Phuoc_Ngo
New Member
April 24, 2012
Question

Wifi Client certificate enforcement

  • April 24, 2012
  • 10 replies
  • 7132 views
Hi, We are trying to figure out a way to require a client that connects to a wifi AP to have a certificate. How do we go about getting that implemented on the iPhone or iPad? Any feedback would be greatly appreciated. Thank you. Regards, Phuoc Ngo

    10 replies

    Carl_Wallmark
    New Member
    April 25, 2012
    Will you be using the built-in certificate in the FortiGate, or a RADIUS server?
    Phuoc_Ngo
    New Member
    April 25, 2012
    We can use either. We have our own certificate already generated and imported into the FortiGate.
    Mike_FTNT
    Staff
    April 27, 2012
    >> require a client that connect to wifi AP to have a certificate
    Do you mean each user should have his or her own unique user certificate issued by the network admin? If yes, you need to set up a RADIUS server and make it support EAP-TLS authentication. The network admin needs to create a Root CA on the RADIUS server and then, based on that Root CA, create user certificates for the wifi clients one by one. The same CA will be given to all users, and user certificates will be distributed to all users in a strict one-to-one mapping manner. When a wifi client wants to connect to such a WPA Enterprise SSID, he or she must provide both the CA and the user certificate to authenticate. However, I'm not sure if iPad and iPhone support EAP-TLS authentication, because iOS is somewhat closed and the user must import the certificates first.
    Phuoc_Ngo
    New Member
    April 27, 2012
    In our scenario, we only have a certificate hosted on the FortiGate and would like to have the FortiGate check for that certificate before allowing access.
    Mike_FTNT
    Staff
    April 27, 2012
    Please be advised that such an FGT-side certificate is not intended to check the user's access privilege. Instead, the wifi user can utilize the Root CA to verify that the AP is the genuine one and NOT a fake (e.g. a phishing site). Then the "genuine" AP can verify the user's username and password to authenticate the user. So far as I know, iPad and iPhone as wifi clients will *always* let the user accept the AP-side certificate when trying to connect to a WPA-Enterprise SSID. (In this case, iPad and iPhone are using PEAP authentication with MS-CHAPv2 as the inner method by default.) However, different OSes and/or 802.1X software may behave differently. For example, Ubuntu has integrated WPA Enterprise authentication, and the CA verification there is *optional*, at the user's choice. That is to say, it is the user who decides whether or not to trust the AP.
    Phuoc_Ngo
    New Member
    April 30, 2012
    Mike, Thank you so much for your advice and feedback. So there is no way we can use Fortinet to deny the client connectivity if they are using a different certificate? Regards, Phuoc Ngo
    Mike_FTNT
    Staff
    May 1, 2012
    It'd better be described from the user's viewpoint. If the user is using a different certificate (CA) that can NOT verify the server-side certificate, the wifi client can NOT connect to the Access Point at all. No matter where the server certificate lives -- FGT or RADIUS server -- when only a server certificate is involved (that is, no user certificate will be verified by the server), the user himself or herself can decide to verify the server certificate (more secure) or just bypass it (more risky).
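The two trust decisions Mike_FTNT describes in this thread (the RADIUS server checking a per-user certificate against the admin's Root CA under EAP-TLS, and the client checking the AP/RADIUS server certificate against the CA it was given) are both ordinary X.509 path validation. The script below is an added example written for this page; it is not code from the thread, from Fortinet, or from any FortiGate feature. It uses the `openssl` CLI to construct a throwaway PKI (the CA names `corp` and `other` and the user names `alice` and `bob` are made up) and then runs both checks, showing why a certificate from a different issuer is refused only when the server actually validates a client certificate:

```shell
#!/bin/sh
# Added example, not from the thread: models the trust decisions in EAP-TLS
# (server validates the user certificate) and PEAP (client validates the
# server certificate). Both are the same path validation against a Root CA.
# All CAs, keys and names here are constructed for the demo.
set -e

WORK="${TMPDIR:-/tmp}/eap-tls-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed root CA (1-day validity, demo only)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
    -subj "/CN=$1 Root CA" >/dev/null 2>&1
}

# issue_cert CA NAME : key pair plus certificate for NAME, signed by CA.
# Used both for per-user client certificates and for the RADIUS server cert.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chains_to CA NAME : prints "accept" if NAME's certificate validates against
# that CA's root, "reject" otherwise. This is the entire enforcement decision:
# a certificate from any other issuer fails here, whoever presents it.
chains_to() {
  if openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Constructed PKI: "corp" is the Root CA the network admin created on the
# RADIUS server; "other" is an unrelated CA whose certificates must be refused.
make_ca corp
make_ca other
issue_cert corp radius-server   # server certificate presented via the AP
issue_cert corp alice           # user certificate issued by the admin
issue_cert other bob            # certificate the admin never issued

# EAP-TLS, server side: does the RADIUS server admit this client?
echo "alice (corp-issued) -> $(chains_to corp alice)"   # accept
echo "bob (other-issued)  -> $(chains_to corp bob)"     # reject

# PEAP / EAP-TLS, client side: should the client trust the server certificate?
# A client holding the right CA accepts; one holding a different CA cannot
# validate the server and, if it enforces the check, does not connect.
echo "client with corp CA  -> $(chains_to corp radius-server)"    # accept
echo "client with other CA -> $(chains_to other radius-server)"   # reject
```

Run it with `sh` on any host with `openssl` installed. The `bob` case is the one Phuoc asks about: the network can only deny a client holding a "different certificate" when the server performs this validation of a client certificate, which is the EAP-TLS setup described above. With a server-side certificate alone (the PEAP case), the only check that happens is the client-side one, and whether it is enforced is up to the client's configuration, as the replies note.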
    pcraponi
    New Member
    May 3, 2012
    Hi, You can e-mail yourself the SSL certificate. Then retrieve it on your iPad/iPhone and open the certificate file. The iPad will ask if you want to install it. Confirm to install the SSL certificate... Apple has some tools to make this easier to deploy. See here: http://dombarnes.com/2008/07/howto-install-wifi-certificates-on-your-iphone/ Look for "iPhone Configuration Utility" on the internet... Regards, Paulo Raponi
    Mike_FTNT
    Staff
    May 3, 2012
    Hi Paulo. That's helpful. Thanks! Regards, Mike
    Phuoc_Ngo
    New Member
    May 3, 2012
    Thank you guys, this would greatly help us out. Regards,