WiFi using FortiAuthenticator RADIUS with certificates
Following this link - https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/812128/creating-a-local-ca-on-f...
I am a little confused. The cookbook suggests you have to create a user certificate? I have over 500 LDAP users, that can't be right, can it? It also suggests you create the local users on the FAC? That's a bit pointless, my FAC is connected to AD, so why would I need to create the users again? I'm looking for a solution where the users connect to the business WiFi using their machine certs. Not sure why we need user certs, is it another check or something? Thanks
Do the machines already have certificates from a private CA?
If the machines have their certificates deployed, you can configure the RADIUS policy Identity source to check against Trusted CA(s) ("Accepts all the valid client certificates signed by one of the trusted CAs."), as shown here. This option may not be available if you are running an old firmware version.
If you have found a solution, please like and accept it to make it easily accessible for others.
Created on 06-26-2024 01:39 AM, edited on 06-26-2024 01:43 AM
(logged me into this forum on the wrong account!)
The machines are in AD, they do have a cert from an internal CA, yes. I looked this up yesterday with a colleague. I have imported that Root CA to the FAC, which already has an LDAP connection, so is that it? The machine will present the cert, it's trusted by the FAC and so it allows authentication to the SSID? The cookbook makes it a lot more convoluted than this?
Yes, it doesn't have to be that difficult :) The cookbook is a bit old. You also have to pay attention to the CRLs in order to prevent logins from hosts with revoked certificates.
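As an added example (not from the thread and not Fortinet's code), the script below rebuilds the decision described in the reply above with openssl: a throwaway private CA standing in for the internal AD CA, two constructed machine certs, and a CRL that revokes one of them. It shows that a chain check against the trusted root alone still accepts the revoked cert, and that only the CRL check rejects it; all names and certificates are constructed.

```shell
# Added example, not from the thread: reproduce the "Trusted CA(s)" decision with
# openssl, with and without a CRL. The CA, machine names and certs are all constructed.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# Private root CA, standing in for the internal AD CA whose root is imported into the FAC
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Internal CA" -config ca.cnf 2>/dev/null
issue() {  # $1 = machine name; writes $1.pem, a machine cert signed by the CA
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.pem" -notext 2>/dev/null
}
issue laptop-ok; issue laptop-lost
# The second laptop is reported lost: revoke its cert and publish a CRL
openssl ca -config ca.cnf -revoke laptop-lost.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# Prints accept/reject: chain check against the trusted CA only, or with the CRL ($2 = crl)
decide() {
  if [ "$2" = crl ]; then set -- -crl_check -CAfile ca.pem -CRLfile ca.crl "$1"
  else set -- -CAfile ca.pem "$1"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo accept; else echo reject; fi
}
for c in laptop-ok laptop-lost; do
  echo "$c: CA only=$(decide "$c.pem"), CA+CRL=$(decide "$c.pem" crl)"
done
```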
You can also refer to this section of the guide, which seems updated and covers the necessary steps in detail.
I assume this is exactly the same for using a user cert? I don't need to add a VLAN as it's a tunnelled SSID with its own DHCP and VLAN...
If you choose to use certificate bindings, the LDAP configuration and realm will be different. In the case of Trusted CA(s), only the certificate will be checked, so the same RADIUS policy can be applied:
Not sure I understand now, what bindings? You said as long as I have the root CA cert on the FAC it will trust what is presented from the user, whether it's a machine cert or a user cert?
As shown in the picture above, you have two options. If you choose the 2nd option "Trusted CA(s)" and select the private root CA as trusted CA, FAC will allow the authentication (user or machine) without trying to bind it to an LDAP entry.
Ah! OK, the problem is, I don't have that screen on identity sources. On the policy, I just have the option to pick a realm, and nothing there like your screen.
