In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS with user authentication.
In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer.
The example includes an Odyssey supplicant and a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch as per the FortiAuthenticator RADIUS attributes.
1. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.

Go to Certificate Management > End Entities > Local Services and configure the server certificate to be used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration. If the client certificates were not created by FortiAuthenticator, the third-party CA certificate would have to be uploaded to FortiAuthenticator as a Trusted CA. In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the user's sAMAccountName. Export it as a PKCS#12 file and protect the file with a passphrase.

The client certificate can be pushed out using a GPO (Group Policy Object). Otherwise, it can be imported manually.
2. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown. Open Command Prompt and launch MMC; on the File menu, click Add/Remove Snap-in.

Once imported, the certificate should show up under Local Computer and not Current User. Export the FortiAuthenticator CA certificate and import it under Trusted Root Certification Authorities (again under Certificates (Local Computer)).
3. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server. Ensure that the Username attribute matches the attribute used in the AD configuration (sAMAccountName), the same attribute the client certificate CN was matched to.

Go to Authentication > User Management > Realms and create a new realm for these users.
4. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes that later appear in the Access-Accept in the results section). The group will be populated automatically by the Remote Sync Rule configured in the next step.
5. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check that the sync rule worked.
6. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client for the switch to bring the configuration together on the FortiAuthenticator.
7. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly. Note that the $9$ form of the RADIUS shared secret is Junos' reversible obfuscation, not a hash, so the configuration file itself should be treated as sensitive.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/1 unit 0 family ethernet-switching   # Odyssey machine port, no VLAN assigned, allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering   # interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address 10.1.1.1/24
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single   # 802.1x configuration requiring a supplicant
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10
8. Results

In the Odyssey Access Client Manager, click Connect to the network. Once connected, the Status should read "open and authenticated". The authentication flow should start as soon as the supplicant makes a connection attempt (while connected to the domain).
Using a packet capture, the first message is the Access-Request from the switch (10.1.2.27) to FortiAuthenticator (10.1.2.29), carrying the EAP Identity response for the user kash:

16:10:25.051118 IP (tos 0x0, ttl 64, id 22102, offset 0, flags [none], proto UDP (17), length 169)
    10.1.2.27.51296 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 141
        Access-Request (1), id: 0x18, Authenticator: 4c69f617666fcdaadbcdb14700c57551
          User-Name Attribute (1), length: 6, Value: kash
            0x0000:  6b61 7368
          NAS-Port Attribute (5), length: 6, Value: 71
            0x0000:  0000 0047
          EAP-Message Attribute (79), length: 11, Value: .A
            0x0000:  0241 0009 016b 6173 68
          Message-Authenticator Attribute (80), length: 18, Value: ..C....- .....o.>
            0x0000:  8a86 43bf a7d9 8a2d 8cef e0bf 036f 9f3e
          Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fb00610008e3c1
            0x0000:  384f 322e 3178 3831 6662 3030 3631 3030
            0x0010:  3038 6533 6331
          NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0
            0x0000:  6765 2d30 2f30 2f31 2e30
          Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
            0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
            0x0010:  30
          Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
            0x0000:  6138 2d64 302d 6535 2d62 302d 3231 2d38
            0x0010:  30
          NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
            0x0000:  0000 000f
Continuing with the Access-Challenge from FortiAuthenticator, which starts the EAP-TLS exchange and carries a State attribute the switch must echo back (the "bad udp cksum" is a checksum-offload artifact of capturing on the sending host, not a fault):

16:10:25.057286 IP (tos 0x0, ttl 64, id 50545, offset 0, flags [none], proto UDP (17), length 108)
    10.1.2.29.1812 > 10.1.2.27.51296: [bad udp cksum 0x18a3 -> 0x0722!] RADIUS, length: 80
        Access-Challenge (11), id: 0x18, Authenticator: f0a3636e1b2ddf8b76f96239feece6bb
          EAP-Message Attribute (79), length: 24, Value: .B
            0x0000:  0142 0016 0410 87a4 a938 54dd 43b6 9ff4
            0x0010:  7ddc b515 1591
          Message-Authenticator Attribute (80), length: 18, Value: ..mu.l..0..o.ht.
            0x0000:  0f09 6d75 e76c 87c3 30f3 b76f f368 74e3
          State Attribute (24), length: 18, Value: s...s...L@..._K.
            0x0000:  73de c494 739c c01f 4c40 c6ce 815f 4bd5

The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the switch.
The Access-Accept message with the RADIUS attributes is returned to the switch. It carries the MS-MPPE key VSAs (vendor types 16 and 17) that hold the EAP keying material, plus the Tunnel-Type (13 = VLAN), Tunnel-Medium-Type (6 = IEEE 802) and Tunnel-Private-Group-ID ("engineering") attributes that drive the dynamic VLAN assignment:

16:10:25.479480 IP (tos 0x0, ttl 64, id 50552, offset 0, flags [none], proto UDP (17), length 219)
    10.1.2.29.1812 > 10.1.2.27.51296: [bad udp cksum 0x1912 -> 0xef88!] RADIUS, length: 191
        Access-Accept (2), id: 0x1f, Authenticator: 5b463667865b7dacf8a742aea5424f20
          Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 17, Length: 50, Value: ......3.y.3..T.1z..[m..W. .c. Zv a rpa.z
            0x0000:  0000 0137 1134 831d 27be +0af 4aae 7990
            0x0010:  33da 0954 b631 7ad7 e15b 6dd4 8557 83cb
            0x0020:  a83c f4e0 155a 76fd dd61 c7f5 fd0a d8d1
            0x0030:  08e8 eb72 7061 b27a
          Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
            Vendor Attribute: 16, Length: 50, Value: ..^D0b...z..9:e+....]+2X . / WF ..... 4..K...Pt.
            0x0000:  0000 0137 1034 8f91 5e44 4f62 9d7f f513
            0x0010:  7abb 942a 213a 652b 0fc5 b488 5d2b 3258
            0x0020:  ce3a ded5 dd2f d757 4698 9a94 b205 34a2
            0x0030:  ed4b 83bb a250 74f6
          EAP-Message Attribute (79), length: 6, Value: .H
            0x0000:  0348 0004
          Message-Authenticator Attribute (80), length: 18, Value: .".Z.T..X....@.
            0x0000:  ca22 aa5a f354 17bc 58dc ccd7 cf40 7fb4
          User-Name Attribute (1), length: 6, Value: kash
            0x0000:  6b61 7368
          Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
            0x0000:  0000 000d
          Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
            0x0000:  0000 0006
          Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
            0x0000:  656e 6769 6e65 6572 696e 67

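The Tunnel-* attributes in this Access-Accept are the only thing telling the EX2200 which VLAN to place the port in, and their integrity rests entirely on the Response Authenticator and Message-Authenticator computed with the RADIUS shared secret. The following Python is an added example, not code from the Fortinet Cookbook or from FortiAuthenticator: it rebuilds an Access-Accept from the attribute values in the capture above (the MS-MPPE key VSAs are left out, and the shared secret is a constructed placeholder because the real one is not shown), verifies both authenticators the way a NAS must before trusting the VLAN, and decodes the RFC 2868 tag octet correctly for the tagged integer attributes as well as the untagged VLAN name.

```python
# Added example, not Fortinet's or FortiAuthenticator's code: it rebuilds an
# Access-Accept with the attributes seen in the capture above and shows the
# checks a NAS should make before acting on the VLAN it names.
import hashlib
import hmac
import struct

ACCESS_ACCEPT, USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 2, 1, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81

SHARED_SECRET = b"example-shared-secret"  # constructed; the real secret is not on the page
REQUEST_AUTH = bytes.fromhex("4c69f617666fcdaadbcdb14700c57551")  # from the Access-Request

def encode_attributes(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attributes(payload):
    """Walk the attribute region; a bad length is an error, not an infinite loop."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_access_accept(ident, attrs, request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """Append Message-Authenticator (RFC 3579) and fill in the Response Authenticator (RFC 2865)."""
    # Message-Authenticator = HMAC-MD5(secret, Code+ID+Length+RequestAuth+Attributes),
    # computed with its own value set to 16 zero octets.
    zeroed = encode_attributes(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(zeroed))
    msg_auth = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    body = encode_attributes(attrs + [(MESSAGE_AUTHENTICATOR, msg_auth)])
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_access_accept(packet, request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """True only if both authenticators verify; otherwise the VLAN must be ignored."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    attrs = parse_attributes(body)
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False  # an EAP reply carries exactly one Message-Authenticator
    zeroed = encode_attributes(
        [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_ma, received[0])

def untag(raw):
    """RFC 2868 tag rule: the leading octet is a tag only when it is 0x00..0x1F."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return None, raw

def vlan_assignment(packet):
    """Pull out what the switch needs: user, Tunnel-Type, Tunnel-Medium-Type and VLAN."""
    result = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype == USER_NAME:
            result["user"] = value.decode("ascii")
        elif atype == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(untag(value)[1], "big")    # 13 = VLAN
        elif atype == TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(untag(value)[1], "big")  # 6 = IEEE 802
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = untag(value)[1].decode("ascii")  # VLAN name or numeric ID
    return result

# Attribute values from the Access-Accept capture (the MS-MPPE key VSAs are omitted).
SAMPLE_ATTRS = [
    (EAP_MESSAGE, bytes.fromhex("03480004")),         # EAP-Success, id 0x48
    (USER_NAME, b"kash"),
    (TUNNEL_TYPE, bytes.fromhex("0000000d")),         # tag 0, VLAN (13)
    (TUNNEL_MEDIUM_TYPE, bytes.fromhex("00000006")),  # tag 0, IEEE 802 (6)
    (TUNNEL_PRIVATE_GROUP_ID, b"engineering"),        # no tag octet: 'e' > 0x1F
]
SAMPLE_PACKET = build_access_accept(0x1F, SAMPLE_ATTRS)
```

`verify_access_accept(SAMPLE_PACKET)` returns True and `vlan_assignment(SAMPLE_PACKET)` yields user kash, Tunnel-Type 13, Tunnel-Medium-Type 6 and VLAN "engineering", matching the capture. Flipping one byte of the VLAN name, using a different secret, or truncating the packet makes the verification fail, which is the behaviour you want from the switch: a VLAN name that arrives in an Access-Accept whose authenticators do not check out against the shared secret must not move the port. The tag rule matters because the numeric form of Tunnel-Private-Group-ID (for example "10") also begins with a byte above 0x1F and so is untagged, while a tagged form would carry a leading 0x01..0x1F octet.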
Post-authentication, the DHCP transaction from the switch's DHCP server is picked up by FortiAuthenticator, showing the supplicant receiving an address in the engineering VLAN's 10.1.2.0/24 pool:

16:10:25.569855 IP (tos 0x0, ttl 1, id 22153, offset 0, flags [none], proto UDP (17), length 328)
    10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x91fced0e, Flags [Broadcast] (0x8000)
          Your-IP 10.1.2.224
          Client-Ethernet-Address 00:22:68:1a:f1:a0
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 10.1.2.27
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Default-Gateway Option 3, length 4: 10.1.2.1
            Domain-Name-Server Option 6, length 4: 10.1.2.122
            Domain-Name Option 15, length 11: "fortiad.net"

Go to Logging > Log Access > Logs to verify the device authentication. The Debug Log (at

The switch CLI shows a successful dot1x session:

root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface     Role           State          MAC address          User
ge-0/0/1.0    Authenticator  Authenticated  00:22:68:1A:F1:A0    kash

The domain computer's interface is dynamically placed into the correct VLAN:

root# run show vlans
Name           Tag     Interfaces
default
                       ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0,
engineering    10
                       ge-0/0/1.0*, ge-0/0/11.0*

And the domain computer shows as available on the network:

root# run show arp interface vlan.10
MAC Address        Address         Name            Interface   Flags
00:0c:29:5b:90:68  10.1.2.29       10.1.2.29       vlan.10     none
98:b8:e3:a0:c6:1b  10.1.2.220      10.1.2.220      vlan.10     none
b8:78:2e:38:3e:28  10.1.2.222      10.1.2.222      vlan.10     none
00:22:68:1a:f1:a0  10.1.2.224      10.1.2.224      vlan.10     none
54:e4:3a:d5:16:a0  10.1.2.226      10.1.2.226      vlan.10     none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
54 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
54 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms
--- 10.1.2.224 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms

The post Wired 802.1x EAP-TLS with user authentication appeared first on Fortinet Cookbook.