Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kylehouk
New Contributor II

Created on ‎07-12-2023 08:50 AM Edited on ‎07-12-2023 08:58 AM

Azure SAML WiFi Authentication Cert Trust Error

I was following the guide to setup WiFi authentication using Azure and SAML IdP from the Fortinet community here 

 

The authentication does work, but it gives a certificate error when connecting. If you trust the cert the authentication goes through and works. The below error message is seen when using the Fortinet Factory cert.

 

Azure-SAML-Fortinet-Cert (2).png

 

The following error is observed when using a CA cert from Let's Encrypt.

Azure-SAML-Cert-Error.png

 

The intended use is for this network to be used for personal cell phones of company employees. So I do not want employees to have download or trust anything on their devices when connecting to the network.

 

If it is not possible to avoid the cert trust error please let me know. Otherwise below is what I have tried to get it to work.

 

The documentation mentions using a CA certificate and redirecting the auth portal page. However, whenever I redirect the portal it breaks the authentication. I have tired adding the redirection in both the GUI and CLI and various certs, neither works.

 

Based on the error it seems that the cert error is occurring because the authentication request is coming from the internal IP of the subnet and not the FQDN of the cert. However as mentioned anytime I redirect the portal page it breaks the authentication. (Yes, I updated the Azure App and Fortinet URL's to reflect the redirected address, but it still broke the authentication).

 

I am still pretty new to certs and stuff so I am probably missing something and help is appreciated.

 

 

 

1682
5 REPLIES 5
ndumaj
Staff
Staff

Created on ‎07-14-2023 02:44 PM

Hello,

The certificate you are using cannot be verified, i see that you are using the IP instead of FQDN, maybe IP is not added as SAN(Subject Alternative Name).
For unmanaged devices you should use public certificate authorities (for example GlobalSign, Gigicert ... ) to avoid Cert warning.
Please review the following articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-TLS-and-the-use-of-Digital-Certificates/ta...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fixing-the-error-Certificate-file-is...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-generate-wildcard-CSR/ta-p/195414
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-avoid-certificate-error-message-by-....

BR

- Happy to help, hit like and accept the solution -
1627
0 Kudos
kylehouk
New Contributor II

Created on ‎09-12-2023 08:06 AM

To get the certificate to be seen as valid I had to setup the local DNS server on the Fortigate and enable it on the interface for the network where I want the certificate to be valid.

1500
0 Kudos
OscarDNL
New Contributor

Created on ‎02-27-2024 01:38 PM

Im having same issue, could u please explain more datailed what you did?
pls

480
0 Kudos
kylehouk
New Contributor II
In response to OscarDNL

Created on ‎02-27-2024 01:56 PM

On the Fortigate I created a new recursive DNS service on the interface where I need users to authenticate using SAML. Then I created a new DNS database. I called the DNS Zone "Internal Domains" as the name. For the Domain Name I set it to the same domain as certificate uses.

 

Next I created DNS A record entry pointing to the IP of the firewall on the same vlan as the DNS server I created earlier.

 

For example, if the certificate you were planning to use is saml.example.com on a subnet of 10.0.0.0/24 with the router IP of 10.0.0.1 I would configure the DNS as follows:

 

Create a new DNS database with Domain Name of example.com on the interface that has the 10.0.0.0/24 subnet. I would then create a DNS A record of saml pointing to the IP of 10.0.0.1 Finally on the 10.0.0.0/24 interface set the DNS server to be same as interface IP. This will set the DNS server IP sent to DHCP clients as the Fortigate itself.

Now when you are prompted to do SAML auth the IP address matches the certificate, and it doesn't throw the error.

 

 

478
OscarDNL
New Contributor
In response to kylehouk

Created on ‎02-27-2024 04:05 PM

It worked! thank you so much

467
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.