Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
doncacciatoconsuting
New Contributor III

Created on ā€Ž08-01-2024 03:15 PM

FAC - Wifi EAP-TLS authetication using only Machine certs

I'm trying to test authentication by using Machine certs instead of User certs. When I configure the windows supplicant to use "User or Computer" OR "User" I can authenticate. If I force the setting to "Computer" it fails. Both the computer and user certs are valid and signed by same CA.

 

I must be missing something in the Radius server config. Any ideas ?

Labels:
378
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to doncacciatoconsuting

Created on ā€Ž08-02-2024 08:24 AM Edited on ā€Ž08-02-2024 08:30 AM

Without the binding, it should work as long as the certificate presented by the supplicant is valid. You can have more information by checking the RADIUS> Authentication debug logs: https://<fac>/debug/

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

331
4 REPLIES 4
xshkurti
Staff
Staff

Created on ā€Ž08-02-2024 07:17 AM

FAC should be root ca for certificate issuing.

Wireless 802.1x EAP-TLS with computer authentication | FortiAuthenticator 5.5.0 | Fortinet Document ...

349
ebilcari
Staff
Staff

Created on ā€Ž08-02-2024 07:33 AM Edited on ā€Ž08-02-2024 07:38 AM

What version of FAC is running in this setup? Previous versions, would require certificate bindings with a valid username (hostname). Later version allows also certificate checks only to a Trusted CA:

 

trustca.PNG

More information can be found here, Identity source section.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
343
doncacciatoconsuting
New Contributor III
In response to ebilcari

Created on ā€Ž08-02-2024 08:03 AM

Yes, I have noticed in 6.6 you can use a local or trusted CA instead of bindings. Even when I select the "Trusted CA" option, if the supplicant only sends a Computer cert signed by that particular CA it fails. When the "User or Computer" OR "User", it works. I guess it's not a huge deal because both certs will be present, so why not send both. At this point I'm just curious why.

335
0 Kudos
ebilcari
Staff
Staff
In response to doncacciatoconsuting

Created on ā€Ž08-02-2024 08:24 AM Edited on ā€Ž08-02-2024 08:30 AM

Without the binding, it should work as long as the certificate presented by the supplicant is valid. You can have more information by checking the RADIUS> Authentication debug logs: https://<fac>/debug/

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
332
Announcements

Select Forum Responses to become Knowledge Articles!

Select the ā€œNominate to Knowledge Baseā€ button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.