
Administration Guide

7.2.0

Certificates

SSL certificates can be used to secure many different types of connections for FortiNAC. The table below outlines the uses and requirements for these certificates.

Please note:

  • Applies to all certificates imported into or saved on FortiNAC appliances.
  • Certificates that use SHA2 encryption are not supported.
  • Valid certificates are certificates that were obtained from a signing authority, such as VeriSign.
  • Update the list of Allowed Domains with the domain of the certificate vendor. See Allowed domains.
  • Make sure that your network has a VLAN that allows hosts in isolation to access the internet when the host attempts to reach one of the sites in the Allowed Domains list.

It is recommended that you set the home page to an HTTP URL instead of an HTTPS URL to avoid receiving a certificate warning when opening your browser in IE while in the registration VLAN.

Connection | Types | Required | Format | Location | If no certificate
Admin UI | Self-Signed or Valid | No | | /bsc/services | Works with or without a certificate.
Portal | Self-Signed or Valid | No | PEM | Imported | Works with or without a certificate.
Persistent Agent | Self-Signed or Valid | Yes (Agent 3.0 or higher) | | Imported | Use agents lower than 3.0.
Dissolvable Agent | Self-Signed or Valid | Yes (Agent 3.0 or higher) | | Imported | Use agents lower than 3.0.
Mobile Agent | Valid | Yes | | Imported | No workaround, must use certificate.
LDAP Directory | Valid | No | | /bsc/campusMgr | Do not select SSL or TLS protocols on the Directory Configuration view.
RADIUS Server | Valid | Yes, with 802.1x and PEAP. | Proprietary | | Use security options WEP, WPA or WPA2, which use PSK, instead of the enterprise versions which use PEAP.
Supplicant Configuration | Valid | Yes, for Windows hosts if the RADIUS server has a certificate and uses 802.1x and PEAP. | PEM or binary | Imported | Use security options WEP, WPA or WPA2, which use PSK, instead of the enterprise versions which use PEAP. Otherwise, Windows hosts will have a poor user experience, with connection delays during supplicant configuration.
Palo Alto Integration | | Yes | N/A (FortiNAC automatically imports from Palo Alto) | | Required.
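An added pre-import check for certificate files (example shell script, not from the FortiNAC guide; it assumes the openssl CLI is installed on the workstation): it tells a self-signed certificate from a CA-signed one (what the table calls "Valid") by comparing subject and issuer, confirms the file is PEM rather than binary DER, and reports the signature algorithm and whether the certificate has expired.

```shell
# Added example, not part of the FortiNAC guide. Assumes the openssl CLI is installed.
# Pre-import checks for a certificate file before loading it into the Admin UI, Portal or agent settings.

# True if the file is PEM-encoded (the format the Portal and supplicant import accept),
# rather than binary DER.
cert_is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints "self-signed" when subject and issuer match, otherwise "ca-signed".
# Matching names are a heuristic for self-signed; it does not verify the signature itself.
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Prints the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# True if the certificate has not expired (-checkend 0 tests notAfter only,
# so a certificate whose notBefore is in the future still passes here).
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Summarise one file; returns non-zero if it is not PEM or has expired.
check_cert() {
    f=$1
    if ! cert_is_pem "$f"; then
        echo "$f: not PEM (convert with: openssl x509 -inform DER -in $f -out $f.pem)"
        return 1
    fi
    echo "$f: $(cert_kind "$f"), $(cert_sigalg "$f")"
    if cert_valid_now "$f"; then
        echo "$f: within validity period"
    else
        echo "$f: EXPIRED"
        return 1
    fi
}
```

Run check_cert on each file you intend to import, for example `check_cert portal.pem`.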

Associated certificate documentation

Connection | Topic
Admin UI | See SSL certificates.
Portal | See Portal SSL.
Persistent Agent | See SSL certificates.
Dissolvable Agent |
Mobile Agent |
LDAP Directory | See Create a keystore for SSL or TLS.
RADIUS Server | See the documentation for your RADIUS server.
Supplicant Configuration | See Supplicant EasyConnect.
Palo Alto Integration | See Add or modify the Palo Alto User-ID agent as a pingable.
