The_Nude_Deer
Explorer II
June 24, 2024
Solved

WiFi using FortiAuthenticator RADIUS with certificates

  • June 24, 2024
  • 3 replies
  • 4811 views

Following this link - https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/812128/creating-a-local-ca-on-fortiauthenticator


I am a little confused, the cookbook suggests you have to create a user certificate? I have over 500 LDAP users, that can't be right, can it? It also suggests you create the local users on the FAC? That's a bit pointless, my FAC is connected to AD, so why would I need to create the users again. I'm looking for a solution where the users connect to the business WiFi using their machine certs, not sure why we need user certs, is it another check or something? Thanks

3 replies

ebilcari
Staff
June 26, 2024

Do the machines already have certificates from a private CA?

If the machines have their certificates deployed you can configure the RADIUS policy, Identity source to check against Trusted CA(s) "Accepts all the valid client certificates signed by one of the trusted CAs." as shown here. This option may not be available if you are running an old firmware version.

Emirjon
The_Nude_Deer
Explorer II
June 26, 2024

(logged me into this forum on the wrong account!)

The machines are in AD, they do have a cert from an internal CA, yes. I looked this up yesterday with a colleague, I have imported that Root CA to the FAC, which already has an LDAP connection, so, is that it? The machine will present the cert, it's trusted by the FAC and so it allows authentication to the SSID? The cookbook makes it a lot more convoluted than this?

ebilcari
Staff
Best answer
June 26, 2024

Yes, it doesn't have to be that difficult :) the cookbook is a bit old. You have to pay attention also to the CRLs in order to prevent logins from hosts with revoked certificates.

Emirjon
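The check ebilcari describes, "signed by a trusted CA" plus "not on the CA's CRL", as an added demo that is not from the thread or from FortiAuthenticator: a throwaway CA, one machine cert, a CRL, and the accept/reject decision done with openssl. The CA and host names are made up.

```shell
#!/bin/sh
# Constructed demo: a private CA, one machine cert, a CRL, and the two checks a
# RADIUS server makes on an EAP-TLS client cert: trusted issuer and not revoked.
set -e
DEMO=$(mktemp -d) && cd "$DEMO"

# Issuing CA (stands in for the internal AD CA whose root was imported into the FAC).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Internal Root CA" 2>/dev/null

# Machine certificate for one domain-joined host (hypothetical name).
openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
  -subj "/CN=laptop01.corp.example" 2>/dev/null
openssl x509 -req -in host.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out host.pem 2>/dev/null

# Minimal 'openssl ca' database, needed only to revoke certs and publish a CRL.
touch index.txt; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
crlnumber = crlnumber
default_crl_days = 30
default_md = sha256
certificate = ca.pem
private_key = ca.key
EOF
publish_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; }

# The RADIUS-side decision: chains to the trusted CA AND not revoked. 0 = accept.
verify_machine_cert() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" >/dev/null 2>&1
}

publish_crl
if verify_machine_cert host.pem; then echo "fresh cert: accepted"; fi

# Decommission the laptop: revoke its cert and publish an updated CRL.
openssl ca -config ca.cnf -revoke host.pem 2>/dev/null
publish_crl
if verify_machine_cert host.pem; then
  echo "revoked cert: still accepted (CRL not checked)"
else
  echo "revoked cert: rejected"
fi
```

Drop `-crl_check` and `-CRLfile` from the verify call to see why the CRL matters: the revoked machine cert still chains to the trusted root and is accepted.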
The_Nude_Deer
Explorer II
June 27, 2024

Right! So this is the method I need to use. USER CERT, then checked in LDAP.. so it's the 2nd option I need. Right? Thank you, there just isn't a clear guide for that option! Still looking

The_Nude_Deer
Explorer II
October 21, 2024

Has anyone done this at all? It just isn't even close to working, despite configuring everything from the cookbooks and discussions here