Fortinet Forum
achraf_harkati
New Contributor

Fortiauthenticator : SCEP Issue

Hi All,

I'm wondering if Anyone has used FortiAuthenticator to perform BYOD ?

I'm testing FAC 5.1.2 in a lab environment to authenticate WiFi users using EAP-TLS, the FAC has a CA certificate configured (signed by a Win2016 root CA). And I'm stuck at getting devices self-enrolled to obtain a certificate that they can use for EAP-TLS.

I've enabled Device Self-enrollment using the CA Certificate Template (SCEP request is configured using Wildcard).

At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required

I've also tried http (enabled http on the Interface) instead of https and keep getting the same error.

Has anyone faced the same problem before ?

Has anyone successfully got device self-enrollment working on FAC using SCEP ?

Does FAC provide an onboarding portal similar to other products such as Aruba ClearPass ?

Your help will be very much appreciated.

Achraf.

xsilver_FTNT
Staff

Hi,

"At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required"

That's because the URL is not intended to be used for human interaction and manual enrollment.

It is for SCEP enrollment (SCEP, PKCS packed CSR [Certificate Signing Request], is expected as input), therefore you are getting that error as you haven't sent your GET with appropriate data.

If you do, for example, new cert generation via CSR and choose SCEP as signing method from FGT, then it will send PKCS encrypted data to FAC via this URL (you have to specify in FGT).

Then FAC will check CSR against SCEP Enrolment Requests rules and process accordingly (auto enroll/wait for admin enrollment/reject basically).

Kind regards,

Tomas

Tom xSilver, planet Earth, over and out!
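To make the point in the reply above concrete, here is a small added example (written for this thread, not FortiAuthenticator or FortiGate code) that models the checks a SCEP endpoint performs on an incoming HTTP request, following RFC 8894. Every SCEP request must carry an `operation` query parameter (GetCACaps, GetCACert or PKIOperation), and PKIOperation must also deliver a base64-encoded PKCS#7 `message` (or a raw POST body). A browser hitting the bare URL sends neither, which is exactly the error quoted in the question. The capability list, the CA certificate bytes and the PKCS#7 blob are constructed placeholders; the function and variable names are this example's own.

```python
"""Model of a SCEP (RFC 8894) HTTP endpoint's request validation.

Added illustration; not FortiAuthenticator code.  Shows why a plain browser
visit to /cert/scep is rejected: SCEP requires an `operation` query parameter,
and PKIOperation additionally requires a base64 PKCS#7 `message`.
"""
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Operations defined in RFC 8894 section 4 (GetNextCACert is optional, omitted).
SUPPORTED_OPERATIONS = {"GetCACaps", "GetCACert", "PKIOperation"}

# Constructed sample data standing in for what a real CA would serve.
SAMPLE_CA_CAPS = ["POSTPKIOperation", "SHA-256", "AES", "SCEPStandard"]
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"\x00" * 16  # placeholder, not a real certificate


def scep_url(base_url, operation, pkcs7=None):
    """Build the GET form of a SCEP request, as a SCEP client (e.g. a router) would.

    `pkcs7` is the DER PKCS#7 envelope carrying the CSR; it is base64-encoded
    and URL-encoded into the `message` parameter for PKIOperation.
    """
    params = {"operation": operation}
    if pkcs7 is not None:
        params["message"] = base64.b64encode(pkcs7).decode("ascii")
    return base_url + "?" + urlencode(params)


def handle_scep_request(url, body=None):
    """Return (status, content_type, payload) for a SCEP GET (or POST with body).

    Mirrors the validation a SCEP server must do before any PKI work happens.
    """
    query = parse_qs(urlsplit(url).query)
    operation = query.get("operation", [None])[0]
    if operation is None:
        # This is the condition behind the browser error quoted in the thread.
        return 400, "text/plain", '"operation" parameter is required'
    if operation not in SUPPORTED_OPERATIONS:
        return 400, "text/plain", f"unsupported operation: {operation}"

    if operation == "GetCACaps":
        # RFC 8894: plain-text list of capabilities, one per line.
        return 200, "text/plain", "\n".join(SAMPLE_CA_CAPS)
    if operation == "GetCACert":
        # RFC 8894: the CA certificate in DER (single-CA case).
        return 200, "application/x-x509-ca-cert", SAMPLE_CA_DER

    # PKIOperation: the CSR arrives wrapped in PKCS#7, either raw in a POST
    # body or base64 in the `message` query parameter of a GET.
    if body is not None:
        pkcs7 = body
    else:
        encoded = query.get("message", [None])[0]
        if encoded is None:
            return 400, "text/plain", '"message" parameter is required for PKIOperation'
        try:
            pkcs7 = base64.b64decode(encoded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return 400, "text/plain", "message is not valid base64"
    if not pkcs7.startswith(b"\x30"):  # PKCS#7 ContentInfo is a DER SEQUENCE
        return 400, "text/plain", "message is not a DER-encoded PKCS#7 structure"
    # A real CA would now verify the PKCS#7 signature, apply its enrolment
    # rules (auto-sign / hold for admin / reject) and return a CertRep.
    return 200, "application/x-pki-message", b"<signed CertRep would go here>"


if __name__ == "__main__":
    print(handle_scep_request("https://FAC-IP/cert/scep"))
    print(handle_scep_request(scep_url("https://FAC-IP/cert/scep", "GetCACaps")))
```

The first call reproduces the browser experience from the question (no `operation`, so a 400 with the "parameter is required" message); the second shows the minimal well-formed request a SCEP client sends before it ever submits a CSR.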

achraf_harkati

Thanks Tomas for the Clarifications.

I confirm FGT can make SCEP requests using that url and works fine since a CSR is included with the request.

My goal is to have this certificate installed on a User laptop and use it for EAP-TLS authentication. When I create a user certificate and install it manually on a user laptop everything (EAP-TLS auth) works fine as well.

Now does FAC provide a portal that I can use to have users go to and make a certificate request that they can use for EAP-TLS ?

If yes, do you have the URL ?

If not, what is the purpose of the claimed "Device Self-Registration" ? All Fortinet documentation outlines the steps to configure "Device Self-Registration" but does not go further and explain how we can take advantage of this feature from a user perspective. Note that the FAC documentation explains very well the Guest "User Self-Registration" steps.

Bottom line, can we do BYOD Device Onboarding like other vendors do ?

Thanks again for your help.

Regards.

Achraf.


mikebutash

I am interested in the answer to this as well, if there was one.  I'm working with Authenticator for a customer right now as well as a POC, and would like to see if this works nicely with various other vendor kit/software.  SCEP with standard devices like routers/firewalls, any scep client basically (outside authenticator with human interaction) is ideal.

tedauction
New Contributor III

I am also looking for an answer on this.

Specifically has anyone got FAC SCEP working with Google MDM ?