In this scenario FortiAuthenticator will authenticate Computers in a Wired/Wireless environment using 802.1x EAP-TLS.
For this scenario the Certificates will be issued by Microsoft Certification Authority.
Supplicant configuration is also needed for this scenario but it is out of the scope of this article.
This configuration requires an understanding of the EAP method used in this case (EAP-TLS).
Explanation and comparison between different methods is provided here:
In EAP-TLS there is mutual authentication between server and clients, which means every Computer in the Windows AD environment is issued a Computer certificate and the server (FortiAuthenticator) has a Server certificate.
The Trusted CA used for issuing the Client and Server certificates must be imported in FortiAuthenticator.
Starting the implementation:
1) Configure the EAP server certificate using Microsoft Certification authority.
For this step follow this article:
Import the Trusted CA that issued the Server and Computer certificates into FortiAuthenticator as described here:
https://docs.fortinet.com/document/fortiauthenticator/6.4.3/administration-guide/22658/trusted-cas
2) Configure FortiAuthenticator integration with LDAP.
- LDAP server:
It is important to set dNSHostName as the username attribute.
In the Computers OU, it is possible to check the value this attribute will match for each Computer object, as below:
I have a host named pc2, which is domain-joined with dNSHostName = pc2.forti.lab.
This attribute will be used by FortiAuthenticator to import the object in its user database.
- Windows Domain Join:
In case of failure check this article to resolve:
3) In FortiAuthenticator, create a realm named 'host', specifying the LDAP server created above as its source.
Use this realm in the RADIUS policies.
4) Create User group for Wired/Wireless Hosts as needed.
In this scenario we will create a group for all PCs that are part of VLAN 50 and connecting wired.
Add RADIUS attributes to this group so that it maps to VLAN 50.
5) Create a Remote synchronization rule.
The remote sync rule will be used to auto-populate the 'Wired_hosts_Vlan50' group with the hosts matched by the LDAP filter.
In this example I have included a filter to match all Wired Computers in the 'finance' group in AD.
To configure a proper filter for the environment, check this article:
- Specify the base DN and LDAP filter:
- Select the group where the hosts will be included:
Important:
In the 'Certificate binding CA' field, select the Trusted CA imported in step 1) and add it with '+' to the remote sync rule.
This is required for FortiAuthenticator to retrieve the computer certificate information during the synchronization process.
- Verify the LDAP attributes and make sure username = dNSHostName.
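As an added lab (not part of the article and not Fortinet's tooling), the openssl script below stands in for the Microsoft CA so the two properties the certificate binding depends on can be tried offline: the computer certificate chains to the imported Trusted CA, and its name equals the dNSHostName imported as the username. The names pc2.forti.lab and fac.forti.lab and the extra hosts are constructed, and comparing the SAN dNSName is a simplification of the binding, not FortiAuthenticator's exact logic.

```shell
#!/bin/sh
# Added lab (not from the article): openssl stand-in for the article's PKI.
# Builds a throw-away CA, an EAP server cert and two computer certs, then
# checks what the article's setup relies on: the cert chains to the trusted
# CA, and its SAN dNSName equals the dNSHostName the sync rule imports as
# the username. All names and files are constructed.
set -e
WORK=$(mktemp -d)
CA="$WORK/ca"
DNS_HOSTNAME="pc2.forti.lab"   # constructed AD value, as in the article

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -keyout "$CA.key" \
    -out "$CA.pem" -subj "/CN=Lab Root CA" 2>/dev/null
}

# $1 = file prefix, $2 = CN, $3 = subjectAltName, $4 = extendedKeyUsage
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=%s\n' "$3" "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$CA.pem" -CAkey "$CA.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# Trust check: only certificates issued by the imported trusted CA pass.
chains_to_ca() { openssl verify -CAfile "$CA.pem" "$1" >/dev/null 2>&1; }

# Print every SAN dNSName of a certificate, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' |
    sed -n 's/.*DNS:[[:space:]]*//p'
}

# Binding check: trusted chain AND a SAN dNSName equal to the LDAP dNSHostName.
binding_ok() { chains_to_ca "$1" && cert_dns_names "$1" | grep -qx "$2"; }

make_ca
issue_cert "$WORK/fac" "fac.forti.lab" "DNS:fac.forti.lab" "serverAuth"  # EAP server
issue_cert "$WORK/pc2" "pc2.forti.lab" "DNS:pc2.forti.lab" "clientAuth"  # domain PC
issue_cert "$WORK/pc9" "pc9.forti.lab" "DNS:pc9.forti.lab" "clientAuth"  # other PC
# Self-signed cert claiming pc2's name: right name, wrong issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=pc2.forti.lab" \
  -addext "subjectAltName=DNS:pc2.forti.lab" -keyout "$WORK/fake.key" \
  -out "$WORK/fake.pem" 2>/dev/null
binding_ok "$WORK/pc2.pem" "$DNS_HOSTNAME" && echo "pc2: accepted"
binding_ok "$WORK/pc9.pem" "$DNS_HOSTNAME" || echo "pc9: name mismatch, rejected"
binding_ok "$WORK/fake.pem" "$DNS_HOSTNAME" || echo "fake: untrusted issuer, rejected"
```

Requires OpenSSL 1.1.1 or later for the -ext and -addext options.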
6) Create the RADIUS policies.
- Choose the RADIUS clients.
- No RADIUS attribute criteria.
- Select Authentication type 'EAP-TLS'.
- Specify the 'host' realm created previously as the Identity Source and filter by the group.
- Add authentication factors if needed in the environment.
For debugging and troubleshooting, check the articles below:
Related Fortinet documentation: