SCEP Servers and Local Certificate Authorities
FortiGuest allows distribution of certificates to devices when they are authenticated onto the network. This is achieved in the following methods.
-
You can generate user certificates on an external server like MS Active Directory and then add an entry in Smart Connect > SCEP Servers.
-
You can also generate certificates internally on the FortiGuest in Smart Connect > Local Certificate Authorities.
-
You can manually upload certificates while configuring the authentication policy. See RadSec Authentication.
When a network user requests a Smart Connect profile, then a user certificate is generated, this is achieved by selecting EAP-TLS as an EAP type in a Smart Connect profile. You can add an SCEP Server and generate certificates internally using the Local Certificate authorities.
Adding the SCEP Server
Navigate to Smart Connect > SCEP Servers and configure the following parameters to add an SCEP server.
-
Enter the Name of the SCEP Server.
-
Enter the URL of the SCEP Server (HTTP only)
-
Enter a Challenge Password that is required when connecting to NDES on a Windows server. If the password is not specified then the user's current password is used when generating the client certificate.
-
Enter the Key Size.
-
Enter the OCSP URL to send an OCSP request for validating user certificates when authenticating.
Local Certificate Authorities
Navigate to Smart Connect > Local Certificate Authorities configure the following parameters to generate certificates internally.
-
Common Name - This is either the IP address of FortiGuest or the fully qualified domain name (FQDN) for FortiGuest. The FQDN must resolve correctly in DNS.
-
Organization - The name of your organization or company.
-
Organizational Unit (Section) - The name of the department or business unit that owns the device.
-
Locality (e.g. City) - The city where the server is located.
-
State or Province - The state where the server is located.
-
Country - Select the relevant country.
-
Maximum Lifetime in Days- The maximum lifetime of any generated certificate in days.
- Private Key Size (bits) - The minimum size of the private key to generate. The minimum size is 512 bits.