Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KennethH
New Contributor III

Created on ‎01-14-2022 11:59 AM Edited on ‎01-14-2022 12:00 PM

EAP-TLS challenges

Hello,

Just got a brand-new Fortinet setup.
Tried to do EAP-TLS with computer authentication + LDAP + Company PKI.
But can't get it to work, so went back to basic, and using FortiAuthenticator as CA and User authentication

I am getting this error:

 

2022-01-14T20:46:50.517025+01:00 FortiAuthenticator radiusd[19012]: (85) eap_tls: Verify User Kenneth (GUI user type: 0, id: 3) certificate binding
2022-01-14T20:46:50.517384+01:00 FortiAuthenticator radiusd[19012]: rlm_eap_tls: Certificate binding check failed. (CN=Kenneth, Issuer=/C=DK/L=Viborg/O=HandbergIT/OU=IT/CN=fac.handberg.pri)
2022-01-14T20:46:50.517642+01:00 FortiAuthenticator radiusd[19012]: (85) eap_tls: ERROR: TLS Alert write:fatal:internal error

 

Have imported the user certificate in Local user certificate personal store.

 

Do someone have any idea why?

Learning fortinet....... :)
Learning fortinet....... :-)
Labels:
6937
0 Kudos
1 Solution
KennethH
New Contributor III

Created on ‎01-18-2022 11:40 PM Edited on ‎01-18-2022 11:41 PM

The issue is now resolved with help from Fortinet Technical Support
Pr. Default MS-Certificate Authority does NOT add Subject to the cert req.
After changing from "none" to "DNS name" and re-issued the certificate everything works.

 

 

KennethH_0-1642577910897.png

 

Learning fortinet....... :)

View solution in original post

Learning fortinet....... :-)
6894
8 REPLIES 8
KennethH
New Contributor III

Created on ‎01-15-2022 05:57 AM

Got it working.
Re-added the user and applied Certificate binding again.
Now it works.
facauth: Updated auth log 'Kenneth': 802.1x authentication successful


If anyone has a guide to EAP-TLS with computer authentication, I would be really happy.

Learning fortinet....... :)
Learning fortinet....... :-)
6884
0 Kudos
iMaMinSKY
New Contributor
In response to KennethH

Created on ‎10-14-2024 08:24 AM

Could you please tell, which attribute did you enter to the "Certificate binding common name" field in the Sync Rule?

598
0 Kudos
KennethH
New Contributor III

Created on ‎01-15-2022 11:53 PM Edited on ‎01-16-2022 12:14 AM

Went back to computer-auth, cause it's the main goal.
Cant get pass this error:

 

  • client certificate: subject '(null)' or issuer '/DC=pri/DC=handberg/CN=handberg-HANDITDC01-CA' is empty

 

  1. The computer has the certificate from CA in local computer store.
  2. Wifi profile is set to use computer authentication.
  3. Certificate binding is set on the user
    KennethH_1-1642320618571.png
  4. LDAP User Mapping Attributes is set like this:

          KennethH_0-1642320368033.png

    5. Radius-EAP Configuration

         KennethH_3-1642320816750.png

 

 

 

 

 

 

 

Learning fortinet....... :)
Learning fortinet....... :-)
6877
0 Kudos
Debbie_FTNT
Staff
Staff
In response to KennethH

Created on ‎01-17-2022 04:54 AM

Hey Kenneth,

welcome to FortiAuthenticator :).
Great that you figured out the initial certificate binding issue.

Regarding EAP-TLS and computer authentication on FortiAuthenticator, we do have a basic guide: https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/48587/wireless-802-1x-eap-tls-w...
This is written for FortiAuthenticator 5.5, but still largely applies - the main difference is the RADIUS client configuration on FortiAuthenticator, as instead of client+profile config, newer FortiAuthenticators require client+policy config (RADIUS policy is just the former RADIUS client profile, essentially).

As for your issue right now, with the "subject '(null)' or issuer is empty" - based on that error alone, it sounds as if your FortiAuthenticator is getting a client certificate that doesn't contain a subject or CA, or the subject/CA doesn't match up with the binding.
- double-check the certificate configured on your wireless client, in particular subject and issuer
- double-check the certificate binding on FortiAuthenticator
- take a capture on FortiAuthenticator to observe the RADIUS/EAP exchange and perhaps double-check certificates this way (how to take captures on FortiAuthenticator: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-run-a-packet-capture-with/...)
- if you still have the issue, reach out to Fortinet Technical Support and open a ticket for some dedicated troubleshooting

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
6858
0 Kudos
KennethH
New Contributor III
In response to Debbie_FTNT

Created on ‎01-17-2022 05:44 AM

Hello Debbie,
Thanks for your answer.
There are some things in the guide, that I cant do in the newer versions.
Like Software switch with internal and wifi interfaces.
I can created a ticket with Technical support.
When I get it to work, I'll post the findings here.

Learning fortinet....... :)
Learning fortinet....... :-)
6857
0 Kudos
KennethH
New Contributor III

Created on ‎01-18-2022 11:40 PM Edited on ‎01-18-2022 11:41 PM

The issue is now resolved with help from Fortinet Technical Support
Pr. Default MS-Certificate Authority does NOT add Subject to the cert req.
After changing from "none" to "DNS name" and re-issued the certificate everything works.

 

 

KennethH_0-1642577910897.png

 

Learning fortinet....... :)
Learning fortinet....... :-)
6895
Debbie_FTNT
Staff
Staff
In response to KennethH

Created on ‎01-19-2022 12:41 AM

Thank you for sharing the solution :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
6837
0 Kudos
iMaMinSKY
New Contributor
In response to KennethH

Created on ‎10-14-2024 08:22 AM

Does you user have a DNS name?

606
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.