Multiples SSIDs with Radius FortiAuthenticator + EAP-TLS

Forum|Forum|2 years ago
April 21, 2024
1 reply
2558 views

Hello community!

I have a very complex scenario to implement, but without much information.

The intended scenario is:

Multiple SSIDs for the Wireless network, however, must use WPA2-Enterprise... however, I do not intend for authentication to be done with user and pass, but rather via the EAP-TLS certificate issued by fortiauthenticator, tied to the local user created.

Performing EAP authentication was already successful, however, now I need to isolate the certificates so that only the certificate authorized for a given SSID can access.

In testing, any certificate is capable of logging into the SSID. How to isolate?
I've already tried to create the local group on Fortigate and indicate the remote group on Fortiauthenticator, but without success.

I've already tried applying the radius attributes, indicating the FortiAP SSID for the created user, but it didn't work.

summary: I intend for each ssid to only allow one certificate issued by fortiauthenticator

Is there any way to apply this scenario?

Best answer by ebilcari

You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID and than on "Identity source" select only the interested groups:

ebilcariAnswer

Staff

You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID and than on "Identity source" select only the interested groups:

Emirjon

tubirubsAuthor

Explorer

Tanks for your tip ebilcari!

I have never worked at this level at authenticator. I thought I couldn't have more than one policy, but I went a different route, but following your tip.

I created several Local CAs for each entity that will use the SSID, so I was able to tie the certificate and indicate the radius attribute indicating the FortiAP SSID.

Below are some screenshots: