tommygunn
New Contributor

FortiAuthenticator Windows 7 certificates

I have been banging my head against a wall for days now with this problem. I am doing testing with a view to a rollout; the problem I have is that I want wireless users to authenticate to FAC, then to AD. I have a FortiGate linked to a FAP, which is then linked to the FAC using RADIUS, which in turn interrogates AD using LDAP. Now phones, Macs and other devices can authenticate using AD credentials. The problem is that the majority of PCs are Windows 7 devices, which will not authenticate. As far as I can see there is a certificate issue; I have tried importing FAC certificates to the Windows machines but with no resolution.

I have been running round in circles trying to resolve this. Please can someone shed any light on this? Is this a common problem?

xsilver_FTNT
Staff

Hello tommygunn,

I guess that your issue might be caused by an issue with W7 being unable to use WPA2.

It needs to be manually reconfigured.

See http://docs.fortinet.com/uploaded/files/1045/fortigate-wireless-40-mr3.pdf, especially from page 56, "Windows 7 client".

Best regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

tommygunn

Hi Tomas,

Thanks for the reply, I do appreciate it. I wish it was that easy. During the sign-on process with Windows devices I get a pop-up with a choice of two internal certificates, neither of which works. On other non-Windows devices you just need to accept the certificate pushed down from the FortiGate, which you accept and connect with no problem. But for some reason Windows doesn't give you the pop-up and then looks internally for a certificate. Driving me insane at the moment. Not sure if it's something I have done or some kind of Windows certificate issue.

Thanks

Thomas

xsilver_FTNT

What about creating a local CA on FAC (it's one of its designed purposes), using that CA cert to create a WPA (EAP-TLS/PEAP etc.) cert + config on FAC, and using the same CA to make a client/user cert => export that from FAC and import it into the test workstation's cert store on Windows. Also import there (on the workstation) the FAC CA cert into the trusted root CA certs. Similar to the SSL VPN cert-based auth scenario.

Then retest whether that user cert is one of those proposed to the user during the WiFi bind.


xsilver_FTNT

Hi tommygunn,

The mentioned process with a CA on FAC was meant more for ease of troubleshooting.

It is not mandatory in any way to have a root CA built on FAC. Although I have never built that scenario in a lab, I believe there should not be any problem having the DC as CA, with user certs issued by the DC CA as well as the PEAP cert for FAC also issued by the DC CA.

However, if you do not need to use the DC as CA, then you can use FAC as CA, or as an intermediate CA (where it will use a CA cert issued by the DC CA).

There are certainly several possible combinations.

Best regards, Tomas

PS: thank you for the rating given to my previous update.


Bromont_FTNT

Have you unchecked "Validate Server Certificate" in PEAP properties?

tommygunn

Hi Guys,

Yes, thanks, I have unchecked "validate certificate" on the Windows machine and managed to get it working. Spot on Tomas, I think you're correct. After reading more literature on the FAC, I will have to set up a local CA on the FAC. I'm quite new to the FAC way of doing things and was under the impression that it would trust the AD CA which is installed on the FAC.

Thanks Tomas for your help, much appreciated. 
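Unchecking "Validate Server Certificate" gets the Windows 7 client connecting, but it then accepts whatever certificate the RADIUS side presents, whereas the CA-on-FAC route keeps validation on with the FAC CA in the trusted root store. As an added example (not from this thread or from Fortinet), the Python below audits a Windows PEAP profile of the kind produced by `netsh wlan export profile` and flags whether validation is off and whether a root CA is pinned; the sample profile and its SSID are constructed, and the element layout follows the profile schema as I know it.

```python
import xml.etree.ElementTree as ET

# Namespaces of the PEAP section in a profile from "netsh wlan export profile"
NS = {"peap1": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
      "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"}

# Constructed sample (hypothetical SSID): a PEAP profile after "Validate server
# certificate" was unchecked; only the elements the audit reads are kept.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CorpWiFi-Test</name><MSM><security>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames></ServerValidation>
<PeapExtensions><PerformServerValidation
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
</PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>
</security></MSM></WLANProfile>"""

def audit_peap_profile(xml_text):
    """Return the PEAP server-validation settings plus a list of weak points."""
    root = ET.fromstring(xml_text)
    sv = root.find(".//peap1:ServerValidation", NS)
    if sv is None:
        return None  # not a PEAP profile
    perform = root.find(".//peap1:PeapExtensions/peap2:PerformServerValidation", NS)
    names = sv.find("peap1:ServerNames", NS)
    result = {
        # Assumption: a profile without the V2 element keeps the default (validate on)
        "perform_server_validation": perform is None or (perform.text or "").strip().lower() == "true",
        # Thumbprints are exported with spaces between bytes; normalise them
        "trusted_root_cas": ["".join((el.text or "").split()).lower()
                             for el in sv.findall("peap1:TrustedRootCA", NS)],
        "server_names": (names.text or "").strip() if names is not None else "",
        "findings": [],
    }
    if not result["perform_server_validation"]:
        result["findings"].append("validation off: any RADIUS server certificate is accepted")
    else:
        if not result["trusted_root_cas"]:
            result["findings"].append("no trusted root CA pinned: any CA in the machine store will do")
        if not result["server_names"]:
            result["findings"].append("no server name restriction on the RADIUS certificate")
    return result
```

A profile with validation on, the FAC (or DC) CA thumbprint under TrustedRootCA and the FAC name under ServerNames produces no findings.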
