TheOnlyJames
New Contributor

WiFi using FortiAuthenticator RADIUS with certificates

Following this link - https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/812128/creating-a-local-ca-on-f...

I am a little confused. The cookbook suggests you have to create a user certificate? I have over 500 LDAP users, that can't be right, can it? It also suggests you create the local users on the FAC? That's a bit pointless; my FAC is connected to AD, so why would I need to create the users again? I'm looking for a solution where the users connect to the business WiFi using their machine certs. Not sure why we need user certs, is it another check or something? Thanks

1 Solution
ebilcari

Yes, it doesn't have to be that difficult :) The cookbook is a bit old. You also have to pay attention to the CRLs in order to prevent logins from hosts with revoked certificates.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

ebilcari

This is a new option added in later versions of FAC; I guess you are still on the 6.4 firmware. Try to upgrade to the 6.5 firmware branch. The screenshot is from a FAC running 6.5.5.

- Emirjon
TheOnlyJames

I am on 6.6.0. I created a new policy and then was able to select cert, so this option purely looks at the cert and lets the user authenticate, nothing else, whereas the other option does what? Is it the same thing?

ebilcari

As also shown within the FAC GUI, the bindings have an extra verification step. It will try to match the CN of the certificate to the username of a local/remote user. If that doesn't match, the authentication will fail:

[screenshot: bindi2.PNG]

- Emirjon
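The two checks discussed in this thread, rejecting hosts whose certificate is on the CA's CRL and (with the binding option) matching the certificate CN to a user name from the directory, as an added illustration that is not part of the original posts and not FortiAuthenticator's own code. It is constructed demo code using the Python `cryptography` library: the CA, the user certificates, the CRL and the user set (`alice`, `carol`) are all generated in the script, and `evaluate()` is a hypothetical stand-in for the decision the RADIUS server makes. With `binding=True` a valid certificate whose CN has no matching account is refused, which is the difference between the two policy options asked about above.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _now():
    # Naive UTC, matching what cryptography returns for validity times.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_ca(name="Demo Local CA"):
    """Self-signed CA standing in for the FAC local CA (constructed for the demo)."""
    key = _keypair()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY).not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(ca_key, ca_cert, common_name):
    """End-entity certificate whose CN is the account name, as the binding expects."""
    key = _keypair()
    now = _now()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY).not_valid_after(now + 30 * ONE_DAY)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA that lists the given serial numbers as revoked."""
    now = _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now).next_update(now + ONE_DAY)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def _signed_by(ca_cert, signature, tbs_bytes, hash_alg):
    try:
        ca_cert.public_key().verify(signature, tbs_bytes, padding.PKCS1v15(), hash_alg)
        return True
    except Exception:
        return False


def evaluate(cert, ca_cert, crl, directory_users, binding=True):
    """Hypothetical server-side decision: 'accept: <cn>' or 'reject: <reason>'."""
    now = _now()
    if cert.issuer != ca_cert.subject or not _signed_by(
        ca_cert, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm
    ):
        return "reject: not issued by the trusted CA"
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return "reject: outside validity period"
    # A CRL only counts if it really comes from the CA and has not expired.
    if not _signed_by(ca_cert, crl.signature, crl.tbs_certlist_bytes, crl.signature_hash_algorithm):
        return "reject: CRL signature invalid"
    if crl.next_update < now:
        return "reject: CRL is stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "reject: certificate revoked"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if binding and cn not in directory_users:
        return f"reject: no user named {cn!r} in the directory"
    return f"accept: {cn}"


def demo():
    """Constructed scenario: a lost-then-reissued cert, a cert with no account, a look-alike CA."""
    ca_key, ca_cert = make_ca()
    _, lookalike_ca = make_ca()  # same name, different key: the signature check must catch it
    alice_old = issue_user_cert(ca_key, ca_cert, "alice")  # reported lost, goes on the CRL
    alice_new = issue_user_cert(ca_key, ca_cert, "alice")
    bob = issue_user_cert(ca_key, ca_cert, "bob")  # valid cert, but no directory account
    crl = build_crl(ca_key, ca_cert, [alice_old.serial_number])
    users = {"alice", "carol"}  # constructed stand-in for the LDAP/AD user list
    return {
        "alice_new": evaluate(alice_new, ca_cert, crl, users),
        "alice_old": evaluate(alice_old, ca_cert, crl, users),
        "bob_bound": evaluate(bob, ca_cert, crl, users),
        "bob_cert_only": evaluate(bob, ca_cert, crl, users, binding=False),
        "lookalike": evaluate(alice_new, lookalike_ca, crl, users),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} {result}")
```

Note the order of the checks: the chain and validity checks come first, then revocation, then the CN binding, so a revoked certificate is refused even when its CN still names a live account, which is exactly the case the CRL advice above is about.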
The_Nude_Deer
Contributor

Right! So this is the method I need to use: user cert, then checked in LDAP. So it's the 2nd option I need, right? Thank you, there just isn't a clear guide for that option! Still looking.
