WiFi using FortiAuthenticator RADIUS with certificates
Following this link - https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/812128/creating-a-local-ca-on-f...
I am a little confused. The cookbook suggests you have to create a user certificate? I have over 500 LDAP users, that can't be right, can it? It also suggests you create the local users on the FAC? That's a bit pointless; my FAC is connected to AD, so why would I need to create the users again? I'm looking for a solution where the users connect to the business WiFi using their machine certs. Not sure why we need user certs, is it another check or something? Thanks
Labels: FortiAuthenticator
Yes, it doesn't have to be that difficult :) The cookbook is a bit old. You also have to pay attention to the CRLs in order to prevent logins from hosts with revoked certificates.
If you have found a solution, please like and accept it to make it easily accessible for others.
This is a new option added in later versions of FAC; I guess you are still on the 6.4 firmware. Try to upgrade to the 6.5 firmware branch. The screenshot is from a FAC running 6.5.5.
I am on 6.6.0. I created a new Policy and then was able to select cert, so this option purely looks at the cert and lets the user authenticate, nothing else, whereas the other option does what? Is it the same thing?
As also shown within the FAC GUI, the bindings have an extra verification step. It will try to match the CN of the certificate to the username of a local/remote user. If that doesn't match, the authentication will fail:
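To make the difference between the two identity-source modes concrete (chain check only versus chain check plus CN-to-user binding), and the CRL caveat raised earlier in the thread, here is an added example that reproduces the decision logic with plain openssl. It is not FortiAuthenticator code; the CA name, the usernames alice/bob/mallory and the string standing in for the AD group "ALLOWED EAP-TLS USERS" are all constructed lab data, and the only tool assumed is a stock openssl binary.

```shell
#!/bin/sh
# Added example (not FortiAuthenticator's own code). Emulates the two RADIUS
# identity-source modes with openssl:
#   "Trusted CAs"          -> cert_is_trusted   (chain + CRL check only)
#   "Certificate bindings" -> eap_tls_authorize (chain + CRL, then CN must be a group member)
# All names and data below are constructed assumptions for the lab.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Local CA, standing in for the FAC local CA --------------------------
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout ca.key -out ca.crt -subj "/CN=Lab EAP-TLS CA" >/dev/null 2>&1

# Minimal "openssl ca" config so the CA can publish a CRL (constructed)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# --- Issue a user certificate whose CN is the AD account name ------------
issue_user_cert() {                       # $1 = username
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out "$1.crt" >/dev/null 2>&1
}

publish_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1; }
revoke_user_cert() {                      # $1 = username; re-publishes the CRL
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  publish_crl
}

# Constructed stand-in for the members of the AD group "ALLOWED EAP-TLS USERS"
ALLOWED_EAP_TLS_USERS="alice bob"

# CN of the leaf certificate, printed in RFC 2253 form so the field is unambiguous
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Step 1 ("Trusted CAs"): chain must end at our CA and the cert must not be revoked
cert_is_trusted() {
  openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem "$1" >/dev/null 2>&1
}

# Step 2 ("Certificate bindings"): the CN has to name a member of the allowed group
cn_is_bound_user() {
  cn=$(cert_cn "$1")
  for u in $ALLOWED_EAP_TLS_USERS; do
    [ "$u" = "$cn" ] && return 0
  done
  return 1
}

# Full EAP-TLS authorization as the bindings policy evaluates it
eap_tls_authorize() {
  cert_is_trusted "$1" && cn_is_bound_user "$1"
}

# --- Demo: three supplicants ---------------------------------------------
issue_user_cert alice     # in the group, valid cert      -> ACCEPT
issue_user_cert mallory   # valid cert, not in the group  -> REJECT (binding)
issue_user_cert bob       # in the group, but revoked     -> REJECT (CRL)
publish_crl
revoke_user_cert bob

for u in alice mallory bob; do
  if eap_tls_authorize "$u.crt"; then echo "$u: ACCEPT"; else echo "$u: REJECT"; fi
done
```

Note that mallory passes `cert_is_trusted` on its own: with "Trusted CAs" as the only identity source, anyone holding a certificate from the CA is admitted, which is exactly why the bindings step (and the AD group filter) is needed. Without `-crl_check`/`-CRLfile`, bob would also still be accepted after revocation.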
Hi, this isn't working the way I expected, may I clarify something?
RADIUS Policy:
Added the FortiGates as RADIUS clients
RADIUS Attribute - Added the SSID that users will connect to for EAP-TLS
Authentication type - Client Certificates (EAP-TLS)
Identity Sources - this was set to Trusted CAs, which is not right, as it just checks the cert. I need it to check AD as well, so I have changed this to Certificate bindings and have selected the AD group "ALLOWED EAP-TLS USERS" on the filter. This is how it should be, yes?
On the Realm I am using an LDAP server. Is this all I need? Many thanks
Right! So this is the method I need to use: USER CERT, then checked in LDAP. So it's the 2nd option I need, right? Thank you, there just isn't a clear guide for that option! Still looking.
Has anyone done this at all? It just isn't even close to working, despite configuring everything from the cookbooks and discussions here.
