achraf_harkati
New Member
November 29, 2017
Question

Fortiauthenticator : SCEP Issue


Hi All,


I'm wondering if anyone has used FortiAuthenticator to perform BYOD?

I'm testing FAC 5.1.2 in a lab environment to authenticate WiFi users using EAP-TLS. The FAC has a CA certificate configured (signed by a Win2016 root CA), and I'm stuck at getting devices self-enrolled to obtain a certificate that they can use for EAP-TLS.

I've enabled Device Self-enrollment using the CA Certificate Template (SCEP request is configured using Wildcard).

At the moment, I'm unable to enroll a client device on the URL https://FAC-IP/cert/scep. I'm getting the following error in the browser: "operation" parameter is required


I've also tried http (enabled http on the Interface) instead of https and keep getting the same error.


Has anyone faced the same problem before?

Has anyone successfully got device self-enrollment working on FAC using SCEP?

Does FAC provide an onboarding portal similar to other products such as Aruba ClearPass?


Your help will be very much appreciated.


Achraf.


    xsilver_FTNT
    Staff
    December 1, 2017

    Hi,


    "At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required"


    That's because the URL is not intended to be used for human interaction and manual enrollment.

    It is for SCEP enrollment (a PKCS-packed CSR [Certificate Signing Request] is expected as input), therefore you are getting that error because your GET did not carry the appropriate data.

    If you do, for example, new cert generation via CSR and choose SCEP as the signing method from FGT, then it will send PKCS-encrypted data to FAC via this URL (which you have to specify in FGT).

    Then FAC will check the CSR against the SCEP Enrolment Request rules and process it accordingly (auto-enroll / wait for admin enrollment / reject, basically).


    Kind regards,

    Tomas

    achraf_harkati
    New Member
    December 1, 2017

    Thanks, Tomas, for the clarifications.

    I confirm FGT can make SCEP requests using that URL, and it works fine since a CSR is included with the request.

    My goal is to have this certificate installed on a user laptop and use it for EAP-TLS authentication. When I create a user certificate and install it manually on a user laptop, everything (EAP-TLS auth) works fine as well.

    Now, does FAC provide a portal that I can have users go to and make a certificate request that they can use for EAP-TLS?

    If yes, do you have the URL ?

    If not, what is the purpose of the claimed "Device Self-Registration"? All Fortinet documentation outlines the steps to configure "Device Self-Registration" but does not go further and explain how we can take advantage of this feature from a user perspective. Note that the FAC documentation explains the Guest "User Self-Registration" steps very well.

    Bottom line, can we do BYOD Device Onboarding like other vendors do?


    Thanks again for your help.

    Regards.


    Achraf.


    tedauction
    New Member
    June 18, 2019

    I am also looking for an answer on this.

    Specifically, has anyone got FAC SCEP working with Google MDM?

    vraev
    Staff
    April 19, 2023
    80211WiGuy
    Explorer III
    March 14, 2024

    Hi VR,

    We're trying to get this working with our MDM solution, which supports real CSR/SCEP requests. You can even test this by creating individual templates with Apple Configurator to build .mobileconfig files for testing before trying to automate it with MDM.


    The self-service portal introduces a vulnerability where, once the user downloads the profile, they're free to install that profile on any device they wish. We want full control over the certificate deployment, which is why we're trying to implement this with SCEP.


    Are there any guides on how to do this solely on FAC? All I seem to find are guides referencing Azure or Google.

    vraev
    Staff
    March 14, 2024
    rubh3n
    New Member
    March 4, 2025

    We are also looking at FAC to provide a portal that BYOD users can access to request a certificate that they can use for IPsec VPN.


    Has the "Device Self-Registration" feature been updated since 2017?