Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tubirubs
New Contributor II

Created on ‎04-20-2024 06:32 PM Edited on ‎04-20-2024 06:51 PM

Multiples SSIDs with Radius FortiAuthenticator + EAP-TLS

Hello community!

 

I have a very complex scenario to implement, but without much information.

 

The intended scenario is:

 

Multiple SSIDs for the Wireless network, however, must use WPA2-Enterprise... however, I do not intend for authentication to be done with user and pass, but rather via the EAP-TLS certificate issued by fortiauthenticator, tied to the local user created.

 

Performing EAP authentication was already successful, however, now I need to isolate the certificates so that only the certificate authorized for a given SSID can access.

 

In testing, any certificate is capable of logging into the SSID. How to isolate?
I've already tried to create the local group on Fortigate and indicate the remote group on Fortiauthenticator, but without success.


I've already tried applying the radius attributes, indicating the FortiAP SSID for the created user, but it didn't work.

 

summary: I intend for each ssid to only allow one certificate issued by fortiauthenticator

 

Is there any way to apply this scenario?

 

 

200
0 Kudos
1 Solution
ebilcari
Staff
Staff

Created on ‎04-21-2024 02:30 AM

You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID and than on "Identity source" select only the interested groups:

rad-policy.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

151
0 Kudos
3 REPLIES 3
ebilcari
Staff
Staff

Created on ‎04-21-2024 02:30 AM

You can create separate RADIUS policies and differentiate based on "RADIUS attribute criteria" to select each SSID and than on "Identity source" select only the interested groups:

rad-policy.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
152
0 Kudos
tubirubs
New Contributor II
In response to ebilcari

Created on ‎04-21-2024 07:43 AM

Tanks for your tip ebilcari! 

 

I have never worked at this level at authenticator. I thought I couldn't have more than one policy, but I went a different route, but following your tip.

 

I have never worked at this level at authenticator. I thought I couldn't have more than one policy, but I went a different route, but following your tip.

I created several Local CAs for each entity that will use the SSID, so I was able to tie the certificate and indicate the radius attribute indicating the FortiAP SSID.

Below are some screenshots:

 

Capturar.PNG

 

Capturar1.PNG

Capturar3.PNG

Capturar4.PNG

Capturar5.PNG

Capturar6.PNG

 PS:
I omitted some information because, despite being a test server, I used some real data to create the certificate

 

 

Thanks for the tip!

 

Its Works

117
ebilcari
Staff
Staff
In response to tubirubs

Created on ‎04-21-2024 08:37 AM

Good catch, thanks for sharing your findings, glad to help!

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
112
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.