barisben
New Contributor

FortiNAC-F Dot1x Validate User's Certificate

Hello,

 

I will generate a CSR, create a CA certificate and import it to the FortiNAC-F. After that, I will distribute it to clients. The clients connect with dot1x, and I want to check whether the client has joined the domain; if so, it can connect to the network. I added the "User-Name=DomainName\*" attribute, but I want to add a certificate attribute to check whether it is joined. How can I do that?
ebilcari
Staff

To easily find the available attributes that can be used in the UHP, you can refer to the 'Endpoint Fingerprints' that are created with the source 'RADIUS Auth Request', as shown below:

[Screenshot: Endpoint Fingerprints, RADIUS attributes]

A better approach is to allow all the users to authenticate and then use the Persistent Agent to isolate the hosts that are not compliant. This offers more granularity and can be configured to check different conditions on the end hosts. The domain check can be added as a built-in custom scan:

[Screenshot: Custom Scan]

Some details can be found in these articles:

Technical Tip: A simple network example of deploying Persistent Agent in FortiNAC

Technical Tip: Monitor Custom scans to ensure a quicker response to host compliance

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

I forgot to mention: the company doesn't want to use an agent, so I have to do this verification this way. Normally, when a user tries to connect to the network in this way, it asks whether they want to trust the certificate once on the first attempt, and then the connection can be established. However, since the agent will not be used and we don't want anyone who hasn't imported this certificate to be able to connect to the network, we want to ensure that if someone without the certificate tries to connect, they are not asked whether they want to trust the certificate, and therefore cannot connect. For these reasons, I want to check this using an attribute here.

ebilcari

Based on your description, I think you are referring to EAP-PEAP. In this case only the server certificate is verified by the client/supplicant, and it's up to the supplicant whether it chooses to communicate with the RADIUS server. In this case there isn't any RADIUS attribute that includes any details related to the certificate.

This will work only if EAP-TLS is used, which has mutual certificate verification: each client will send its own certificate, and it can be used as a RADIUS attribute.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

How can I configure TLS for authentication? Or, if I am right, if I add an attribute that indicates whether the EAP type is TLS (I can find an attribute for this; I want this because if someone tries to connect with PEAP they will accept the certificate and can connect to the network) and change all users' adapter settings as needed for TLS, is it okay if I do this?

barisben

Or do I just need to uncheck PEAP from the supported EAP types?

ebilcari

Yes, if you are not expecting normal hosts to authenticate via PEAP, then leave only EAP-TLS enabled in the RADIUS virtual server. FortiNAC allows creating multiple RADIUS servers, in case PEAP needs to be used for another network device.

Keep in mind that to implement EAP-TLS, you will require a PKI solution to enroll certificates in the end hosts.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

I imported the certificate to "Server Certificates" as "Local RADIUS Server (EAP) [radius]" and imported it to "Trusted Certificates" as "RADIUS Endpoint Trust [radius]". After that we imported the certificate to the end hosts and changed the wireless adapter settings like this:

[Screenshots: wireless adapter settings]

But the end user is getting this error.

[Screenshot: error shown on the end host]

ebilcari

As mentioned in the previous reply, you will need a PKI solution to enroll certificates (user, computer or both) in the end hosts in order to have EAP-TLS authentication. Usually a Microsoft CA is used, which has enrollment templates that automate the process of generating and renewing certificates in the PCs that are joined to the domain.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

As I said, we already did this, but the end users are getting that error although the certificate is included in the certificates.
