Description
This article describes how FortiAuthenticator authenticates computers using the computer authentication option in a wired or wireless environment using 802.1X EAP-PEAP without a client certificate.
Scope
FortiAuthenticator, 802.1X, EAP-PEAP.
Solution
In this scenario, FortiAuthenticator will authenticate Computers in a Wired/Wireless environment using 802.1X EAP-PEAP (server certificate only, no client certificate involved). If client certificate authentication is required, follow EAP-TLS configuration (see related article). Supplicant configuration is also necessary as we are dealing with Computer authentication instead of User authentication.
This is not covered in this article, but a quick example of a Windows supplicant is visible below.
Note:
The EAP Server Certificate CA must be trusted by the supplicant as well to avoid any certificate trust-related error.
In doubt, consult the debug logs at https://fac-ip/debug/radius (enable the debug mode temporarily for testing).
The Trusted CA used for issuing the server certificate must be imported in FortiAuthenticator.
Starting the implementation:
- EAP Server Certificate: For this article, Microsoft Certification Authority is used as the CA for the EAP server certificate. Thus, configure the EAP server certificate using Microsoft Certification authority. Follow this related KB article Technical Tip: How to issue EAP certificate with Microsoft for the necessary steps. Import the Trusted CA that issued the Server certificate into FortiAuthenticator as described in the administration guide.
- Configure the FortiAuthenticator integration with LDAP: In this example, the username attribute sAMAccountName is used as the hostname is coming through it.
Note:
The Windows Domain Join is also necessary.
If the Domain Join fails, follow this related KB article: Troubleshooting Tip: FortiAuthenticator error: Failed to join Windows AD network: Domain Name.
- Create a Realm: In FortiAuthenticator, create a realm by specifying the LDAP server created previously as the source. Use this realm in the Radius Policies.
- Create a user group for wired/wireless hosts as needed: In this scenario, a group will be created for computers that are part of the
...objectClass=computer and also add Radius Attributes to place them in the respective VLAN 200.
- Create the Radius Policies: Choose the RADIUS Clients.
Note:
If needed, refine the policy to match only radius requests coming from the wired network, as per the following example. This is not mandatory and it is possible to leave the without any radius criteria in this step.
Select 'PEAP' and 'EAP-MSCHAPv2':
Specify the Realm and filter the group previously created:
Enable Windows AD computer authentication:
Some additional options are available at the end of the Radius policy. In this case, it is possible to have a specific result when the AD computer authentication is successful, another when the User Authentication is successful (if it is enabled in the supplicant), and another when both are successful.
In this example, the supplicant has only computer authentication enabled, and the Radius attributes are associated with the user group previously created:
- Results: The EAP-PEAP login was successful by host/name.domain:
- For debugging and troubleshooting, check the following articles:
- Troubleshooting Tip: How to debug FortiAuthenticator Services
- Troubleshooting Tip: How to work with FortiAuthenticator
Related article:
Technical Tip: FortiAuthenticator 802.1x EAP-TLS with computer authentication
