Description
This article describes how FortiAuthenticator authenticates computers in a wired or wireless environment using 802.1x EAP-TLS.
Scope
FortiAuthenticator.
802.1X.
EAP-TLS.
Solution
In this scenario FortiAuthenticator will authenticate Computers in a Wired/Wireless environment using 802.1x EAP-TLS.
For this scenario, the Certificates will be issued by Microsoft Certification Authority.
Supplicant configuration is also necessary for this scenario but is not covered in this article.
This configuration requires an understanding of the EAP method used for this case (EAP-TLS)
An explanation and a comparison between different methods is provided in this section of the administration guide.
In EAP-TLS, mutual authentication occurs between the server and clients. This means all computers in the Windows AD environment will be issued a computer certificate and the server (FortiAuthenticator) will have a server certificate.
The Trusted CA is used for issuing the client and server certificates must be imported in FortiAuthenticator.
Starting the implementation:
- Configure the EAP server certificate using Microsoft Certification authority.
Follow Technical Tip: How to issue EAP certificate with Microsoft for the necessary steps.
Import the Trusted CA that issued the Server and Computer certificates into FortiAuthenticator as described in the administration guide.
- Configure the FortiAuthenticator integration with LDAP.
On the LDAP server, it is important to set the username attribute as 'dNSHostName'.
In computers, OU this attribute, it is possible to check the values will match for each computer object as below:
In this example, there is a host named pc2 which is a domain joined with dNSHostName = pc2.forti.lab.
This attribute will be used by FortiAuthenticator to import the object to its user database.
Windows Domain Join:
If the setup fails, consult this troubleshooting guide.
- In FortiAuthenticator, create a realm named 'host' by specifying the LDAP server created as the source.
Use this realm in the Radius Policies.
- Create a user group for wired/wireless hosts as needed.
In this scenario, a group will be created for PCs that are part of the VLAN 50 and its wired connections.
Add Radius Attributes for this group and match them with the VLAN 50 details.
- Create a Remote synchronization rule. The Remote sync rule will be used to auto-populate the 'Wired_hosts_Vlan50' group with host information specified in the LDAP filter.
In this example, a filter was included to match all wired computers in the 'finance' group in AD.
To configure an ideal filter for the environment, see Technical Tip: LDAP filter syntax for groups and remote user sync.
Specify the base DN and LDAP filter:
Select the group where the hosts will be included:
Important:
In the 'Certificate binding CA' field, select the Trusted CA that was imported from step 1 and include it with '+' in the remote sync rule.
This is important for FortiAuthenticator to retrieve computer certificate information during the synchronization process.
Verify LDAP attributes and make sure username = dNSHostName.
- Create the Radius Policies.
Choose the RADIUS Clients.
No radius attribute criteria:
Select the 'EAP-TLS' authentication type:
Specify the 'host' realm created previously as an Identity Source and filter the group.
As of FortiAuthenticator 6.5.2 and above, it is possible to select trusted CA(s) that have signed client certificates under the Identity Sources section. It is possible to select multiple root or intermediate CAs. These Certificate Authorities must be present on FortiAuthenticator under Certificate Management -> Certificate Authorities -> Trusted CAs.
Authentication factors if needed in the environment.
For debugging and troubleshooting, check the following articles:
- Troubleshooting Tip: How to debug FortiAuthenticator Services.
- Troubleshooting Tip: How to work with FortiAuthenticator.
Related Fortinet documentation:
Wired 802.1x EAP TLS with computer authentication - FortiAuthenticator cookbook.
