Hi, I have been having some major difficulties with EAP-TLS Certificate Auth, I originally posted here, as I thought the FAC was set up incorrectly, but having speaking to TAC, its set up correctly it seems, the issue appears to be between client and the AP, it doesnt get any further,.
The laptop has a client cert, issues by MSOFT AD, I have the Root CA on the FAC, The client has been set up to connect via EAP-TLS on the SSID , The APs broadcast the SSID and its set to WPA2 Enterprise and pointing to my FAC, the packet capture shows nothing hitting the AP, the client can see the SSID, and when you click connect on the laptop it says "waiting to authenticate" the WIFI Event on the Gate shows:
auth-req - AP recieved authentication request frame from client xx.xx.xx.xx.xx.xx
auth-resp - AP sent authentication response frame to client xx.xx.xx.xx.xx.xx
reassoc-req - AP received reassociation request frame from client xx.xx.xx.xx.xx.xx
reassoc-resp - AP sent reassociation response frame to client xx.xx.xx.xx.xx.xx
client-disconnected-by-wtp - Client xx.xx.xx.xx.xx disconnected by WTP
then that's it! , Stupidly I spent all my time on the FAC, when the problem is clearly between client laptop and AP, Wireless and certs are most definitely not my strong point, in fact Im beginning to doubt my abilities completely! but thats another story, but I would love to get this project over the line, I am sure I am missing something so simple!
Followed this to the latter more or less,
https://www.youtube.com/watch?v=wlJaFCqwNBs
and this from page 298
Any insight or help really appreciated before I lose my mind.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Based on your description it seems like the supplicant in the end host is not correctly configured and than AP disassociated it. You need to configure the connection manually from control panel in order to get all the configuration options, like shown here.
The root CA that generated 'EAP Server Certificate' used in FAC need to be present in the end host otherwise the suppliant may refuse to start the negotiation.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.