syadav
Staff
Article Id 374220
Description

This article describes how to configure certificate authentication for an SSID on the FortiGate using a wildcard PKI user.

Scope

FortiGate v7.4.2 or later.

Solution

FortiOS v7.4.2 or later supports WPA2-Enterprise certificate authentication using a wildcard PKI user.


The topology below is used in this demonstration: the FortiAP is managed by the FortiGate, and a Windows server with the AD CS and NPS roles acts as the RADIUS server.

[Topology diagram: syadav_0-1738540273252.png]

 

Follow the steps below to configure NPS and the FortiGate:

  1. Configure the FortiGate as a RADIUS client on NPS and, if required, configure the connection request policy:

[Screenshot: syadav_1-1738540273253.png]

  2. Configure a network policy on NPS and select the user group in the Conditions tab:

[Screenshot: syadav_2-1738540273255.png]

  3. Configure Authentication Methods under the Constraints tab: add EAP-MSCHAPv2 as the EAP type and enable MS-CHAP-v2.

[Screenshot: syadav_3-1738540273258.png]

  4. Configure the RADIUS attribute that the RADIUS server sends to the FortiGate after successful authentication:

[Screenshot: syadav_4-1738540273262.png]

  5. Export the root certificate authority from the Windows server and import it on the FortiGate as a remote CA, as shown in the screenshot below (also import the intermediate CA certificate, if there is one):

[Screenshot: cert.png]

For this demonstration, the root CA signed the end-user certificate.

  6. Configure a RADIUS server on the FortiGate as shown below:

config user radius
    edit "wsso-radius"
        set server "10.0.11.250"
        set secret ENC xxxxyyyyzzzz
        set auth-type ms_chap_v2
        set account-key-processing strip
    next
end

 

  7. Configure a wildcard PKI user with MFA set to the RADIUS server configured in the previous step:

config user peer
    edit "wsso-pki"
        set ca "CA_Cert_1"
        set mfa-mode subject-identity
        set mfa-server "wsso-radius"
    next
end

 

  8. Configure a user group containing the PKI user and the RADIUS server, with a group-name match attribute:

config user group
    edit "Devices-Group"
        set member "wsso-pki" "wsso-radius"
        config match
            edit 1
                set server-name "wsso-radius"
                set group-name "Devices"
            next
        end
    next
end

 

  9. Configure the SSID to authenticate against a user group and use the group created in the previous steps:

config wireless-controller vap
    edit "wsso"
        set ssid "wsso"
        set security wpa2-only-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "Devices-Group"
        set schedule "always"
    next
end

 

From the end-user machine, connect to the Wi-Fi SSID, select the user certificate to authenticate with, and trust the certificate presented by the FortiGate.

Note:

To change the certificate presented by the FortiGate, navigate to WiFi & Switch Controller -> WiFi Settings, then change the WiFi Certificate and WiFi CA Certificate.

 

After successful authentication, use the command below to check the connected user:

diagnose firewall auth list

10.0.97.2, wsso-pki
        type: wsso, id: 0, duration: 12, idled: 0
        expire: 120, allow-idle: 120
        flag(100): wsso
        packets: in 170 out 174, bytes: in 68931 out 53868
        group_id: 5
        group_name: Devices-Group
----- 1 listed, 0 filtered ------
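The entry above is what a correctly wired setup produces: the station is authenticated as the wildcard PKI user, the session type is wsso, and the group matches the one bound to the SSID. The script below is an added example (not part of the article or FortiOS) that parses this output format and reports any session that deviates from those expectations; the sample output is constructed from the listing shown above, and the user name "wsso-pki" and the entry/trailer line formats are assumed from it.

```python
import re

# Constructed sample in the format 'diagnose firewall auth list' prints (see article).
AUTH_LIST = """\
10.0.97.2, wsso-pki
        type: wsso, id: 0, duration: 12, idled: 0
        expire: 120, allow-idle: 120
        flag(100): wsso
        packets: in 170 out 174, bytes: in 68931 out 53868
        group_id: 5
        group_name: Devices-Group
----- 1 listed, 0 filtered ------
"""
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")      # "ip, user" header line
TRAILER_RE = re.compile(r"^-+ (\d+) listed, (\d+) filtered -+$")  # summary line at the end
PAIR_RE = re.compile(r"([\w()-]+): ([^,]+)")                      # "key: value" inside a detail line

def parse_auth_list(text):
    """Return (entries, listed_count); each entry maps ip, user and every
    'key: value' pair found on its indented detail lines."""
    entries, listed = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "user": m.group(2)})
        elif (t := TRAILER_RE.match(line)):
            listed = int(t.group(1))
        elif entries and line.startswith(" "):
            for key, val in PAIR_RE.findall(line):
                entries[-1][key] = val.strip()
    return entries, listed

def check_sessions(text, expected_group, expected_user="wsso-pki"):
    """List inconsistencies; an empty list means every session is a wsso
    session for the wildcard PKI user that landed in the SSID's user group."""
    entries, listed = parse_auth_list(text)
    problems = []
    if listed is not None and listed != len(entries):
        problems.append(f"trailer says {listed} listed, parsed {len(entries)}")
    for e in entries:
        if e.get("type") != "wsso":
            problems.append(f"{e['ip']}: type {e.get('type')!r}, expected 'wsso'")
        if e["user"] != expected_user:
            problems.append(f"{e['ip']}: user {e['user']!r}, expected {expected_user!r}")
        if e.get("group_name") != expected_group:
            problems.append(f"{e['ip']}: group {e.get('group_name')!r}, expected {expected_group!r}")
    return problems

if __name__ == "__main__":
    print(check_sessions(AUTH_LIST, "Devices-Group") or "all sessions OK")
```

Feed it the real output of the command and the usergroup name from the vap configuration to spot stations that authenticated but did not land in the expected group (which points at the RADIUS attribute or the group match settings above).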

 

Troubleshooting:

Execute the following commands to enable debugging on the FortiGate, then reproduce the issue:

diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug app eap_proxy -1
diagnose debug enable
