tommygunn (New Member), February 17, 2016

Question: FortiAuthenticator Windows 7 certificates
I have been banging my head against a wall for days now with this problem. I am doing testing with a view to a rollout; the problem I have is that I want wireless users to authenticate to FAC and then to AD. I have a FortiGate linked to a FAP, which is then linked to the FAC using RADIUS, which in turn interrogates AD using LDAP. Phones, Macs and other devices can authenticate using AD credentials. The problem is that the majority of PCs are Windows 7 devices, which will not authenticate. As far as I can see there is a certificate issue; I have tried importing FAC certificates to the Windows machines, but with no resolution.

I have been running round in circles trying to resolve this. Please can someone shed any light on this? Is this a common problem?

    1 reply

    xsilver_FTNT (Staff), February 17, 2016

    Hello tommygunn,

    I guess that your issue might be caused by an issue in W7 being unable to use WPA2.

    It needs to be manually reconfigured.

    See http://docs.fortinet.com/uploaded/files/1045/fortigate-wireless-40-mr3.pdf, especially from page 56, "Windows 7 client".

    Best regards, Tomas

    tommygunn (Author, New Member), February 17, 2016

    Hi Tomas,

    Thanks for the reply, I do appreciate it. I wish it were that easy. During the sign-on process with Windows devices I get a pop-up with a choice of two internal certificates, neither of which works. On other, non-Windows devices you just need to accept the certificate pushed down from the FortiGate, after which you connect with no problem. But for some reason Windows doesn't give you that pop-up and instead looks internally for a certificate. Driving me insane at the moment. Not sure if it's something I have done or some kind of Windows certificate issue.

    Thanks

    Thomas

    xsilver_FTNT (Staff), February 17, 2016

    What about creating a local CA on FAC (it's one of its designed purposes), using that CA cert to create the WPA (EAP-TLS/PEAP etc.) cert + config on FAC, and using the same CA to make a client/user cert => export that from FAC and import it into the test workstation's cert store on Windows. Also import the FAC CA cert there (on the workstation) into the trusted root CA certs. Similar to the SSL VPN cert-based auth scenario.

    Then retest whether that user cert is one of those proposed for the user during the WiFi bind.
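The Windows native 802.1X supplicant behaves differently from the Apple and Android supplicants mentioned earlier in the thread: with server validation enabled (the default) it does not offer to accept an unknown certificate at connect time. The EAP server certificate must chain to a root in the machine's Trusted Root store and must carry the Server Authentication EKU, and for EAP-TLS the user certificate must be in the user's Personal store with its private key and the Client Authentication EKU. The script below is an added example, not from this thread or from Fortinet, that performs the import steps of the reply above and then prints the checks the supplicant would otherwise fail silently. The file names, the PFX password and the assumption that the EAP server certificate was exported from FAC as a .cer file are all constructed for the example; it uses only .NET X509 classes, so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread): stage the FAC-issued certificates on a Windows 7
# client and check what the native 802.1X supplicant will see. Run from an elevated prompt.
param(
    [string]$CaFile      = "C:\certs\fac-ca.cer",         # assumed: FAC local CA, exported from FAC
    [string]$PfxFile     = "C:\certs\user.pfx",           # assumed: user cert + key, exported from FAC
    [string]$PfxPassword = "changeit",                    # constructed placeholder
    [string]$ServerCert  = "C:\certs\radius-server.cer"   # assumed: EAP server cert FAC presents
)

$X509 = "System.Security.Cryptography.X509Certificates"
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth: Windows requires it on the EAP server cert
$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth: required on the user cert for EAP-TLS

function Import-ToStore {
    param($Cert, [string]$StoreName, [string]$Location)
    # Add a certificate to the named store; Add is idempotent for an identical cert.
    $store = New-Object "$X509.X509Store"($StoreName, $Location)
    $store.Open("ReadWrite")
    try { $store.Add($Cert) } finally { $store.Close() }
}

function Get-Ekus($Cert) {
    # Return the EKU OIDs carried by a certificate (empty if it has no EKU extension).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

# 1. Trust the FAC CA at machine level: the supplicant validates the server cert against
#    LocalMachine\Root, so a CA imported only into the user's store is not enough.
$ca = New-Object "$X509.X509Certificate2"($CaFile)
Import-ToStore $ca "Root" "LocalMachine"

# 2. Install the user certificate with its private key in the user's Personal store.
$keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$user = New-Object "$X509.X509Certificate2"($PfxFile, $PfxPassword, $keyFlags)
Import-ToStore $user "My" "CurrentUser"

# 3. Checks the supplicant performs implicitly; make them explicit.
if (-not $user.HasPrivateKey) {
    Write-Warning "User cert has no private key; EAP-TLS cannot present it."
}
if ((Get-Ekus $user) -notcontains $clientAuthOid) {
    Write-Warning "User cert lacks the Client Authentication EKU; it will not be offered for EAP-TLS."
}

$server = New-Object "$X509.X509Certificate2"($ServerCert)
if ((Get-Ekus $server) -notcontains $serverAuthOid) {
    Write-Warning "Server cert lacks the Server Authentication EKU; Windows rejects it for PEAP/EAP-TLS."
}

# Build the chain the way the supplicant does (revocation skipped: the client has no network yet).
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($server)) {
    "Server cert chains to a trusted root: OK ($($server.Subject))"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.StatusInformation)" }
}
```

If the chain check passes and both EKU checks are clean, the remaining variable is the wireless profile itself: a PEAP profile should have the FAC CA ticked under trusted root CAs, and an EAP-TLS ("Smart card or other certificate") profile selects among the user's Personal-store certificates that carry Client Authentication, which is where the two-certificate prompt described above comes from.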