Hi all,
I'm not a Fortigate or Freeradius expert by any means but I usually manage to do things if I get some notes how to do things.
I would like to accomplish the following.
Part 1
Authenticate windows 11 native ipsec vpn users with certificates (EAP-TLS)
Firewall is Fortigate with 7.2.7 firmware
Remote user ipsec vpn with certificates, users are stored in LDAP (Not AD) directory, certificates contain e-mail address and cn.
Freeradius is used as Radius server, connected to LDAP Backend, want to use that LDPA server to verify certificate and return authenticated/not authenticated.
Part 2
WPA2 authentication for windows 11 users with certificates (EAP-TLS)
Wireless authentication for primary Windows 11 users, Fortinet Access Points connected to Freeradius server via Fortigate Firewall.
Part 3
802.1X authentication for wired clients, Fortinet Switches connected to Fortigate firewall and Freeradius server.
There are lots of playbooks for doing this with Windows AD and Windows NPS server, but not so much for Freeradius.
I suppose that there are people that has done this before and could share pointers how to get it to work.
I know that it probably would be easier to setup with Fortinet Radius or NPS, but I don’t have that so I have to work with what I got
Thanks in advance
Lennart
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Lelle68,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hi Lelle68,
freeradius may not be covered well here, simply because we don't do much with direct configuration.
I suggest you check the freeradius forums/documentation directly:
https://www.freeradius.org/documentation/freeradius-server/4.0.0/tutorials/eap-tls.html
EAP-TLS itself is only a protocol, encapsulated in RADIUS and the server won't really care what the use case of the end user is (IPSec/WPA2/Wired-EAP-auth).
It will respond, and both server AND client MUST trust the certificate that the other node sends. So the RADIUS server must trust the client certificate and have the issuer added to its trusted root CA store. Conversely, the client must trust what the server sends in the TLS exchange.
Keep also in mind that user and computer/machine authentication also do not matter much.
- The client must be set up to sent the correct certificate to authenticate
- The RADIUS server likewise will receive a certificate via RADIUS and then evaluate it. Whether host/laptop123 or user123 is part of the subject is solely up to the RADIUS server configuration to read/map.
Documentation on the FortiGate part and your questions:
2) https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/653067/configuring-the-fortiwif... (the FortiGate part)
3) https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/999322/configuring-the-switch (the switch part)
A bit more detail on how to configure the Windows side is found here:
https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-How-to-use-FortiSwitch-to-authenticate-u...
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.