Support Forum
achraf_harkati
New Contributor II

Fortiauthenticator : SCEP Issue

Hi All,

 

I'm wondering if Anyone has used FortiAuthenticator to perform BYOD ?

I'm testing FAC 5.1.2 in a lab environment to authenticate WiFi users using EAP-TLS; the FAC has a CA certificate configured (signed by a Win2016 root CA). And I'm stuck at getting devices self-enrolled to obtain a certificate that they can use for EAP-TLS.

I've enabled Device Self-enrollment using the CA Certificate Template (SCEP request is configured using Wildcard).

At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required

 

I've also tried http (enabled http on the Interface) instead of https and keep getting the same error.

 

Has anyone faced the same problem before ?

Has anyone successfully got device self-enrollment working on FAC using SCEP ?

Does FAC provide an onboarding portal similar to other products such as Aruba Clearpass ?

 

Your help will be very much appreciated.

 

Achraf.
xsilver_FTNT
Staff

Hi,

 

"At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required"

 

That's because the URL is not intended to be used for human interaction and manual enrollment.

It is for SCEP enrollment (SCEP, PKCS packed CSR [Certificate Signing Request], is expected as input), therefore you are getting that error as you haven't sent your GET with appropriate data.

If you do, for example, new cert generation via CSR and choose SCEP as signing method from FGT, then it will send PKCS encrypted data to FAC via this URL (you have to specify in FGT).

Then FAC will check the CSR against the SCEP Enrollment Requests rules and process accordingly (auto enroll/wait for admin enrollment/reject basically).

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
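What "appropriate data" looks like on the wire, as an added example that is not from the thread and not Fortinet code: SCEP (RFC 8894) is driven entirely by the `operation` query parameter. A browser GET of the bare URL carries none, which is exactly the error quoted above. The helpers below build the `GetCACaps` / `GetCACert` / `PKIOperation` requests for the thread's endpoint (`FAC-IP` is the thread's placeholder host), parse a constructed `GetCACaps` reply, and mimic the server-side check that rejects a request with no operation. The PKCS#7 blob for `PKIOperation` is a constructed placeholder; a real client wraps the PKCS#10 CSR in SignedData(EnvelopedData) first.

```python
"""
SCEP request helpers (added example, not Fortinet code).
Assumes the endpoint https://FAC-IP/cert/scep from the thread; FAC-IP is a placeholder.
"""
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

SCEP_URL = "https://FAC-IP/cert/scep"

# Operations defined by RFC 8894 (GetCACertChain is a legacy draft operation).
KNOWN_OPERATIONS = {
    "GetCACaps", "GetCACert", "GetNextCACert", "GetCACertChain", "PKIOperation",
}

# Constructed sample GetCACaps response (one capability per line); not captured from a FAC.
SAMPLE_CACAPS = b"POSTPKIOperation\nSHA-256\nAES\nRenewal\n"


def scep_url(operation, message=None, base=SCEP_URL):
    """Build the GET form of a SCEP request: ?operation=<op>[&message=<msg>]."""
    if operation not in KNOWN_OPERATIONS:
        raise ValueError(f"unknown SCEP operation: {operation}")
    params = {"operation": operation}
    if message is not None:
        params["message"] = message  # CA identifier for GetCACert, base64 PKCS#7 for PKIOperation
    return f"{base}?{urlencode(params)}"


def operation_of(url):
    """Server-side view: return the operation, or None when the parameter is absent.
    A bare browser GET of SCEP_URL hits this None branch, i.e. the thread's error."""
    query = parse_qs(urlsplit(url).query)
    ops = query.get("operation")
    return ops[0] if ops else None


def parse_cacaps(body):
    """GetCACaps answers text/plain with one capability keyword per line."""
    return {line.strip() for line in body.decode("ascii", "replace").splitlines() if line.strip()}


def build_pkioperation(caps, pkcs7_der, base=SCEP_URL):
    """Return (method, url, body, headers) for a PKIOperation.

    pkcs7_der is the DER CMS message (SignedData wrapping EnvelopedData that holds
    the PKCS#10 CSR). POST is used only when the CA advertised POSTPKIOperation;
    otherwise the message goes base64-encoded into the query string (RFC 8894 s4.1).
    """
    if "POSTPKIOperation" in caps:
        return ("POST", scep_url("PKIOperation", base=base), pkcs7_der,
                {"Content-Type": "application/x-pki-message"})
    msg = base64.b64encode(pkcs7_der).decode("ascii")
    return ("GET", scep_url("PKIOperation", message=msg, base=base), None, {})


if __name__ == "__main__":
    # 1. What the browser did: no operation at all.
    if operation_of(SCEP_URL) is None:
        print('"operation" parameter is required')
    # 2. What a SCEP client does first.
    print(scep_url("GetCACaps"))
    print(scep_url("GetCACert", message="FAC-CA"))  # "FAC-CA" is an assumed CA identifier
    caps = parse_cacaps(SAMPLE_CACAPS)
    # 3. Then the enrolment itself; the DER below is a constructed placeholder, not a real CSR.
    method, url, body, headers = build_pkioperation(caps, b"\x30\x03\x02\x01\x00")
    print(method, url, headers)
```

The FortiGate path Tomas describes is this same exchange done for you; anything else (an MDM, `sscep`, a mobileconfig SCEP payload) has to produce the `PKIOperation` message itself, which a browser cannot.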

achraf_harkati

Thanks Tomas for the Clarifications.

I confirm FGT can make SCEP requests using that url and works fine since a CSR is included with the request.

My goal is to have this certificate installed on a user laptop and use it for EAP-TLS authentication. When I create a user certificate and install it manually on a user laptop, everything (EAP-TLS auth) works fine as well.

Now, does FAC provide a portal that I can use to have users go to and make a certificate request that they can use for EAP-TLS ?

If yes, do you have the URL ?

If not, what is the purpose of the claimed "Device Self-Registration" ? All Fortinet documentation outlines the steps to configure "Device Self-Registration" but does not go further and explain how we can take advantage of this feature from a user perspective. Note that the FAC documentation explains very well the Guest "User Self-Registration" steps.

Bottom line, can we do BYOD Device Onboarding like other vendors do ?

 

Thanks again for your help.

Regards.

 

Achraf.
mikebutash

I am interested in the answer to this as well, if there was one.  I'm working with Authenticator for a customer right now as well as a POC, and would like to see if this works nicely with various other vendor kit/software.  SCEP with standard devices like routers/firewalls, any scep client basically (outside authenticator with human interaction) is ideal.

-mb
tedauction
New Contributor III

I am also looking for an answer on this.

Specifically has anyone got FAC SCEP working with Google MDM ?

vraev
Staff
80211WiGuy
New Contributor III

Hi VR,

We're trying to get this working with our MDM solution which supports real CSR/SCEP requests - you can even test this by creating individual templates with Apple Configurator to build .mobileconfig files for testing before trying automate it with MDM.

 

The self-service portal introduces a vulnerability where once the user downloads the profile, they're free to install that profile on any device they wish.  We want full control over the certificate deployment which is why we're trying to implement this with SCEP.

 

Are there any guides on how to do this solely on FAC?  All I seem to find are guides referencing Azure or Google.
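A minimal version of the .mobileconfig approach mentioned above, as an added example that is not from the thread, from Apple or from Fortinet: a SCEP payload that enrols against the thread's `https://FAC-IP/cert/scep` endpoint (FAC-IP is the thread's placeholder), plus a Wi-Fi payload that uses the issued certificate for EAP-TLS. The SSID, challenge password, subject, RADIUS server name and CA identifier are assumed placeholders. The caveat the post raises applies directly: the `Challenge` here is a static secret embedded in the file, so anyone holding the profile can enrol from any device; an MDM avoids that by generating the profile per device with a one-time challenge.

```python
"""
Generate a .mobileconfig with a SCEP payload and an EAP-TLS Wi-Fi payload
(added example; placeholder values, not a tested FAC deployment).
"""
import plistlib
import uuid

SCEP_URL = "https://FAC-IP/cert/scep"   # endpoint from the thread; FAC-IP is a placeholder


def scep_payload(url, challenge, subject_cn, payload_uuid):
    """SCEP payload: the device generates an RSA key, sends a PKCS#10 CSR with this
    subject and challenge to `url`, and installs the certificate the CA returns."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.fac",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "FAC SCEP enrollment",
        "PayloadContent": {
            "URL": url,
            "Name": "FAC-CA",                  # assumed CA identifier (sent as the GetCACert message)
            "Subject": [[["CN", subject_cn]]],
            "Challenge": challenge,            # static shared secret: portable with the file
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                    # digitalSignature (1) | keyEncipherment (4)
        },
    }


def wifi_eaptls_payload(ssid, identity_payload_uuid, radius_name, payload_uuid):
    """Wi-Fi payload authenticating with EAP-TLS (EAP type 13); the client identity is
    the certificate installed by the SCEP payload named in PayloadCertificateUUID."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": identity_payload_uuid,
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],
            "TLSTrustedServerNames": [radius_name],  # pin the RADIUS server certificate name
        },
    }


def build_profile(ssid, challenge, subject_cn, radius_name, scep_url=SCEP_URL):
    """Top-level Configuration profile containing both payloads."""
    scep_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.byod.eaptls",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD EAP-TLS (SCEP via FortiAuthenticator)",
        "PayloadContent": [
            scep_payload(scep_url, challenge, subject_cn, scep_uuid),
            wifi_eaptls_payload(ssid, scep_uuid, radius_name, wifi_uuid),
        ],
    }


def profile_to_bytes(profile):
    """Serialise as XML plist; the result is the .mobileconfig file (unsigned)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def identity_binding_ok(profile_bytes):
    """Sanity check before shipping: every Wi-Fi payload must reference a SCEP payload
    in the same profile and accept EAP-TLS, otherwise the device joins with no client
    certificate (or fails silently)."""
    prof = plistlib.loads(profile_bytes)
    by_uuid = {p["PayloadUUID"]: p for p in prof["PayloadContent"]}
    for p in prof["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        ref = by_uuid.get(p.get("PayloadCertificateUUID"))
        if ref is None or ref["PayloadType"] != "com.apple.security.scep":
            return False
        if 13 not in p["EAPClientConfiguration"]["AcceptEAPTypes"]:
            return False
    return True


if __name__ == "__main__":
    prof = build_profile("CorpWiFi", "assumed-challenge", "byod-user1", "radius.example.com")
    data = profile_to_bytes(prof)
    assert identity_binding_ok(data)
    with open("byod-eaptls.mobileconfig", "wb") as fh:
        fh.write(data)
```

On the FAC side the request still has to match an enrolment rule (subject pattern and challenge as configured there), so the `Subject` and `Challenge` values above must be adjusted to whatever the SCEP enrolment request on the FAC expects; that mapping is an assumption of this example, not something the thread confirms.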

80211WiGuy
New Contributor III

Thanks VR,

I've been trying to work through that article and adapt it for our needs with no luck unfortunately.
