Sx11 (Staff)
Description

In this scenario FortiAuthenticator authenticates computers in a wired/wireless environment using 802.1X EAP-TLS.

For this scenario the certificates are issued by a Microsoft Certification Authority.

Supplicant configuration is also needed for this scenario, but it is out of the scope of this article.

Scope

FortiAuthenticator
802.1X
EAP-TLS

Solution

This configuration requires an understanding of the EAP method used in this case (EAP-TLS).

An explanation and comparison of the different EAP methods is provided here:

https://docs.fortinet.com/document/fortiauthenticator/6.0.7/administration-guide/125951/extensible-a...

In EAP-TLS there is mutual authentication between server and clients: every computer in the Windows AD environment is issued a computer certificate, and the server (FortiAuthenticator) has a server certificate.

The trusted CA that issued the client and server certificates must be imported into FortiAuthenticator.

Starting the implementation:

1) Configure the EAP server certificate using the Microsoft Certification Authority.

For this step follow this article:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-issue-EAP-certificate-with...

Import the trusted CA that issued the server and computer certificates into FortiAuthenticator as described here:

https://docs.fortinet.com/document/fortiauthenticator/6.4.3/administration-guide/22658/trusted-cas

2) Configure FortiAuthenticator integration with LDAP.

- LDAP server:

It is important to set the username attribute to dNSHostName.

[Screenshot: Sx11_1-1652957794109.png]

In the Computers OU it is possible to check the value this attribute will have for each Computer object, as below:

I have a host named pc2, which is domain-joined, with dNSHostName = pc2.forti.lab.

FortiAuthenticator uses this attribute to import the object into its user database.

[Screenshot: Sx11_2-1652957931991.png]

- Windows Domain Join:

[Screenshot: Sx11_6-1652958756018.png]

In case of failure, check this article to resolve it:

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-FortiAuthenticator-error-Fa...

3) In FortiAuthenticator, create a realm named 'host', specifying the LDAP server created above as its source.

Use this realm in the RADIUS policies.

[Screenshot: Sx11_5-1652958649165.png]

4) Create a user group for wired/wireless hosts as needed.

In this scenario a group is created for all PCs that are part of VLAN 50 and connect over a wired port.

[Screenshot: Sx11_0-1652959202756.png]

Add RADIUS attributes to this group in order to assign VLAN 50.

[Screenshot: Sx11_1-1652959318990.png]

4) Create a remote synchronization rule.

The remote sync rule auto-populates the 'Wired_hosts_Vlan50' group with the host objects matched by the LDAP filter.

In this example I have included a filter to match all wired computers in the 'finance' group in AD.

To configure a proper filter for the environment, check this article:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-LDAP-filter-syntax-for-groups-and...

- Specify the base DN and LDAP filter:

[Screenshot: Sx11_2-1652959574048.png]

- Select the group where the hosts will be included:

[Screenshot: Sx11_3-1652959582264.png]

Important:

In the 'Certificate binding CA' field, select the trusted CA imported in step 1) and add it with '+' to the remote sync rule.

This is required for FortiAuthenticator to retrieve the computer certificate information during the synchronization process.

- Verify the LDAP attributes and make sure username = dNSHostName.

[Screenshot: Sx11_4-1652959686005.png]
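As an added example (not part of this article and not FortiAuthenticator code), the Python script below applies a remote-sync style filter to constructed AD objects with a small RFC 4515 evaluator (&, |, !, and attr=value with '*' wildcards), returns the dNSHostName values that would be imported as usernames, and flags matched hosts for which no computer certificate has been issued for that name, since such a host ends up in the group but cannot complete EAP-TLS. The group DNs, host names and certificate CNs are assumed sample values.

```python
import re
# Constructed sample AD objects; the group DNs and host names are assumed values.
FINANCE_GROUP = "CN=finance,OU=Groups,DC=forti,DC=lab"
SERVERS_GROUP = "CN=servers,OU=Groups,DC=forti,DC=lab"
SAMPLE_ENTRIES = [
    {"objectClass": ["user", "computer"], "memberOf": [FINANCE_GROUP], "dNSHostName": ["pc2.forti.lab"]},
    {"objectClass": ["user", "computer"], "memberOf": [FINANCE_GROUP], "dNSHostName": ["pc3.forti.lab"]},
    {"objectClass": ["user", "computer"], "memberOf": [SERVERS_GROUP], "dNSHostName": ["srv1.forti.lab"]},
    {"objectClass": ["user"], "memberOf": [FINANCE_GROUP], "sAMAccountName": ["alice"]},  # a user, not a host
]
ISSUED_CERT_CNS = {"pc2.forti.lab"}  # constructed: Subject CN of each computer certificate issued so far
WIRED_FINANCE_FILTER = f"(&(objectClass=computer)(memberOf={FINANCE_GROUP}))"

def parse_filter(s, pos=0):
    """Parse an RFC 4515 filter (&, |, !, attr=value with '*') starting at s[pos]."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")  # the first '=' separates attribute and value
    return ("=", attr.strip(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (AD matching is case-insensitive)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    pattern = ".*".join(re.escape(part) for part in value.split("*"))  # '*' is the only wildcard
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def select_hosts(ldap_filter, entries, username_attr="dNSHostName"):
    """Usernames FortiAuthenticator would import: the username attribute of each matching entry."""
    node, _ = parse_filter(ldap_filter)
    return sorted(e[username_attr][0] for e in entries if matches(node, e) and e.get(username_attr))

def hosts_without_certificate(hosts, cert_cns):
    """Matched hosts that have no computer certificate issued for their dNSHostName."""
    issued = {cn.lower() for cn in cert_cns}
    return [h for h in hosts if h.lower() not in issued]
```

Running select_hosts with WIRED_FINANCE_FILTER returns pc2 and pc3 only (srv1 is in another group, alice has no dNSHostName), and hosts_without_certificate then reports pc3 as the host that would be synced but cannot yet pass EAP-TLS.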

 

5) Create the RADIUS policies.

- Choose the RADIUS clients.

[Screenshot: Sx11_5-1652959966415.png]

- No RADIUS attribute criteria.

[Screenshot: Sx11_6-1652960001181.png]

- Select authentication type 'EAP-TLS'.

[Screenshot: Sx11_7-1652960006627.png]

- Specify the 'host' realm created previously as the identity source and filter on the group.

[Screenshot: Sx11_8-1652960073102.png]

- Configure authentication factors if needed in the environment.

[Screenshot: Sx11_9-1652960163147.png]

For debugging and troubleshooting, check the articles below:

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-How-to-debug-FortiAuthentic...

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-How-to-work-with-FortiAuthe...

Related Fortinet documentation:

https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/551938/wired-802-1x-eap-tls-wit...