FortiGate
martinsd
Staff
Article Id 256911
Description
This article describes how to set up an Okta environment for WiFi authentication.

Scope
FortiGate + FortiAP.

Solution
(Diagram: OKTA.png)

 

The data flow has the following steps:

1) A supplicant (mobile device/laptop/desktop) tries to associate with the FortiAP.

2) The FortiAP contacts the Okta RADIUS agent with the user's identity.

3) The Okta RADIUS agent requests the start of the EAP-TTLS conversation, which is forwarded to the supplicant.

4) A TLS channel is established between the supplicant and the Okta RADIUS agent.
Within the tunnel, the supplicant sends the configured username and password to the Okta RADIUS agent.

5) The Okta RADIUS agent sends authentication information to the Okta tenant.

6) The Okta tenant sends the authentication response back to the Okta RADIUS agent.

7) The Okta RADIUS agent sends an Accept or Reject message to the FortiAP.

8) The FortiAP accepts or rejects the terminal access request.
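Steps 2, 7 and 8 of this flow depend on the RADIUS shared secret that the Okta app and the FortiGate must both be configured with: the Access-Request carrying the EAP identity is authenticated with an HMAC keyed by that secret (mandatory for EAP per RFC 3579), and the Accept or Reject reply is sealed with a Response Authenticator that the access point must verify before acting on it. The following is an added example, not code from this article, from Fortinet or from Okta; it builds and checks those packets per RFC 2865 and RFC 3579. The secret, identity and Request Authenticator are constructed sample values (a real NAS uses a random 16-byte Request Authenticator per request).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 79, 80
# Access-Challenge is how the server drives the EAP conversation (step 3).
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(payload):
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        out.append((attr_type, payload[i + 2:i + length]))
        i += length
    return out


def _message_authenticator(secret, head, auth_field, attrs):
    """HMAC-MD5 over Code+ID+Length, the authenticator field and the attributes
    with the Message-Authenticator value zeroed (RFC 3579 section 3.2)."""
    zeroed = b"".join(attr(t, bytes(16) if t == ATTR_MESSAGE_AUTH else v) for t, v in attrs)
    return hmac.new(secret, head + auth_field + zeroed, hashlib.md5).digest()


def build_access_request(secret, ident, request_auth, outer_identity):
    """Step 2: the NAS forwards the supplicant's EAP-Response/Identity.
    Message-Authenticator is placed last and filled in after hashing."""
    eap = struct.pack("!BBH", 2, 1, 5 + len(outer_identity)) + b"\x01" + outer_identity
    attrs = [(ATTR_USER_NAME, outer_identity), (ATTR_EAP_MESSAGE, eap),
             (ATTR_MESSAGE_AUTH, bytes(16))]
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + sum(len(v) + 2 for _, v in attrs))
    attrs[-1] = (ATTR_MESSAGE_AUTH, _message_authenticator(secret, head, request_auth, attrs))
    return head + request_auth + b"".join(attr(t, v) for t, v in attrs)


def verify_access_request(secret, packet):
    """The RADIUS server's check of an incoming Access-Request: the HMAC must
    verify under the shared secret, otherwise the packet is silently dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return False
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTH]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    expected = _message_authenticator(secret, packet[:4], packet[4:20], attrs)
    return hmac.compare_digest(received[0], expected)


def build_response(secret, code, ident, request_auth, extra=()):
    """Step 7: the server replies. The reply's Message-Authenticator is keyed
    over the *Request* Authenticator, then the Response Authenticator
    = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) seals the packet."""
    attrs = list(extra) + [(ATTR_MESSAGE_AUTH, bytes(16))]
    head = struct.pack("!BBH", code, ident, 20 + sum(len(v) + 2 for _, v in attrs))
    attrs[-1] = (ATTR_MESSAGE_AUTH, _message_authenticator(secret, head, request_auth, attrs))
    body = b"".join(attr(t, v) for t, v in attrs)
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def response_outcome(secret, request_auth, packet):
    """Step 8: what the NAS may do with a reply. Returns the reply's meaning only
    when both authenticators verify under the shared secret and the reply is
    bound to our Request Authenticator; anything else is "invalid"."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "invalid"
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return "invalid"
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return "invalid"
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTH]
    if len(received) != 1 or not hmac.compare_digest(
            received[0], _message_authenticator(secret, packet[:4], request_auth, attrs)):
        return "invalid"
    return CODE_NAMES.get(packet[0], "invalid")


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    req = build_access_request(secret, 42, req_auth, b"alice@example.com")
    print("request verifies:", verify_access_request(secret, req))
    accept = build_response(secret, ACCESS_ACCEPT, 42, req_auth)
    print("reply outcome:", response_outcome(secret, req_auth, accept))
    print("reply under wrong secret:", response_outcome(b"wrong-secret", req_auth, accept))
```

A reply whose authenticators do not verify, or that was computed for a different request, is treated exactly like a missing reply: the client stays unauthenticated. This is why a mismatched secret between the Okta app and the FortiGate shows up as silent authentication failures rather than an explicit error.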

 

Because standard EAP-TTLS will be used to authenticate, it is necessary to set up a preconfigured Okta application called Cisco Meraki Wireless LAN (RADIUS).

 

OKTA Admin Console Config

 

Add app

 

1) In the Admin Console, go to Applications -> Applications.

2) Select Browse App Catalog.

3) Search for Cisco Meraki Wireless LAN (RADIUS), select it, and then select Add Integration.

4) Enter a unique application label (like Fortinet Wireless LAN) and select Next.

5) In the Sign On tab, complete the following:

a) Clear the Authentication checkbox.

b) Enter a UDP Port (for example, 1812). The UDP port values of the app and the client gateway must match.

c) Enter the Secret Key to use to encrypt the user password. The secret key for the app and the client gateway must match.

d) Select an appropriate username format from the Application username format dropdown list.

6) To enable EAP-TTLS:

a) Scroll to the Authentication Protocol section of the Sign On tab and select Edit. Select Use EAP-TTLS authentication.

b) Upload the server certificate chain and entity private key. Generate a certificate and private key from a trusted CA and import it as a *.pfx or *.p12. Use <org-name>.okta.com as the CN and SAN (see https://help.okta.com/en-us/Content/Topics/integrations/about-certificates.htm for more information about certificates).

c) Enter the password used to protect the certificate and key.

d) Select the TLS version.

e) Select Save.

7) To enable authentication with an AD UPN or an AD SAM account name:

a) Select the Sign On tab.

b) Scroll to the Advanced RADIUS Settings section.

c) Select Edit.

d) In the Authentication section, select Enable UPN or SAM Account Name Login.

After enabling this setting, users that are assigned this application must have their username set to the AD user principal name prior to being assigned the RADIUS application. For the SAM Account Name to be used successfully, it must have the same prefix as the UPN.

e) Select Save.

f) Scroll to the Settings section of the Sign On tab.

g) Select Edit.

h) Select Email from the Application username format dropdown list to import users with the full username@domain.com values.

i) Select Save.

 

Assign app to groups

 

1) Select the Assignments tab.

2) Select Assign and select Assign to Groups.

3) Locate the group to assign the app to and select Assign.

4) Complete the fields in the Assign Cisco Meraki Wireless LAN (RADIUS) to Groups dialog menu.

5) Select Save and go back. The Assigned button for the group is disabled to indicate the app is assigned to the group.

6) Optionally, assign the app to additional groups by repeating steps 3 through 5 for each.

7) Select Done.

 

Install the Okta RADIUS Server agent

 

Follow one of these installation guides:

 

Install Okta RADIUS Server agent on Windows - https://help.okta.com/en-us/Content/Topics/integrations/Agent_Installing_the_Okta_Radius_Agent.htm

 

Install Okta RADIUS agent on Linux - https://help.okta.com/en-us/Content/Topics/integrations/Agent_Installing_the_Okta_Radius_Agent-linux...

 

Configure the FortiGate

 

Define a RADIUS Server Profile

 

(Screenshot: RADIUS.png)

 

Define the SSID Authentication

 

(Screenshot: SSID.png)
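The RADIUS server profile and the SSID authentication shown in the two screenshots above can also be defined from the FortiOS CLI. The following is an added example and not taken from this article: the object names Okta-RADIUS and Okta-WiFi, the server address 10.0.0.5 and the secret are placeholders. The server is the host running the Okta RADIUS Server agent; the secret and port must be identical to the Secret Key and UDP Port entered in the Okta app's Sign On tab, since a mismatch silently fails every authentication.

```text
# RADIUS server profile pointing at the Okta RADIUS Server agent (placeholder values)
config user radius
    edit "Okta-RADIUS"
        set server "10.0.0.5"
        set secret REPLACE-WITH-OKTA-APP-SECRET-KEY
        set radius-port 1812
        set auth-type pap
    next
end

# WPA2-Enterprise SSID that hands 802.1X/EAP authentication to that profile
config wireless-controller vap
    edit "Okta-WiFi"
        set ssid "Okta-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "Okta-RADIUS"
        set schedule "always"
    next
end
```

The FortiGate only relays the EAP-TTLS exchange between the supplicant and the Okta agent; the inner PAP credentials never leave the TLS tunnel, so the Okta server certificate trusted by the clients (configured in the sections below) is what protects the password, not the RADIUS secret.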

 

Configure EAP-TTLS supported clients

 

Configure Apple macOS device

 

1) Install and open Apple Configurator from the App Store on the Mac.

2) Select File -> New Profile.

3) Select the General tab.

4) Enter a Name for the profile.

5) Select the Certificates tab.

6) Select Configure and navigate to a directory that contains a valid root certificate.

7) Add the root certificate.

8) Select the Wi-Fi tab. Enter values appropriate for the environment.

9) In the Trust tab within the Wi-Fi section, select the root certificate previously added as a Trusted Certificate.

10) Select File -> Save and save the file with a .mobileconfig extension. If an error message is displayed for the profile, ignore it and select Save Anyway.

11) Add the 802.1X Wi-Fi user profile to the system:

a) Select Profiles from System Preferences.

b) Select the + sign to add the Wi-Fi profile created previously.

12) Connect to the network using the Network panel in System Preferences. Successful logins will appear in the FortiView Dashboard.

 

When an AD or Okta password is updated, the user isn't prompted by macOS to update the password for the Wi-Fi connection. Instead, macOS continues to try to connect using the previous password, which can result in an account lockout.

 

Configure Apple iOS device

 

1) Install and open Apple Configurator from the App Store on the Mac.

2) Select File -> New Profile.

3) Select the General tab.

4) Enter a Name for the profile.

5) Select the Certificates tab.

6) Select Configure and navigate to a directory that contains a valid root certificate.

7) Add the root certificate.

8) In the Wi-Fi tab, enter values appropriate for the environment.

9) In the Trust tab within the Wi-Fi section, choose to trust the root certificate previously added.

10) Select File -> Save and save the file with a .mobileconfig extension. If any error occurs, select Save Anyway.

11) Connect the iOS device to the Mac using a USB cable. The device will appear in the All Devices view in Apple Configurator.

12) From the All Devices view, right-click the device and choose the option to add a profile. Select the profile previously created and follow the prompts on the Mac and mobile device.

13) Connect to the Wi-Fi network.

 

Configure Android device

 

1) Install the EAP-TTLS root certificate:

a) Copy the certificate onto the Android device using a USB connected to the laptop or some other means.

b) On the device, navigate to Settings -> Security & location -> Advanced -> Encryption & credentials.

c) Under Credential Storage, tap the option to Install from device storage.

d) Navigate to the location of the saved certificate.

e) Tap the file.

f) Enter a name for the certificate and choose Wi-Fi.

g) Tap OK.

2) Open Wi-Fi settings and select the SSID to connect to. If it's not visible, choose the option to Add network and enter the network SSID name and set the Security type to 802.1x EAP.

3) Set the following options:

 

- EAP method: TTLS

- CA certificate: Choose the certificate just installed

- Identity: Okta username

- Password: Okta password/MFA

Under Advanced, set the following:

- Phase 2 authentication: PAP

- Anonymous identity: This value is the user's unencrypted identity outside the TLS tunnel. Since the RADIUS agent does not currently use it, enter any value; because it is sent in the clear, do not use the real username.

 

The device should now be able to connect to the Wi-Fi network.

 

Windows 10 device

1) Navigate to the Network and Sharing Center and choose to Set up a new connection or network and then select Next.

2) Choose Manually connect to a wireless network, then select Next.

3) Enter the SSID of the wireless network as the Network name.

4) Choose WPA2-Enterprise for the security type.

5) Select Next.

6) Select Change connection settings.

7) Select the Security tab.

8) Change the network authentication method to Microsoft: EAP-TTLS.

9) Select Settings.

10) In the TTLS Properties page, use the following settings:

- Enable identity privacy: anonymous

- Trusted Root Certification Authorities: Select the root certificate used to sign the EAP-TTLS server certificate uploaded to Okta.

- Client authentication: Choose Select a non-EAP method for authentication, then choose Unencrypted password (PAP) from the dropdown list of authentication methods.

 

11) Return to the Network Properties dialog menu and select Advanced settings.

12) Select Specify authentication mode. Choose User authentication from the dropdown list. Select OK.

13) Connect to the RADIUS enabled SSID.

 

Related document

 

https://help.okta.com/en-us/Content/Topics/integrations/integrations.htm

 
