In this recipe, you will configure and demonstrate wireless 802.1x EAP-TLS with computer authentication.
In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. The FortiAuthenticator will authenticate without user interaction using the domain computer and client certificate (no username or password).
The example includes an Intel PROSet supplicant as well as a dynamically assigned group on a FortiWiFi using RADIUS attributes.
1. Active Directory prerequisites |
|
|
Key considerations:
|
 |
2. Configuring the certificates |
|
| Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA. |  |
| Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS. |  |
|
Go to RADIUS Service > EAP and set up the EAP configuration. If client certificates were not created by FortiAuthenticator, the 3rd-party server certificate would be uploaded on to FortiAuthenticator as a Trusted CA. In this example, FortiAuthenticator creates the client certificates. |
 |
|
Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer. Export the PKCS#12 file and passphrase protect it. |
 |
|
The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually. |
|
3. Manually importing the client certificate – Windows 7 |
|
|
Manual import can be completed using MMC as shown. Open Command Prompt and type On the File menu, click Add/Remove Snap In. |
 |
|
Once imported, the certificate should show up under Local Computer and not Current User. Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)). |
 |
4. Configuring the Intel PROSet Supplicant (Windows 7) |
|
|
The supplicant will automatically select the certificate associated with the computer, based on the configuration shown. Under General Settings, set Operating Mode to Network [Infrastructure] – Connect to WiFi networks and/or the Internet. |
 |
|
Under Security Settings, be sure to enable Use the certificate issued to this computer. With this configuration, no user interaction is required for 802.1x EAP-TLS, on startup or attempting to connect to the WiFi, the authentication and authorization process will be transparent to the user. |
 |
5. Configuring the FortiAuthenticator AD Server |
|
|
Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server. Ensure that Username attribute matches the entry in the AD configuration in Step 1. |
 |
| Go to Authentication > User Management > Realms and create a new realm for these users. |  |
6. Configuring the user group |
|
| Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown. |  |
7. Configuring remote user sync rules |
|
|
Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule. |
 |
|
Go to Authentication > User Management > Remote Users and check to see if the sync rule worked. |
 |
8. Configuring the FortiAuthenticator RADIUS client |
|
| Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator. |  |
9. Configuring the FortiWiFi |
|
| Go to User & Device > Authentication > RADIUS Servers and set the FortiAuthenticator as the RADIUS server for the FortiWiFi. |  |
| Go to WiFi & Switch Controller > WiFi Network > SSID and configure the WiFi SSID interface. |  |
| Go to System > Network > Interfaces and configure a software switch combining the physical and WiFi interfaces. |  |
10. Results |
|
|
The authentication flow should initiate as soon as the wired computer starts up (while connected to the domain). |
|
|
Using 01:09:34.674298 IP (tos Ox0, ttl 64, id 40954, offset 0, flags [none], proto UDP (17), length 212) 10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 184 Access-Request (1), id: 0x76, Authenticator: 4b859401ddb6c0fb95261e99fc8ef66a User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net 0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 0x0010: 642e 6e65 74 NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0 0x0000: 0000 0000 NAS-Port Attribute (5), length: 6, Value: 0 0x0000: 0000 0000 Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-68:fortinet 0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36 0x0010: 423a 666f 7274 696e 6574 Calling-Station-Id Attribute (31), length: 19, Value: 6C-88-14-C6-3D-58 0x0000: 3643 2d38 382d 3134 2d43 362d 3344 2d35 0x0010: 38 Framed-MTU Attribute (12), length: 6, Value: 1400 0x0000: 0000 0578 NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11 0x0000: 0000 0013 Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b 0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038 0x0010: 3032 2e31 3162 |
|
|
Continuing with 01:09:34.679881 IP (tos Ox0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)
10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0xl8a3 -> 0xbe6al) RADIUS, length: 80
Access-Challenge (11), id: 0x76, Authenticator: a4c016a41e6a0f46c17da49ff813bd6e
EAP-Message Attribute (79), length: 24, Value: ..
0x0000: 0101 0016 0410 f23e 13dd 795e 18fa SddS
0x0010: 3e83 cb34 a99c
Message-Authenticator Attribute (80), length: 18, Value:
0x0000: eac9 2509 cbec 6895 804a deac 5de7 d6f8
State Attribute (24), length: 18, value: *...* .......
0x0000: 2af7 lbfd 2af6 lfb9 8db9 f1f8 20ad 9cd4
The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi. |
|
|
Access-Accept message with RADIUS attributes are returned to the Switch: 01:09:36.517763 IP (tos Ox0, ttl 64, id 58903, offset 0, flags (none), proto UDP (17), length 225)
10.1.2.29.1812 > 10.1.2.27.1025: (bad udp cksum 0x1918 0x1f60!) RADIUS, length: 197
Access-Accept (2), id: Ox7d, Authenticator: 989626b68773ac50c060d8306287984a
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 17, Length: 50, Value: ?...e....NA=E.5.9..y........Q ^R=i..!j .........
0x0000: 0000 0137 1134 80e3 aefl 65e0 1383 c34e
0x0010: 413d 4Sbd 350d 39be ac79 04b8 90fa 1551
0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a
0x0030: b48f 0ef2 0c08 9cd0
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 16, Length: 50, Value: z
0x0000: 0000 0137 1034 8883 7a9b bllb 9488 f181
0x0010: d179 29ba 7538 lleb 8311 3c22 1b62 9176
0x0020: d0be f763 4617 670c d8ca 8659 7a14 dl2c
0x0030: 8064 5955 942b ccla
EAP-Message Attribute (79), length: 6, Value: ..
0x0000: 0307 0004
Message-Authenticator Attribute (80), length: 18, Value: ....>k....? ...(
0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728
User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961
0x0010: 642e 6e65 74 Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)
Vendor Attribute: 1, Length: 6, Value: VLAN10
0x0000: 0000 3044 0108 564c 414e 3130
|
|
|
Post-authentication DHCP transaction is picked up by FortiAuthenticator ( 01:09:39.765661 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [none], proto UDP (17), length 300)
10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 272, hops 2, xid Ox5a6b3f9e, Flags [none] (0x0000)
Client-IP 10.1.2.9
Gateway-IP 10.1.2.27
Client-Ethernet-Address 6c:88:14:c6:3d:58
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.1.2.1
Default-Gateway Option 3, length 4: 10.1.2.1
Domain-Name-Server Option 6, length 8: 212.159.6.9,212.159.6.10
Time-Zone Option 2, length 4: 3600
|
|
|
On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication. The Debug Log (at |
 |
|
On the FortiWifi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the Group is the RADIUS attribute sent from FortiAuthenticator. Any Firewall policy using that Group will now be enabled for the user.
|
|
The post Wireless 802.1x EAP-TLS with computer authentication appeared first on Fortinet Cookbook.