Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Keyrock_IT
New Contributor II

WiFi e LAN authentication using certificate with FreeRadius

Hello everyone,

I'm looking for guidance on configuring a network authentication scenario using FortiGate and FortiSwitch devices, along with a FreeRADIUS server. Here's my hardware setup:

  • FortiGate 100F running firmware v7.2.8
  • FortiSwitch 148F running firmware v7.4.2
  • FortiAP 231G running firmware v7.4.0
  • FreeRADIUS server (version 3.0) running in the internal LAN

Authentication Requirements:

  • I need to authenticate devices (both on WiFi and LAN) using certificates only, without relying on user credentials or MAC address filtering.

Questions:

  1. Is it possible to implement certificate-based authentication in this setup for both LAN and WLAN?
  2. What would be the recommended approach to configure this scenario using FortiGate and FreeRADIUS?

Any guidance, tips, or configuration examples would be greatly appreciated.

Thank you in advance for your help!

9 REPLIES 9
ebilcari
Staff
Staff

Since you want to use certificates for authentication than the protocol that will be used is EAP-TLS. This is fully supported by Fortinet products. The configuration on the FGT/FAP/FSW should be fairly easy (converting EAP to RADIUS requests) and the complexity will remain on the RADIUS server side, certificate creation and the configurations of the supplicant on the end hosts.

Fortinet offers FortiNAC as RADIUS server and you can refer to the integration guides as an example to get more information regarding the FGT and FortiAPFortiSwitch configurations.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Keyrock_IT
New Contributor II

Thank you for your reply.

I've successfully configured FreeRadius for EAP-TLS authentication and have installed the appropriate certificate on my laptop. However, when attempting to configure the RADIUS server on my FortiGate, I noticed that EAP-TLS is not listed as an available authentication method. The options available are CHAP, MS-CHAP, MS-CHAPv2, and PAP (see pic below).

Could this limitation with the available authentication methods on FortiGate be the reason why my EAP-TLS setup is not working as expected? If it is the case, how can I proceed to configure it?

Thank you in advance for your help!Screenshot 2024-05-06 at 11.15.47.png

ebilcari

The authentication method you are showing here is for NAS - RADIUS server communication and not with the end host authentication method (EAP-TLS). This should not be relevant since you are using certificates to authenticate the hosts and not their credentials like used in PEAP for ex.

This may depend on the server configurations but leaving the Default or PAP in this configuration should be fine.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Keyrock_IT
New Contributor II

Thank you for the clarification. I initially thought it might be causing a conflict because when I set MS-CHAPv2 on both the FortiGate and FreeRadius, the authentication works, and I can connect to the WiFi using a username and password. However, I aim to use certificate-based authentication exclusively without the need for username and password input.

Do you have any insights into what might be causing this issue?

ebilcari

As mentioned earlier the Fortinet products you are using in this setup are easy to configure. The complexity remains in the PKI infrastructure (certificate management), the configurations on the RADIUS server and the supplicant on the end hosts. You can refer to this FNAC guide page 7 related to RADIUS certificate requirements (EAP and endpoint trust) that you need to upload on the RADIUS server and also the certificate attributes needed on the end host.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Keyrock_IT
New Contributor II

I was able to configure it using a certificate for WiFi authentication. Would it be possible to use the same authentication for the switch ports? If so, how can I configure it on the FortiGate?

ebilcari

Yes, you can use the same authentication type but the FSW will handle the RADIUS authentication by themselves and will not behave like the APs.

The RADIUS configurations are pushed from FGT to the FSW but the RADIUS requests are originated from the FSW itself. You need to specify the SW IP as individual NAS IP in the RADIUS server and make sure that the traffic is routed and allowed through FGT.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
hbac
Staff
Staff

Hi @Keyrock_IT,

 

It is possible. You can configure FortiGate to send authentication requests the the RADIUS server. Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-Authenticate-to-FortiAP-with-certi...

 

Regards, 

Keyrock_IT
New Contributor II

Thank you for sharing the procedure.

I took a look at the guide, but it appears to reference RADIUS configuration on a Windows server machine. Currently I am using FreeRadius on a Linux machine.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors