Hello,
Just got a brand-new Fortinet setup.
Tried to do EAP-TLS with computer authentication + LDAP + Company PKI.
But I can't get it to work, so I went back to basics and am using FortiAuthenticator as CA and for user authentication.
I am getting this error:
2022-01-14T20:46:50.517025+01:00 FortiAuthenticator radiusd[19012]: (85) eap_tls: Verify User Kenneth (GUI user type: 0, id: 3) certificate binding
2022-01-14T20:46:50.517384+01:00 FortiAuthenticator radiusd[19012]: rlm_eap_tls: Certificate binding check failed. (CN=Kenneth, Issuer=/C=DK/L=Viborg/O=HandbergIT/OU=IT/CN=fac.handberg.pri)
2022-01-14T20:46:50.517642+01:00 FortiAuthenticator radiusd[19012]: (85) eap_tls: ERROR: TLS Alert write:fatal:internal error
I have imported the user certificate into the local user's personal certificate store.
Does anyone have any idea why?
Got it working.
Re-added the user and applied Certificate binding again.
Now it works.
facauth: Updated auth log 'Kenneth': 802.1x authentication successful
If anyone has a guide to EAP-TLS with computer authentication, I would be really happy.
Could you please tell, which attribute did you enter to the "Certificate binding common name" field in the Sync Rule?
Went back to computer-auth, because it's the main goal.
Can't get past this error:
5. Radius-EAP Configuration
Hey Kenneth,
welcome to FortiAuthenticator :).
Great that you figured out the initial certificate binding issue.
Regarding EAP-TLS and computer authentication on FortiAuthenticator, we do have a basic guide: https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/48587/wireless-802-1x-eap-tls-w...
This is written for FortiAuthenticator 5.5, but still largely applies - the main difference is the RADIUS client configuration on FortiAuthenticator, as instead of client+profile config, newer FortiAuthenticators require client+policy config (RADIUS policy is just the former RADIUS client profile, essentially).
As for your issue right now, with the "subject '(null)' or issuer is empty" - based on that error alone, it sounds as if your FortiAuthenticator is getting a client certificate that doesn't contain a subject or CA, or the subject/CA doesn't match up with the binding.
- double-check the certificate configured on your wireless client, in particular subject and issuer
- double-check the certificate binding on FortiAuthenticator
- take a capture on FortiAuthenticator to observe the RADIUS/EAP exchange and perhaps double-check certificates this way (how to take captures on FortiAuthenticator: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-run-a-packet-capture-with/...)
- if you still have the issue, reach out to Fortinet Technical Support and open a ticket for some dedicated troubleshooting
Hello Debbie,
Thanks for your answer.
There are some things in the guide that I can't do in the newer versions,
like a software switch with internal and wifi interfaces.
I have created a ticket with Technical Support.
When I get it to work, I'll post the findings here.
The issue is now resolved with help from Fortinet Technical Support
By default, the MS Certificate Authority does NOT add a Subject to the cert request.
After changing from "none" to "DNS name" and re-issuing the certificate, everything works.
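The failing binding from the first post and the fix in the last one, reproduced as an added example with a throwaway openssl lab CA (this is not code from the thread, from Fortinet, or from FortiAuthenticator). The CA name, the host name pc01.handberg.pri and the check_binding function are assumptions; the function only mimics the two preconditions a CN-based certificate binding needs (a non-empty subject CN and a non-empty issuer) and is not FortiAuthenticator's actual logic. It issues two client certificates from the same key and the same SAN, one with an empty subject (what a template with Subject name format "None" produces) and one whose CN is the DNS name (what the poster switched to), then runs the check on both:

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "empty subject" client
# certificate with a throwaway openssl CA and run the two checks a CN-based
# certificate binding needs (non-empty subject CN, non-empty issuer).
set -e
WORK=$(mktemp -d)

# Constructed lab CA; the names are assumptions standing in for the company PKI.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/C=DK/O=HandbergIT/OU=IT/CN=lab-issuing-ca" >/dev/null 2>&1

# One client key shared by both certificates below.
openssl genrsa -out "$WORK/pc01.key" 2048 >/dev/null 2>&1

# Same SAN on both: the DNS name an autoenrolled computer certificate carries
# regardless of the subject name format chosen on the template.
printf 'subjectAltName=DNS:pc01.handberg.pri\n' > "$WORK/san.ext"

# 1) Subject name format "None": CSR with an empty subject, SAN only.
openssl req -new -key "$WORK/pc01.key" -subj "/" -out "$WORK/empty.csr" 2>/dev/null
openssl x509 -req -in "$WORK/empty.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/empty.crt" >/dev/null 2>&1

# 2) Subject name format "DNS name": the host's DNS name becomes the CN.
openssl req -new -key "$WORK/pc01.key" -subj "/CN=pc01.handberg.pri" -out "$WORK/dns.csr" 2>/dev/null
openssl x509 -req -in "$WORK/dns.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/dns.crt" >/dev/null 2>&1

# Subject CN of a certificate file; empty string when the subject is empty.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Issuer DN of a certificate file without the "issuer=" prefix.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Hypothetical stand-in for the binding precondition: returns 1 with a message
# in the spirit of the thread's error when the subject CN or issuer is missing.
check_binding() {
  cn=$(cert_cn "$1")
  issuer=$(cert_issuer "$1")
  if [ -z "$cn" ] || [ -z "$issuer" ]; then
    echo "FAIL $1: subject CN '(null)' or issuer is empty"
    return 1
  fi
  echo "PASS $1: CN=$cn issuer=$issuer"
}

# The SAN is present on both certificates, which is why the certificate looks
# fine in the client's store while the CN-based binding still fails on the first.
for c in empty dns; do
  openssl x509 -in "$WORK/$c.crt" -noout -ext subjectAltName 2>/dev/null || true
  check_binding "$WORK/$c.crt" || true
done
```

Running it prints a FAIL for empty.crt and a PASS for dns.crt. On the Windows side the corresponding setting is the Subject Name tab of the certificate template: with "Build from this Active Directory information", a Subject name format of "None" puts the DNS name only in the subject alternative name, which is what the first certificate above models; switching it to "DNS name" and re-enrolling the computer produces the second. The same two openssl subject/issuer commands are a quick way to do the "double-check the certificate on your wireless client" step from the earlier reply on an exported client certificate.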
Thank you for sharing the solution :)
Does your user have a DNS name?