Support Forum
Phuoc_Ngo
New Contributor

Wifi Client certificate enforcement

Hi,
We are trying to figure out a way to require a client that connects to a Wi-Fi AP to have a certificate. How do we go about getting that implemented on the iPhone or iPad? Any feedback would be greatly appreciated.
Thank you,
Regards, Phuoc Ngo
Carl_Wallmark
Valued Contributor

Will you be using the built-in certificate in the FortiGate, or a RADIUS server?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Phuoc_Ngo
New Contributor

We can use either. We have our own certificate already generated and imported into the FortiGate.
Mike_FTNT
Staff

>> require a client that connect to wifi AP to have a certificate

Do you mean each user should have his or her own unique user certificate issued by the network admin? If yes, you need to set up a RADIUS server and make it support EAP-TLS authentication. The network admin needs to create a Root CA on the RADIUS server and then, based on that Root CA, create user certificates for the Wi-Fi clients one by one. The same CA will be given to all users, and the user certificates will be distributed to users in a strict one-to-one mapping. When a Wi-Fi client wants to connect to such a WPA-Enterprise SSID, he or she must provide both the CA and the user certificate to authenticate. However, I'm not sure if iPad and iPhone support EAP-TLS authentication, because iOS is somewhat closed and the user must import the certificates first.
Phuoc_Ngo
New Contributor

In our scenario, we only have the certificate hosted on the FortiGate and would like to have the FortiGate check for that certificate before allowing access.
Mike_FTNT
Staff

Please be advised that such an FGT-side certificate is not intended to check the user's access privilege. Instead, the Wi-Fi user can utilize the Root CA to verify that the AP is the genuine one and NOT a fake (e.g. a phishing site). Then the "genuine" AP can verify the user's username and password to authenticate the user. So far as I know, iPad and iPhone as Wi-Fi clients will *always* let the user accept the AP-side certificate when trying to connect to a WPA-Enterprise SSID. (In this case, iPad and iPhone use PEAP authentication with MS-CHAPv2 inner encryption by default.) However, different OSes and/or 802.1X software may behave differently. For example, Ubuntu has integrated WPA Enterprise authentication and CA verification is *optional*, at the user's choice. That is to say, it is the user who decides whether or not to trust the AP.
Phuoc_Ngo
New Contributor

Mike,
Thank you so much for your advice and feedback. So there is no way we can use Fortinet to deny the client connectivity if they are using a different certificate?
Regards, Phuoc Ngo
Mike_FTNT
Staff

It'd better be described from the user's viewpoint. If the user is using a different certificate (CA) that can NOT verify the server-side certificate, the Wi-Fi client can NOT connect to the Access Point at all. No matter where the server certificate exists -- FGT or RADIUS server -- when only the server certificate is involved (that is, no user certificate will be verified by the server), the user himself or herself can decide to verify the server certificate (more secure) or just bypass it (more risky).
pcraponi
Contributor II

Hi,
You can e-mail yourself the SSL certificate. Then retrieve it on your iPad/iPhone and open the certificate file. The iPad will ask if you want to install it. Check it to install the SSL certificate...
Apple has some tools to make this easier to deploy. See here: http://dombarnes.com/2008/07/howto-install-wifi-certificates-on-your-iphone/
Look for "iPhone Configuration Utility" on the internet...
Regards, Paulo Raponi
Mike_FTNT
Staff

Hi Paulo. That's helpful. Thanks!
Regards, Mike