Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TheOnlyJames
New Contributor III

Created on ‎06-24-2024 02:03 AM

WiFi using FortiAuthenticator RADIUS with certificates

Following this link - https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/812128/creating-a-local-ca-on-f...

 

I am a little confused, the cookbook suggests you have to create a user certificate? i have over 500 LDAP users, that cant be right can it? it also suggests you create the local users on the FAC? thats a bit pointless, my FAC is connected to AD, so why would I need to create the users again,  Im looking for a solution where the users connected to the business WIFI, using their machine certs, not sure why we need user certs, is it another check or something? thanks

 

Labels:
2147
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to The_Nude_Deer

Created on ‎06-26-2024 01:56 AM

Yes, it doesn't have to be that difficult :) the cookbook is a bit old. You have to pay attention also to the CRLs in order to prevent logins from hosts with revoked certificates.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

1970
15 REPLIES 15
ebilcari
Staff
Staff

Created on ‎06-26-2024 01:26 AM

Do the machines already have certificates from a private CA?

If the machines have their certificates deployed you can configure the RADIUS policy, Identity source to check against Trusted CA(s) "Accepts all the valid client certificates signed by one of the trusted CAs." as shown here. This option may not be available if you are running an old firmware version.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1357
The_Nude_Deer
Contributor
In response to ebilcari

Created on ‎06-26-2024 01:39 AM Edited on ‎06-26-2024 01:43 AM

(logged me into this forum on the wrong account!)

The Machines are in AD, they do have a cert from a internal CA yes, I looked this up yesterday with a colleague, I have imported that Root CA to the FAC, which already has a LDAP connection, so, is that it? the machine will present the cert , its trusted by the FAC and so it allows authentication to the SSID? the cookbook makes it a lot more convoluted than this?

1350
ebilcari
Staff
Staff
In response to The_Nude_Deer

Created on ‎06-26-2024 01:56 AM

Yes, it doesn't have to be that difficult :) the cookbook is a bit old. You have to pay attention also to the CRLs in order to prevent logins from hosts with revoked certificates.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1971
ebilcari
Staff
Staff
In response to The_Nude_Deer

Created on ‎06-26-2024 01:59 AM

You can also refer to this section of the guide that it seems updated and cover the necessary steps in detail.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1333
TheOnlyJames
New Contributor III
In response to ebilcari

Created on ‎06-26-2024 02:12 AM

I assume this is exactly the same for using User cert? I don't need to add VLAN as its a tunnelled SSID with its own DHCP and VLAN...

1328
0 Kudos
ebilcari
Staff
Staff
In response to TheOnlyJames

Created on ‎06-26-2024 02:41 AM

If you choose to use Certificate bindings, the LDAP configurations and Realm will be different. In case of Trusted CA(s), only the certificate will be checked so same RADIUS policy can be applied:

bindings.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1323
TheOnlyJames
New Contributor III
In response to ebilcari

Created on ‎06-26-2024 02:51 AM

Not sure I understand now, what bindings? you said as long as I have the root CA cert on the FAC it will trust what is presented from the user? wether its a machine cert or a user cert?

1319
0 Kudos
ebilcari
Staff
Staff
In response to TheOnlyJames

Created on ‎06-26-2024 03:04 AM

As shown in the picture above you have two options, if you choose the 2nd option "Trusted CA(s)" and select the private root CA as trusted CA, FAC will allow the authentication (user or machine) without trying to bind it to a LDAP entry.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1315
TheOnlyJames
New Contributor III
In response to ebilcari

Created on ‎06-26-2024 03:43 AM

Ah! OK, problem is, I don't have that screen on identity sources, on the policy, I just have the option to pick a realm and nothing there like your screen

1294
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.