Hello everyone,
I'm looking for guidance on configuring a network authentication scenario using FortiGate and FortiSwitch devices, along with a FreeRADIUS server. Here's my hardware setup:
Authentication Requirements:
Questions:
Any guidance, tips, or configuration examples would be greatly appreciated.
Thank you in advance for your help!
Since you want to use certificates for authentication than the protocol that will be used is EAP-TLS. This is fully supported by Fortinet products. The configuration on the FGT/FAP/FSW should be fairly easy (converting EAP to RADIUS requests) and the complexity will remain on the RADIUS server side, certificate creation and the configurations of the supplicant on the end hosts.
Fortinet offers FortiNAC as RADIUS server and you can refer to the integration guides as an example to get more information regarding the FGT and FortiAP, FortiSwitch configurations.
Thank you for your reply.
I've successfully configured FreeRadius for EAP-TLS authentication and have installed the appropriate certificate on my laptop. However, when attempting to configure the RADIUS server on my FortiGate, I noticed that EAP-TLS is not listed as an available authentication method. The options available are CHAP, MS-CHAP, MS-CHAPv2, and PAP (see pic below).
Could this limitation with the available authentication methods on FortiGate be the reason why my EAP-TLS setup is not working as expected? If it is the case, how can I proceed to configure it?
Thank you in advance for your help!
The authentication method you are showing here is for NAS - RADIUS server communication and not with the end host authentication method (EAP-TLS). This should not be relevant since you are using certificates to authenticate the hosts and not their credentials like used in PEAP for ex.
This may depend on the server configurations but leaving the Default or PAP in this configuration should be fine.
Thank you for the clarification. I initially thought it might be causing a conflict because when I set MS-CHAPv2 on both the FortiGate and FreeRadius, the authentication works, and I can connect to the WiFi using a username and password. However, I aim to use certificate-based authentication exclusively without the need for username and password input.
Do you have any insights into what might be causing this issue?
As mentioned earlier the Fortinet products you are using in this setup are easy to configure. The complexity remains in the PKI infrastructure (certificate management), the configurations on the RADIUS server and the supplicant on the end hosts. You can refer to this FNAC guide page 7 related to RADIUS certificate requirements (EAP and endpoint trust) that you need to upload on the RADIUS server and also the certificate attributes needed on the end host.
I was able to configure it using a certificate for WiFi authentication. Would it be possible to use the same authentication for the switch ports? If so, how can I configure it on the FortiGate?
Yes, you can use the same authentication type but the FSW will handle the RADIUS authentication by themselves and will not behave like the APs.
The RADIUS configurations are pushed from FGT to the FSW but the RADIUS requests are originated from the FSW itself. You need to specify the SW IP as individual NAS IP in the RADIUS server and make sure that the traffic is routed and allowed through FGT.
Thanks for your suggestion!
I successfully configured RADIUS authentication for the Wi-Fi network, and clients are now authenticating correctly.
Could you please advise on how to configure RADIUS authentication for wired clients as well?
That's good news. FSW differs from FAP, even though the configuration are done and pushed by the FGT, the RADIUS requests and authentication is handled directly by the switch. Keep in mind to add the switch management IP as a NAS device in the RADIUS server
You have to create a security policy and apply it at all the ports where it's needed:
Helpful commands to check the authentication status:
from FGT: # diagnose switch-controller switch-info 802.1X S1x port4
from FSW: # diagnose switch 802-1x status
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.