Adam1
New Contributor

Device Certificate Wifi Authentication

Hello,

I have searched for this answer already, so I apologise if this has been previously answered.

Our scenario seems to be one in which our vendor is having issues. Our vendor supplies our network and network equipment (Fortinet).

We have a cloud-native fleet of laptops, so there is no on-prem AD anymore. Each device is issued a SCEP device certificate via Intune. We now need to utilise this certificate for device authentication via the Fortinet APs within our office locations. We do not want a RADIUS server. This approach allows the device to be connected before the user logs in. This approach also means no credentials are transferred when authenticating.

My questions:

Is this possible with Fortinet?

If so, how is this accomplished?

I hope someone can add some much-needed insight here.

Anthony_E
Community Manager

Hello Adam,

No need to apologize :)!

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Anthony - Fortinet Community Team.
Anthony_E
Community Manager

Hello Adam,

I am still looking for an answer to your question.

I or somebody else will come back to you ASAP.

Regards,

Anthony - Fortinet Community Team.
Adam1
New Contributor

Thank you

Markus_M
Staff

Hi Adam,

One question to ask is: what do you want to accomplish? WPA2 Enterprise authentication with certificates, or authentication with PSK and certificate authentication for another use?

FortiGate can do certificate authentication with the hidden section "config user peer". You can configure that part and FortiGate will then show the GUI part for it. Certificates can then be matched against these entries with, for example, "match this CA" or "match this subject". This is by default substring based and can match the complete string as well. A per-user section would then need to be configured.

If you want one user to be authenticated against a user DB, you should be clear what this backend is.

WPA2-E is normally against a RADIUS server that is the backend for the user authentication.

If you do not have a RADIUS server as backend, what is the backend? MS Intune as backend itself will likely not work (not that I know of), which is why I get the idea of the certificate authentication via config user peer. Again, that is limited to what you actually want to achieve.

Best regards,

Markus


Adam1
New Contributor

We want devices connected to WiFi when powered on, as they are shared devices and we need to send updates etc. when no one is logged in. We have device certs on the devices, so we want to authorise the connection via this device cert, so we know the only devices connected to the WiFi are certified corporate devices.

Debbie_FTNT

Hey Adam,

The setup would have to look something like this, as far as I have been able to determine:

- create peer users for the devices in FortiGate

-> the peer user config should match device certificates

-> more information on that here:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/776666/creating-a-pki-peer-user

- create a user group and add the peer users to it

- create an SSID, set security-mode to WPA2 Enterprise for example, select 'Local' authentication and then select the group with peer users

I have not, however, found instances of someone actually configuring this, so I can't say for certain that this will work as I believe it should.

Peer users are usually utilized for VPN certificate authentication, not WiFi, so I can't confirm at this point whether the WiFi authentication process can handle certificate-only authentication properly. From my understanding of the FortiGate authentication process it should, but I don't know for certain, apologies.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
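The three steps in the reply above, written out as a FortiOS CLI configuration fragment. This is an added illustration, not configuration from the original post or from Fortinet documentation, and the thread itself does not confirm that WPA2-Enterprise with local peer users works end to end; the certificate name "Intune_Root_CA", the subject substring "OU=Corp-Laptops", and the object names are assumptions, and the debug commands at the end are the usual way to see whether fnbamd ever receives the certificate.

```text
# Assumed: the Intune issuing CA has already been imported as "Intune_Root_CA"
# and the SCEP device certificates carry "OU=Corp-Laptops" in their subject.

# Step 1: a PKI peer user matched on the issuing CA and a subject substring.
# Matching on the CA alone would accept any certificate the CA issued, so the
# subject match narrows it to the device template you actually want on the SSID.
config user peer
    edit "corp-laptop-peer"
        set ca "Intune_Root_CA"
        set subject "OU=Corp-Laptops"
    next
end

# Step 2: a local user group containing the peer user.
config user group
    edit "corp-device-group"
        set member "corp-laptop-peer"
    next
end

# Step 3: a WPA2-Enterprise SSID authenticating against that local group
# instead of a RADIUS server.
config wireless-controller vap
    edit "corp-devices"
        set ssid "CorpDevices"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "corp-device-group"
    next
end

# Check: watch the authentication daemon while a laptop associates. If nothing
# appears here, the exchange is failing before certificate validation is reached.
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
# ... reproduce the connection attempt, then:
diagnose debug disable
diagnose debug reset
```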
FredLens
New Contributor

Just curious: has anyone been able to make this setup work? I have the exact same use case at one customer running 7.0 and it doesn't seem to reach the authentication phase (haven't had time to pick up a Wireshark trace, but zero logs showing up in the FortiGate).

Thanks!!
