Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
achraf_harkati
New Contributor

Created on ‎11-29-2017 02:08 AM

Fortiauthenticator : SCEP Issue

Hi All,

 

I'm wondering if Anyone has used FortiAuthenticator to perform BYOD ?

I'm testing FAC 5.1.2 in a lab envirement to authenticate WiFi users using EAP-TLS, the FAC has a CA certificate configured (signed by a Win2016 root CA). And I'm stuck at getting devices self-enrolled to obtain a certificate that they can use for EAP-TLS.

I've enabled Device Self-enrollment using the CA Certificate Template (SCEP request is configured using Wildcard).

At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required

 

I've also tried http (enabled http on the Interface) instead of https and keep getting the same error.

 

Has anyone faced the same problem before ?

Has anyone succefully got device self-enrollment working on FAC using SCEP ?

Do FAC provide an onboarding portal similar to other products such as Aruba Clearpass ?

 

Your help will be very much appreciated.

 

Achraf.

 

 

 

 

5964
0 Kudos
6 REPLIES 6
xsilver_FTNT
Staff
Staff

Created on ‎12-01-2017 01:46 AM

Hi,

 

"At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required"

 

That's because the URL is not intended to be used for human interaction and manual enrollment.

It is for SCEP enrollment (SCEP, PKCS packed CSR [Certificate Signing Request], is expected as input), therefore you are getting that error as you haven't sent your GET with appropriate data.

If you do, for example, new cert generation via CSR and choose SCEP as signing method from FGT, then it will send PKCS encrypted data to FAC via this URL (you have to specify in FGT).

Then FAC will check CSR against SCER Enrolment Requests rules and process accordingly (auto enroll/wait for admin enrollment/reject basically).

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer

2797
0 Kudos
achraf_harkati
New Contributor
In response to xsilver_FTNT

Created on ‎12-01-2017 02:48 AM

Thanks Tomas for the Clarifications.

I confirm FGT can make SCEP requests using that url and works fine since a CSR is included with the request.

My goal is to have this certificate installed on a User laptop and use it for EAP-TLS authentication. When I create a user certificate and install it manually on a user laptop everthing (EAP-TLS auth) works fine as well.

Now do FAC provide a protal that I can use to have users go to and make a certificate request that they can use for EAP-TLS ?

If yes, do you have the URL ?

If not, what is the purpose of the claimed "Device Self-Registration" ? All Fortinet documentation outlines the steps to configure "Device Self-Registration" but does not go further and explain how we can take advantage of this feature from a user perspective? Note that the FAC documentation explains very well the  Guest "User Self-Registration" steps.

Bottomline, can we do BYOD Device Onborading like othe vendors do ?

 

Thanks again for your help.

Regards.

 

Achraf.

 

 

2797
0 Kudos
achraf_harkati
New Contributor
In response to xsilver_FTNT

Created on ‎12-01-2017 02:51 AM

Thanks Tomas for the Clarifications.

I confirm FGT can make SCEP requests using that url and works fine since a CSR is included with the request.

My goal is to have this certificate installed on a User laptop and use it for EAP-TLS authentication. When I create a user certificate and install it manually on a user laptop everthing (EAP-TLS auth) works fine as well.

Now do FAC provide a protal that I can use to have users go to and make a certificate request that they can use for EAP-TLS ?

If yes, do you have the URL ?

If not, what is the purpose of the claimed "Device Self-Registration" ? All Fortinet documentation outlines the steps to configure "Device Self-Registration" but does not go further and explain how we can take advantage of this feature from a user perspective? Note that the FAC documentation explains very well the  Guest "User Self-Registration" steps.

Bottomline, can we do BYOD Device Onborading like othe vendors do ?

 

Thanks again for your help.

Regards.

 

Achraf.

2796
0 Kudos
mikebutash
New Contributor
In response to achraf_harkati

Created on ‎09-12-2018 10:52 PM

I am interested in the answer to this as well, if there was one.  I'm working with Authenticator for a customer right now as well as a POC, and would like to see if this works nicely with various other vendor kit/software.  SCEP with standard devices like routers/firewalls, any scep client basically (outside authenticator with human interaction) is ideal.

-mb
2796
0 Kudos
tedauction
New Contributor III

Created on ‎06-17-2019 05:04 PM

I am also looking for an answer on this.

Specifically has anyone got FAC SCEP working with Google MDM ?

2796
0 Kudos
vraev
Staff
Staff

Created on ‎04-19-2023 03:04 AM

Hi all,
There is an article about this topic:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Enabling-the-self-service-portal-...

V.R.
737
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.