Or the FortiAuthenticator has to be the issuer of the certificates?In the documentation I can see the following: For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication > User Management > Local Users (see Local users) and.... Does it mean that if there is existing CA in the network the issued user certificates has to be imported into the FortiAuthenticator?I think it is nonsense as the Issuer, validity and CRLs etc. are checked to verify the conputer...no client certificate is needed to verify the client certifiate.

abelio · Answer

Hello AttilaAtiT wrote: Now, we want to use the FortiAuthenticator 802.1X EAP-TLS feature for the computer authentication.Is it possible to use it for this?Yes; indeed, FAC has all you need to deploy EAP-TLS: it can be a CA, a RADIUS server , SCEP server, self-enrollment, etc  Or the FortiAuthenticator has to be the issuer of the certificates? Not necessarily, but it helps a lot in the daily administration. In the documentation I can see the following: For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication > User Management > Local Users (see Local users) and.... Does it mean that if there is existing CA in the network the issued user certificates has to be imported into the FortiAuthenticator?I think it is nonsense as the Issuer, validity and CRLs etc. are checked to verify the conputer...no client certificate is needed to verify the client certifiate.  If you or your customer already have his own pki or a CA for generation of certificates, you can import that into the FAC as trusted CA (Certificate Authorities > Trusted CAs > Import); with that CA you could sign an intermediate CA. FAC will be that intermediate local CA (Certificate Authorities > Local CAs > Create New) Certificates for client and server are required for EAP-TLS , so you can accomplish the required  binding user<->certificate after creating a local server certificate (Certificate Management > End Entities > Local Services >Create New)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded