Hello community!
I have a very complex scenario to implement, but without much information.
The intended scenario is:
Multiple SSIDs for the wireless network, all of which must use WPA2-Enterprise. However, I do not intend for authentication to be done with user and pass, but rather via the EAP-TLS certificate issued by FortiAuthenticator, tied to the local user created.
Performing EAP authentication was already successful. However, now I need to isolate the certificates so that only the certificate authorized for a given SSID can access it.
In testing, any certificate is capable of logging into the SSID. How can I isolate them?
I've already tried to create the local group on FortiGate and indicate the remote group on FortiAuthenticator, but without success.
I've already tried applying the RADIUS attributes, indicating the FortiAP SSID for the created user, but it didn't work.
Summary: I intend for each SSID to only allow one certificate issued by FortiAuthenticator.
Is there any way to apply this scenario?
You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID, and then on "Identity source" select only the interested groups:
Thanks for your tip, ebilcari!
I have never worked at this level on the authenticator. I thought I couldn't have more than one policy. I went a different route, but following your tip.
I created several Local CAs, one for each entity that will use the SSID, so I was able to tie the certificate and indicate the RADIUS attribute indicating the FortiAP SSID.
Below are some screenshots:
PS:
I omitted some information because, despite being a test server, I used some real data to create the certificate.
Thanks for the tip!
It works.
Good catch, thanks for sharing your findings, glad to help!
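The decision logic discussed in this thread (one RADIUS policy per SSID, each accepting only certificates from its own issuing CA) can be modelled as below; this is an added example, not part of the thread and not FortiAuthenticator code. Assumptions: the SSID arrives in Called-Station-Id in the RFC 3580 `AP-MAC:SSID` form, the first policy matching the SSID decides, and all SSID, CA and policy names are constructed.

```python
import re
from dataclasses import dataclass

# Called-Station-Id per RFC 3580: AP MAC (hyphen, colon or no separators), ':', SSID.
_CSID = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:]?[0-9A-Fa-f]{2}){5}:(.+)$")

@dataclass(frozen=True)
class RadiusPolicy:
    name: str                   # hypothetical policy name
    ssid: str                   # "RADIUS attribute criteria": SSID to match
    allowed_issuers: frozenset  # "identity source": issuing CAs accepted

def ssid_from_called_station_id(value):
    """Return the SSID part of Called-Station-Id, or None if it is absent."""
    m = _CSID.match(value or "")
    return m.group(1) if m else None

def authorize(policies, called_station_id, cert_issuer):
    """Return (accepted, reason). Anything that matches no policy is rejected."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return (False, "no SSID in Called-Station-Id")
    for policy in policies:
        if policy.ssid == ssid:  # exact, case-sensitive SSID match
            if cert_issuer in policy.allowed_issuers:
                return (True, policy.name)
            # A valid certificate from another entity's CA stops here.
            return (False, "issuer not allowed by " + policy.name)
    return (False, "no policy for SSID")

# Constructed sample data: one local CA per entity, one policy per SSID.
POLICIES = [
    RadiusPolicy("policy-entity-a", "Entity-A", frozenset({"CA-Entity-A"})),
    RadiusPolicy("policy-entity-b", "Entity-B", frozenset({"CA-Entity-B"})),
]

if __name__ == "__main__":
    samples = [
        ("00-11-22-33-44-55:Entity-A", "CA-Entity-A"),  # right CA, right SSID
        ("00-11-22-33-44-55:Entity-A", "CA-Entity-B"),  # the case from the question
        ("00-11-22-33-44-55:Guest", "CA-Entity-A"),     # SSID with no policy
    ]
    for csid, issuer in samples:
        print(csid, issuer, authorize(POLICIES, csid, issuer))
```

The second sample is the failure described in the question: a certificate that passes EAP-TLS validation but was issued for a different SSID, which a single catch-all policy would accept.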