Hi guys,
I wonder how FortiAPs handle the EAP-PEAP authentication with RADIUS. In EAP-PEAP authentication, first the RADIUS server authenticates against the user sending a certificate to him, and then the user authenticates with his username and password against the RADIUS server.
I am new in FortiAPs, but other vendors such as Aruba, have a feature called AP termination or EAP offload. With EAP offload disabled, the RADIUS server sends a certificate to the user in order to authenticate itself and then the user authenticates with his credentials. But when the RADIUS server doesn't have a certificate for authenticating or you don't want to use that certificate for any reason, you can enable EAP offload. When enabled, the AP itself acts as the authentication server, the AP terminates the outer layers of the EAP protocol, only relaying the innermost layer (credentials) to the external RADIUS server. This feature can be enabled or disabled just with a click. But I don't see this feature in the FortiGate GUI, so I don't know if FortiAPs can act as the authentication server, if they cannot, or if there is some default. Can you help me?
Regards,
Julián
Hi,
Any idea?
Regards,
Julián
I don't have an answer for you, but such EAP termination sounds useful. If you don't get an answer here I'd contact Fortinet directly.
 
					
				
				
			
		
| User | Count | 
|---|---|
| 2677 | |
| 1412 | |
| 810 | |
| 703 | |
| 455 | 
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.