Support Forum
Keyrock_IT
New Contributor II

WiFi and LAN authentication using certificates with FreeRADIUS

Hello everyone,

I'm looking for guidance on configuring a network authentication scenario using FortiGate and FortiSwitch devices, along with a FreeRADIUS server. Here's my hardware setup:

  • FortiGate 100F running firmware v7.2.8
  • FortiSwitch 148F running firmware v7.4.2
  • FortiAP 231G running firmware v7.4.0
  • FreeRADIUS server (version 3.0) running in the internal LAN

Authentication Requirements:

  • I need to authenticate devices (both on WiFi and LAN) using certificates only, without relying on user credentials or MAC address filtering.

Questions:

  1. Is it possible to implement certificate-based authentication in this setup for both LAN and WLAN?
  2. What would be the recommended approach to configure this scenario using FortiGate and FreeRADIUS?

Any guidance, tips, or configuration examples would be greatly appreciated.

Thank you in advance for your help!

ebilcari
Staff

Since you want to use certificates for authentication, the protocol that will be used is EAP-TLS. This is fully supported by Fortinet products. The configuration on the FGT/FAP/FSW should be fairly easy (converting EAP to RADIUS requests) and the complexity will remain on the RADIUS server side, certificate creation and the configuration of the supplicant on the end hosts.

Fortinet offers FortiNAC as a RADIUS server and you can refer to the integration guides as an example to get more information regarding the FGT and FortiAP/FortiSwitch configurations.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Keyrock_IT
New Contributor II

Thank you for your reply.

I've successfully configured FreeRadius for EAP-TLS authentication and have installed the appropriate certificate on my laptop. However, when attempting to configure the RADIUS server on my FortiGate, I noticed that EAP-TLS is not listed as an available authentication method. The options available are CHAP, MS-CHAP, MS-CHAPv2, and PAP (see pic below).

Could this limitation with the available authentication methods on FortiGate be the reason why my EAP-TLS setup is not working as expected? If it is the case, how can I proceed to configure it?

Thank you in advance for your help!

[attachment: Screenshot 2024-05-06 at 11.15.47.png]

ebilcari

The authentication method you are showing here is for NAS - RADIUS server communication and not the end host authentication method (EAP-TLS). This should not be relevant since you are using certificates to authenticate the hosts and not their credentials, as is done in PEAP for example.

This may depend on the server configurations but leaving the Default or PAP in this configuration should be fine.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
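To illustrate the split described above, here is an added configuration pair (not from the thread): the FortiGate side only defines the RADIUS peer and the SSID that forwards EAP to it, while the EAP-TLS decision itself lives in FreeRADIUS's eap module. Object names, addresses, the shared secret and certificate paths are placeholders.

```text
# FortiGate (FortiOS 7.2): RADIUS server object. 'auth-type' only governs how the
# FortiGate itself would authenticate credentials against the server (PAP/CHAP/
# MS-CHAP); EAP-TLS is carried through to the server untouched. Placeholder values.
config user radius
    edit "freeradius"
        set server "192.0.2.5"
        set secret ExampleSharedSecret
        set auth-type auto
    next
end

# WPA2-Enterprise SSID that hands EAP frames to the server above (placeholder names).
config wireless-controller vap
    edit "corp-dot1x"
        set ssid "corp-dot1x"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "freeradius"
    next
end

# FreeRADIUS 3.0, /etc/raddb/mods-available/eap (excerpt). This is where EAP-TLS
# is actually decided: the server presents its own certificate and validates the
# client certificate against ca_file. ${certdir}/${cadir} come from radiusd.conf.
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
        # Only accept the CA that issued the endpoint certificates; keep TLS modern
        cipher_list      = "HIGH"
        tls_min_version  = "1.2"
    }
    tls {
        tls = tls-common
    }
}
```

With this in place a username/password prompt on the client means the supplicant is still negotiating PEAP/MS-CHAPv2; the client profile must select EAP-TLS and the user certificate, not the server-side auth-type.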
Keyrock_IT
New Contributor II

Thank you for the clarification. I initially thought it might be causing a conflict because when I set MS-CHAPv2 on both the FortiGate and FreeRadius, the authentication works, and I can connect to the WiFi using a username and password. However, I aim to use certificate-based authentication exclusively without the need for username and password input.

Do you have any insights into what might be causing this issue?

ebilcari

As mentioned earlier the Fortinet products you are using in this setup are easy to configure. The complexity remains in the PKI infrastructure (certificate management), the configurations on the RADIUS server and the supplicant on the end hosts. You can refer to this FNAC guide page 7 related to RADIUS certificate requirements (EAP and endpoint trust) that you need to upload on the RADIUS server and also the certificate attributes needed on the end host.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Keyrock_IT
New Contributor II

I was able to configure it using a certificate for WiFi authentication. Would it be possible to use the same authentication for the switch ports? If so, how can I configure it on the FortiGate?

ebilcari

Yes, you can use the same authentication type but the FSW will handle the RADIUS authentication by themselves and will not behave like the APs.

The RADIUS configurations are pushed from the FGT to the FSW but the RADIUS requests originate from the FSW itself. You need to specify the switch IP as an individual NAS IP in the RADIUS server and make sure that the traffic is routed and allowed through the FGT.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Keyrock_IT
New Contributor II

Thanks for your suggestion!

I successfully configured RADIUS authentication for the Wi-Fi network, and clients are now authenticating correctly.

Could you please advise on how to configure RADIUS authentication for wired clients as well?


ebilcari

That's good news. The FSW differs from the FAP: even though the configurations are done and pushed by the FGT, the RADIUS requests and authentication are handled directly by the switch. Keep in mind to add the switch management IP as a NAS device in the RADIUS server.

You have to create a security policy and apply it at all the ports where it's needed:

[attachment: auth-int.PNG]


Helpful commands to check the authentication status:

from FGT: # diagnose switch-controller switch-info 802.1X S1x port4

from FSW: # diagnose switch 802-1x status

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
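As an added example (not from the thread), this is the CLI equivalent of the security policy and port assignment shown in the screenshot, plus the NAS entry FreeRADIUS needs because the switch, not the FortiGate, sends the Access-Requests. The switch ID "S1x" and port4 follow the diagnose command above; policy names, the switch IP and the secret are placeholders.

```text
# FortiGate (FortiOS 7.2): user group wrapping the RADIUS server object (placeholder names)
config user group
    edit "dot1x-certs"
        set member "freeradius"
    next
end

# 802.1X port security policy; it is pushed to the FortiSwitch by the switch controller.
config switch-controller security-policy 802-1X
    edit "dot1x-eap-tls"
        set user-group "dot1x-certs"
        set security-mode 802.1X
        # Certificate holders only: no MAC bypass, no open/guest fallback
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
    next
end

# Apply the policy per access port on the managed switch (repeat for every port that needs it)
config switch-controller managed-switch
    edit "S1x"
        config ports
            edit "port4"
                set port-security-policy "dot1x-eap-tls"
            next
        end
    next
end

# FreeRADIUS 3.0, /etc/raddb/clients.conf: the switch management IP must be a NAS of
# its own, separate from the FortiGate entry used for the wireless clients.
client fortiswitch-s1x {
    ipaddr    = 192.0.2.20
    secret    = ExampleSharedSecret
    shortname = fsw-148f
    nastype   = other
}
```

If the switch management IP is missing from clients.conf, FreeRADIUS silently drops the request and the FGT/FSW diagnose output shows the port stuck in an unauthenticated state.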