Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tubirubs
New Contributor II

Multiples SSIDs with Radius FortiAuthenticator + EAP-TLS

Hello community!

 

I have a very complex scenario to implement, but without much information.

 

The intended scenario is:

 

Multiple SSIDs for the Wireless network, however, must use WPA2-Enterprise... however, I do not intend for authentication to be done with user and pass, but rather via the EAP-TLS certificate issued by fortiauthenticator, tied to the local user created.

 

Performing EAP authentication was already successful, however, now I need to isolate the certificates so that only the certificate authorized for a given SSID can access.

 

In testing, any certificate is capable of logging into the SSID. How to isolate?
I've already tried to create the local group on Fortigate and indicate the remote group on Fortiauthenticator, but without success.


I've already tried applying the radius attributes, indicating the FortiAP SSID for the created user, but it didn't work.

 

summary: I intend for each ssid to only allow one certificate issued by fortiauthenticator

 

Is there any way to apply this scenario?

 

 

1 Solution
ebilcari
Staff
Staff

You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID and than on "Identity source" select only the interested groups:

rad-policy.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

3 REPLIES 3
ebilcari
Staff
Staff

You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID and than on "Identity source" select only the interested groups:

rad-policy.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
tubirubs
New Contributor II

Tanks for your tip ebilcari! 

 

I have never worked at this level at authenticator. I thought I couldn't have more than one policy, but I went a different route, but following your tip.

 

I have never worked at this level at authenticator. I thought I couldn't have more than one policy, but I went a different route, but following your tip.

I created several Local CAs for each entity that will use the SSID, so I was able to tie the certificate and indicate the radius attribute indicating the FortiAP SSID.

Below are some screenshots:

 

Capturar.PNG

 

Capturar1.PNG

Capturar3.PNG

Capturar4.PNG

Capturar5.PNG

Capturar6.PNG

 PS:
I omitted some information because, despite being a test server, I used some real data to create the certificate

 

 

Thanks for the tip!

 

Its Works

ebilcari

Good catch, thanks for sharing your findings, glad to help!

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors