7.2.0

Create and Install SSL Certificates

Requirements

  • FortiNAC hostnames to be secured by the certificates (certificates required on all FortiNAC appliances)

  • The hostname used for the Portal can differ from the appliance's actual hostname. This is useful when combining internal and external certificates, and it also avoids revealing the actual appliance hostname to users interacting with the Portal. See the use cases below for examples.

  • High Availability (HA) environments:

    • For ease of configuration, it is recommended to install certificates on both appliances prior to configuring HA. If some certificates must be installed after HA is configured, see pages 5 and 6 of the SSL Certificates How To in the Fortinet Document Library for instructions.

    • If a Virtual IP Address (VIP) will be used in a L2 HA configuration, the VIP hostname will also need to be secured, so include it in the certificate alongside the appliance hostnames.

Procedure

  1. Determine use cases so the appropriate certificates can be acquired. FortiNAC can use SSL certificates issued by either an internal or public (external) Certificate Authority (CA). Note: Different certificates can be installed for different components.

    What certificate should be used?

  2. Navigate to System > Certificate Management.

  3. Generate a certificate (if not already generated). Then install the certificate on all appliances. For instructions, refer to the SSL Certificates How To in the Fortinet Document Library.

  4. Upload certificates to the Admin UI first (if UI is going to be secured).

  5. Logout of the Admin UI and reconnect using the following URL:

    https://<FortiNAC Server Host Name included in certificate>:8443/

If the browser reports that the certificate is not secure, the intermediate (issuing CA) certificate may be missing from the uploaded chain; the hostname in the URL must also match a name in the certificate. See related KB article 190860.

Proceed to next step.

What certificate should be used?

Review the following use case examples to help determine the most applicable certificate for your environment.

What the certificates are used for

Component                   Function                                                    Certificate to Use
--------------------------  ----------------------------------------------------------  -------------------------------------------------
Administration UI           Access to the FortiNAC UI                                   Internal or External
Persistent Agent            Persistent Agent communication                              Internal or External
Portal                      Captive Portal access and Dissolvable Agent communication   External
Local RADIUS Server (EAP)   Used when FortiNAC is the 802.1X EAP termination point      Internal or External (avoid wildcard certificates)
RADIUS Endpoint Trust       Client-side certificate validation (EAP-TLS)                Internal or External (avoid wildcard certificates)
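The checks a practitioner wants before uploading a certificate (step 4) and after reconnecting on port 8443 (step 5) are: does the chain validate with and without the intermediate, does the subjectAltName cover the hostname the component is reached at, and, for the two RADIUS components in the table above, is the name a wildcard. The script below is an added example, not Fortinet's code and not part of this page: it builds a throwaway internal PKI with the openssl CLI (root CA, issuing CA, two server certificates) and runs those three checks against it. All hostnames, CA names and the example.com domain are constructed placeholders; it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not Fortinet's code): build a throwaway internal PKI with the
# openssl CLI (root CA -> issuing CA -> server certificates) and run the checks
# worth doing before uploading a certificate to FortiNAC:
#   1. does the leaf validate against the root with, and without, the issuing
#      (intermediate) CA certificate? The "without" case is what a browser sees
#      when the intermediate was left out of the upload ("not secure").
#   2. does the SAN cover the hostname the component is reached at?
#   3. does the SAN contain a wildcard name, which is to be avoided for
#      Local RADIUS Server (EAP) and RADIUS Endpoint Trust?
# All names (example.com hosts, CA names) are constructed placeholders.
# Requires openssl 1.1.1 or later (for "x509 -ext").
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME CN EXTENSIONS ISSUER   (ISSUER "self" = self-signed root)
mkcert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[ext]\n%s\n' \
    "$2" "$3" > "$WORK/$1.cnf"
  openssl req -new -key "$WORK/$1.key" -config "$WORK/$1.cnf" \
    -out "$WORK/$1.csr" 2>/dev/null
  if [ "$4" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -sha256 -extfile "$WORK/$1.cnf" -extensions ext -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1.cnf" -extensions ext \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# server_ext SAN -> extension block for a TLS server certificate
server_ext() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s' "$1"
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
mkcert root    "Example Internal Root CA"    "$CA_EXT" self
mkcert issuing "Example Internal Issuing CA" "$CA_EXT" root
# one certificate per hostname, as in the use-case tables (constructed names)
mkcert portal   fnac-portal.example.com "$(server_ext DNS:fnac-portal.example.com)" issuing
mkcert wildcard '*.int.example.com'     "$(server_ext 'DNS:*.int.example.com')"      issuing
# what actually gets uploaded for the Portal: the leaf followed by the issuing CA
cat "$WORK/portal.pem" "$WORK/issuing.pem" > "$WORK/portal-chain.pem"

# chain_ok LEAF ROOT INTERMEDIATE: 0 when the leaf validates up to the trusted
# root using only the intermediate supplied ("" = none, i.e. leaf uploaded alone)
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# DNS entries of the subjectAltName, one per line
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}
has_wildcard() { san_dns_names "$1" | grep -q '^\*\.'; }
# covers_host CERT HOSTNAME: exact SAN match, or a wildcard that replaces exactly
# one leftmost label (the RFC 6125 rule browsers and agents apply)
covers_host() { san_dns_names "$1" | grep -Fqx -e "$2" -e "*.${2#*.}"; }

# check_cert NAME HOSTNAME EAP(yes|no): one line per check; returns 0 only if
# the certificate is fit for the component it is intended for
check_cert() {
  cert=$WORK/$1.pem; rc=0
  if chain_ok "$cert" "$WORK/root.pem" "$WORK/issuing.pem"; then
    echo "  chain with intermediate:    OK"
  else
    echo "  chain with intermediate:    FAIL"; rc=1
  fi
  if chain_ok "$cert" "$WORK/root.pem" ""; then
    echo "  chain without intermediate: OK (issued directly by the root)"
  else
    echo "  chain without intermediate: FAIL -> upload the issuing CA certificate with the leaf"
  fi
  if covers_host "$cert" "$2"; then
    echo "  SAN covers $2: OK"
  else
    echo "  SAN covers $2: FAIL"; rc=1
  fi
  if [ "$3" = yes ] && has_wildcard "$cert"; then
    echo "  wildcard SAN: FAIL (avoid for Local RADIUS Server (EAP) / RADIUS Endpoint Trust)"; rc=1
  fi
  return $rc
}

echo "== fnac-portal.example.com certificate for the Portal =="
check_cert portal fnac-portal.example.com no || echo "  => not suitable"
echo "== *.int.example.com certificate offered for Local RADIUS Server (EAP) =="
check_cert wildcard fnac1.int.example.com yes || echo "  => not suitable"
```

Against a live appliance the equivalent of the chain check is openssl s_client -connect <hostname>:8443 -servername <hostname> -showcerts: a "Verify return code: 21 (unable to verify the first certificate)" in its output is the usual sign that the leaf was uploaded without its intermediate, which is the browser "not secure" case described above.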

Use Case Examples

Example 1: Internal CA & 3rd Party RADIUS Server

This can be used in the following cases:

  • Computers to be used for Administration UI access have the company’s internal CA root certificate installed

  • Company-owned computers requiring the Persistent Agent to be installed also have the internal CA root certificate

  • BYOD devices will be on-boarded via Captive Portal

  • FortiNAC will manage wireless clients but will proxy RADIUS to a 3rd party RADIUS server, so FortiNAC does not terminate EAP and needs no Local RADIUS Server (EAP) or RADIUS Endpoint Trust certificate

    In this use case, 2 certificates will be required (1 internal and 1 external).

Hostname to Secure (Subject)   Certificate   Component(s)
-----------------------------  -----------   -----------------------------------
FNACname1.intdomainname.com    Internal      Administration UI, Persistent Agent
FNACname2.extdomainname.com    External      Portal

Example 2: Internal CA & Local RADIUS Server

This can be used in the following cases:

  • Computers to be used for Administration UI access have the company’s internal CA root certificate installed

  • Company-owned computers requiring the Persistent Agent to be installed also have the internal CA root certificate

  • Local RADIUS Server (EAP): Use internal certificate (not a wildcard certificate); the 802.1X supplicants validating it must trust the same internal root

  • RADIUS Endpoint Trust: Use internal certificate (not a wildcard certificate)

  • BYOD devices will be on-boarded via Captive Portal

    In this use case, 2 certificates will be required (1 internal and 1 external).

Hostname to Secure (Subject)   Certificate   Component(s)
-----------------------------  -----------   ------------------------------------------------------------------------------------
FNACname1.intdomainname.com    Internal      Administration UI, Persistent Agent, Local RADIUS Server (EAP), RADIUS Endpoint Trust
FNACname2.extdomainname.com    External      Portal

Example 3: No Internal CA & Local RADIUS Server

With no internal CA available, every component uses the external certificate:

  • Admin UI: Use external certificate

  • Persistent Agent: Use external certificate

  • Portal: Use external certificate

  • Local RADIUS Server (EAP): Use external certificate (not a wildcard certificate)

  • RADIUS Endpoint Trust: Use external certificate (not a wildcard certificate)

In this use case, 1 certificate will be required (external).

Hostname to Secure (Subject)   Certificate   Component(s)
-----------------------------  -----------   --------------------------------------------------------------------------------------------
FNACname2.extdomainname.com    External      Administration UI, Persistent Agent, Portal, Local RADIUS Server (EAP), RADIUS Endpoint Trust

Once completed, proceed to the next step.
