In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS using computer authentication.
In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. FortiAuthenticator authenticates the domain computer by its client certificate, with no username, password or user interaction required.
The example includes a native Windows 7 supplicant and a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch as per the FortiAuthenticator RADIUS attributes.
1. Active Directory prerequisites

Key considerations:
2. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.

Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration. If the client certificates were not created by FortiAuthenticator, the 3rd-party server certificate would have to be uploaded to FortiAuthenticator as a Trusted CA. In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer. Export the PKCS#12 file and passphrase-protect it.

The client certificate can be pushed out using a GPO (Group Policy Object). Otherwise, it can be imported manually.
3. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown. Open Command Prompt and type On the File menu, click Add/Remove Snap-in.

Once imported, the certificate should show up under Local Computer and not Current User. Export the FortiAuthenticator root CA certificate (created in Step 2) and import it under Trusted Root Certification Authorities (again under Certificates (Local Computer)).
4. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server. Ensure that the Username attribute matches the entry in the AD configuration in Step 1.

Go to Authentication > User Management > Realms and create a new realm for these users.
5. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.
6. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check that the sync rule worked.
7. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.
8. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

    set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
    set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
    set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
    set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
    set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
    set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
    set interfaces ge-0/0/1 unit 0 family ethernet-switching   #windows 7 machine port, no VLAN assigned, will be allocated dynamically
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering   #interface used to communicate with FortiAuthenticator
    set interfaces me0 unit 0 family inet address 10.1.1.1/24
    set interfaces vlan unit 10 family inet address 10.1.2.27/24
    set protocols dot1x authenticator authentication-profile-name profile1
    set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single   #802.1x configuration requiring supplicant
    set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
    set access profile profile1 authentication-order radius
    set access profile profile1 radius authentication-server 10.1.2.29
    set vlans engineering vlan-id 10
    set vlans engineering l3-interface vlan.10
9. Results

The authentication flow should initiate as soon as the wired computer starts up (while connected to the domain).
Using

    02:18:48.572998 IP (tos 0x0, ttl 64, id 32483, offset 0, flags [none], proto UDP (17), length 203)
        10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 175
        Access-Request (1), id: 0x4d, Authenticator: 27e45f0edbfa7026318d583ccf915776
          User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
            0x0000:  686f 7374 2f6c 656e 6f2e 666f 7274 6961
            0x0010:  642e 6e65 74
          NAS-Port Attribute (5), length: 6, Value: 71
            0x0000:  0000 0047
          EAP-Message Attribute (79), length: 28, Value: .
            0x0000:  0200 001a 0168 6f73 742f 6c65 6e6f 2e66
            0x0010:  6f72 7469 6164 2e6e 6574
          Message-Authenticator Attribute (80), length: 18, Value: ...0S2 ....... .M
            0x0000:  b60f 874f 5332 c9a7 e2f5 d90e 8c20 e64d
          Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa00370003dd64
            0x0000:  384f 322e 3178 3831 6661 3030 3337 3030
            0x0010:  3033 6464 3634
          NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0
            0x0000:  6765 2d30 2f30 2f31 2e30
          Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
            0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
            0x0010:  30
          Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
            0x0000:  6138 2d64 302d 6535 2d62 302d 3231 2d38
            0x0010:  30
          NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
            0x0000:  0000 000f
Continuing with

    02:18:48.578465 IP (tos 0x0, ttl 64, id 29725, offset 0, flags [none], proto UDP (17), length 108)
        10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x18a3 -> 0x7f96!] RADIUS, length: 80
        Access-Challenge (11), id: 0x4d, Authenticator: 8140836b0192a5ef12630d4d049d05e6
          EAP-Message Attribute (79), length: 24, Value: ..
            0x0000:  0101 0016 0410 bc6b 992d bbfc 141f 3bb1
            0x0010:  1908 2978 2030
          Message-Authenticator Attribute (80), length: 18, Value: .#...:&%N.z.7...
            0x0000:  dc23 d299 0f3a 2625 4eed 7a9c 37d9 ef97
          State Attribute (24), length: 18, Value: ........ ...m.q.
            0x0000:  c21b 819c c21a 85b8 20c3 b2b7 6d1a 71d6
The Access-Accept message with the RADIUS attributes is returned to the switch:

    02:18:48.919099 IP (tos 0x0, ttl 64, id 29732, offset 0, flags [none], proto UDP (17), length 236)
        10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1923 -> 0xae5a!] RADIUS, length: 208
        Access-Accept (2), id: 0x54, Authenticator: 668c7cbb00d96161c278906918ce2291
          Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 17, Length: 50, Value: .p<.6..A [y)..E)......Y..(..P...Xd@..aB.k.
            0x0000:  0000 0137 1134 f270 3cbf 360b 1d41 f5e5
            0x0010:  c87f e8eb b9e9 955b 7929 0915 4529 fa92
            0x0020:  8c02 0fec 59a0 e528 889e 50b9 f506 5864
            0x0030:  4018 ff61 429a 6bb8
          Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 16, Length: 50, Value: ..G......Q...............x.=xA/......i.r..a.%R.^..
            0x0000:  0000 0137 1034 ff86 47fc 00f1 99d9 cc51
            0x0010:  fc1f 1ae2 b9e3 00a7 1ec9 baf4 031d fa78
            0x0020:  8d3d 7841 2114 0313 a2e8 9e69 dc72 efed
            0x0030:  61b2 2552 995e fbf4
          EAP-Message Attribute (79), length: 6, Value: ..
            0x0000:  0307 0004
          Message-Authenticator Attribute (80), length: 18, Value: .8............30
            0x0000:  0438 c613 8719 caa2 eaf0 a106 ffb4 3330
          User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
            0x0000:  686f 7374 2f6c 656e 6f2e 666f 7274 6961
            0x0010:  642e 6e65 74
          Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
            0x0000:  0000 000d
          Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
            0x0000:  0000 0006
          Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
            0x0000:  656e 6769 6e65 6572 696e 67
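The Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID triple in this Access-Accept is what the switch acts on for dynamic VLAN assignment. The Python below is added here as an illustration (it is not part of the original recipe or of FortiAuthenticator): it rebuilds those attributes from the values in the capture into a constructed sample packet (MPPE keys, EAP-Message and Message-Authenticator left out), parses the RADIUS attribute TLVs, and applies the RFC 2868 tag rules that decide which group ID the port is placed in, including tagged triples, which this capture does not contain.

```python
import struct
# RADIUS attribute types seen in the Access-Accept above (RFC 2865 / RFC 2868)
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # RFC 3580 values: "VLAN", "IEEE-802"

def parse_attributes(payload):
    # Walk the attribute TLVs that follow the 20-byte RADIUS header.
    attrs, i = [], 0
    while i < len(payload):
        alen = payload[i + 1] if len(payload) - i >= 2 else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + alen]))
        i += alen
    return attrs

def split_tag(value):
    # RFC 2868: first octet is a tag only if 0x01..0x1F, else it is data ('engineering' has none).
    return (value[0], value[1:]) if value and 0x01 <= value[0] <= 0x1F else (0, value)

def decode_tunnel_vlan(attrs):
    # Per tag group, return Tunnel-Private-Group-ID only if Tunnel-Type=VLAN and Medium=IEEE-802.
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")  # tag + 3-octet int
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, gid = split_tag(value)
            groups.setdefault(tag, {})[atype] = gid.decode("ascii")
    for g in (groups[t] for t in sorted(groups)):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and TUNNEL_PRIVATE_GROUP_ID in g
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None

def build_attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

# Constructed sample from the Access-Accept above (MPPE keys, EAP and Message-Authenticator omitted)
SAMPLE_ATTRS = b"".join(build_attr(t, v) for t, v in [
    (USER_NAME, b"host/leno.fortiad.net"), (TUNNEL_TYPE, bytes.fromhex("0000000d")),
    (TUNNEL_MEDIUM_TYPE, bytes.fromhex("00000006")), (TUNNEL_PRIVATE_GROUP_ID, b"engineering")])
SAMPLE_PACKET = (struct.pack("!BBH", 2, 0x54, 20 + len(SAMPLE_ATTRS))
                 + bytes.fromhex("668c7cbb00d96161c278906918ce2291") + SAMPLE_ATTRS)

def vlan_from_access_accept(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):   # not an Access-Accept, or declared length lies
        return None
    return decode_tunnel_vlan(parse_attributes(packet[20:]))
```

Note that the real switch additionally verifies the Message-Authenticator with the shared secret before trusting any of this; that step needs the secret and is not reproduced here.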
The post-authentication DHCP transaction is picked up by FortiAuthenticator:

    02:18:52.384838 IP (tos 0x0, ttl 1, id 32640, offset 0, flags [none], proto UDP (17), length 328)
        10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xf79d54fa, Flags [Broadcast] (0x8000)
          Your-IP 10.1.2.224
          Client-Ethernet-Address 00:22:68:1a:f1:a0
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 10.1.2.27
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Default-Gateway Option 3, length 4: 10.1.2.1
            Domain-Name-Server Option 6, length 4: 10.1.2.122
            Domain-Name Option 15, length 11: "fortiad.net"
Go to Logging > Log Access > Logs to verify the device authentication. The Debug Log (at
The switch logs show a successful dot1x session:

    root# run show dot1x interface ge-0/0/1.0
    802.1X Information:
    Interface   Role           State          MAC address        User
    ge-0/0/1.0  Authenticator  Authenticated  00:22:68:1A:F1:A0  host/leno.fortiad.net
The domain computer's interface is dynamically placed into the correct VLAN:

    root# run show vlans
    Name           Tag     Interfaces
    default
                           ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0,
    engineering    10
                           ge-0/0/1.0*, ge-0/0/11.0*
And the domain computer shows as available on the network:

    root# run show arp interface vlan.10
    MAC Address        Address     Name        Interface  Flags
    00:0c:29:5b:90:68  10.1.2.29   10.1.2.29   vlan.10    none
    98:b8:e3:a0:c6:1b  10.1.2.220  10.1.2.220  vlan.10    none
    b8:78:2e:38:3e:28  10.1.2.222  10.1.2.222  vlan.10    none
    00:22:68:1a:f1:a0  10.1.2.224  10.1.2.224  vlan.10    none
    54:e4:3a:d5:16:a0  10.1.2.226  10.1.2.226  vlan.10    none
    Total entries: 5

    {master:0}[edit]
    root# run ping 10.1.2.224
    PING 10.1.2.224 (10.1.2.224): 56 data bytes
    64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
    64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms
    --- 10.1.2.224 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms
The post Wired 802.1x EAP-TLS with computer authentication appeared first on Fortinet Cookbook.