I have searched for this answer already, so I apologise if this has been previously answered.
Our scenario seems to be one in which our vendor is having issues. Our vendor supplies our network and network equipment (Fortinet).
We have a cloud-native fleet of laptops, so there is no on-prem AD anymore. Each device is issued a SCEP device certificate via Intune. We now need to utilise this certificate for device authentication via the Fortinet APs within our office locations. We do not want a RADIUS server. This approach allows for the device to be connected before the user logs in. This approach also means no credentials are transferred when authenticating.
Is this possible with Fortinet?
If so, how is this accomplished?
I hope someone can add some much-needed insight here.
One question to ask is: what do you want to accomplish? WPA2 Enterprise authentication with certificates, or authentication with PSK and certificate authentication for another use?
FortiGate can do certificate authentication with the hidden section "config user peer". You can configure that part and FortiGate will then show the GUI part for it. Certificates can then be matched against these entries with, for example, "match this CA" or "match this subject". This is by default substring based and can match the complete string as well. A per-user section would then need to be configured.
If you want one user to be authenticated against a userDB, you should be clear what this backend is.
WPA2-E is normally against a RADIUS server that is the backend for the user authentication.
If you do not have a RADIUS server as backend, what is the backend? MS Intune as backend itself will likely not work (not that I know of), which is why I get the idea of the certificate authentication via config user peer. Again, that is limited to what you actually want to achieve.
We want devices connected to Wi-Fi when powered on as they are shared devices, and we need to send updates etc. when no one is logged in. We have device certs on the devices, so we want to authorise the connection via this device cert, so we know the only devices connected to the Wi-Fi are certified corporate devices.
- create a user group and add the peer users to it
- create an SSID, set security-mode to WPA2 Enterprise for example, select 'Local' authentication and then select the group with peer users
I have not, however, found instances of someone actually configuring this, so I can't say for certain that this will work as I believe it should.
Peer users are usually utilized for VPN certificate authentication, not WiFi, so I can't confirm at this point if the WiFi authentication process can handle certificate-only authentication properly or not. From my understanding of the FortiGate authentication process it should, but I don't know for certain, apologies.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
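The two steps above written out as FortiOS CLI, as an added example that is not from this thread or from Fortinet's documentation; every object name and the subject substring are assumed placeholders, and it assumes the Intune SCEP issuing CA has already been imported on the FortiGate as a CA certificate (named here CA_Cert_Intune_SCEP).

```fortios
# Peer user: a client certificate is accepted only if it chains to the
# imported Intune SCEP issuing CA (assumed name) and its subject contains
# the assumed substring. Subject matching is substring based by default.
config user peer
    edit "intune-device-cert"
        set ca "CA_Cert_Intune_SCEP"
        set subject "OU=Corporate Devices"
        set mandatory-ca-verify enable
    next
end

# User group holding the peer user(s), referenced by the SSID below.
config user group
    edit "Corp-Device-Certs"
        set member "intune-device-cert"
    next
end

# SSID using WPA2 Enterprise with local (usergroup) authentication
# instead of a RADIUS server; the group above supplies the peer users.
config wireless-controller vap
    edit "Corp-Devices"
        set ssid "Corp-Devices"
        set security wpa2-only-enterprise
        set encrypt AES
        set auth usergroup
        set usergroup "Corp-Device-Certs"
        set schedule "always"
    next
end
```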
Just curious: has anyone been able to make this setup work? I have the exact same use case at one customer running 7.0 and it doesn't seem to reach the authentication phase (haven't had time to pick up a Wireshark trace, but zero logs showing up in the FortiGate).