Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC 9.4.0 Administration Guide
    9.4.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.2
    8.3.0

    Certificates

    Certificates

    SSL certificates can be used to secure many different types of connections for FortiNAC. The table below outlines the uses and requirements for these certificates.

    Please note:

    • Applies to all certificates imported into or saved on FortiNAC appliances.
    • Certificates that use SHA2 encryption are not supported.
    • Valid certificates are certificates that were obtained from a signing authority, such as, VeriSign.
    • Update the list of Allowed Domains with the domain of the certificate vendor. See Allowed domains.
    • Make sure that your network has a VLAN that allows hosts in isolation to access the internet when the host attempts to reach one of the sites in the Allowed Domains list.

    It is recommended that you set the home page to a HTTP URL instead of a HTTPS URL to avoid receiving a certificate warning when opening your browser in IE while in the registration VLAN.

    Connection

    Types

    Required

    Format

    Location

    If no certificate

    Admin UI

    Self-Signed or Valid

    No

    /bsc/services

    Works with or without a certificate.

    Portal

    Self-Signed or Valid

    No

    PEM

    Imported

    Works with or without a certificate.

    Persistent Agent

    Self-Signed or Valid

    Yes
    Agent 3.0 or higher

    Imported

    Use agents lower than 3.0.

    Dissolvable Agent

    Self-Signed or Valid

    Yes
    Agent 3.0 or higher

    Imported

    Use agents lower than 3.0.

    Mobile Agent

    Valid

    Yes

    Imported

    No workaround, must use certificate.

    LDAP
    Directory

    Valid

    No

    /bsc/campusMgr

    Do not select SSL or TLS protocols on the Directory Configuration view.

    RADIUS Server

    Valid

    Yes with 802.1x and PEAP.

    Proprietary

    Use security options WEP, WPA or WPA2 , which use PSK, instead of the enterprise versions which use PEAP.

    Supplicant Configuration

    Valid

    Yes for Windows hosts if RADIUS server has certificate and uses 802.1x and PEAP.

    PEM or binary

    Imported

    Use security options WEP, WPA or WPA2 , which use PSK, instead of the enterprise versions which use PEAP.

    Or

    Windows hosts will have poor user experience with connection delays during supplicant configuration implementation.

    Palo Alto
    Integration

    Yes

    N/A FortiNAC automatically imports from Palo Alto

    Required
    Associated certificate documentation

    Connection

    Topic

    Admin UI

    See SSL certificates.

    Portal

    See Portal SSL.

    Persistent Agent

    See SSL certificates.

    Dissolvable Agent

    Mobile Agent

    LDAP Directory

    See Create a keystore for SSL or TLS

    RADIUS Server

    See the documentation for your RADIUS server.

    Supplicant Configuration

    See Supplicant EasyConnect .

    Palo Alto Integration

    See Add or modify the Palo Alto User-ID agent as a pingable.
    Previous
    Next

    Certificates

    Certificates

    SSL certificates can be used to secure many different types of connections for FortiNAC. The table below outlines the uses and requirements for these certificates.

    Please note:

    • Applies to all certificates imported into or saved on FortiNAC appliances.
    • Certificates that use SHA2 encryption are not supported.
    • Valid certificates are certificates that were obtained from a signing authority, such as, VeriSign.
    • Update the list of Allowed Domains with the domain of the certificate vendor. See Allowed domains.
    • Make sure that your network has a VLAN that allows hosts in isolation to access the internet when the host attempts to reach one of the sites in the Allowed Domains list.

    It is recommended that you set the home page to a HTTP URL instead of a HTTPS URL to avoid receiving a certificate warning when opening your browser in IE while in the registration VLAN.

    Connection

    Types

    Required

    Format

    Location

    If no certificate

    Admin UI

    Self-Signed or Valid

    No

    /bsc/services

    Works with or without a certificate.

    Portal

    Self-Signed or Valid

    No

    PEM

    Imported

    Works with or without a certificate.

    Persistent Agent

    Self-Signed or Valid

    Yes
    Agent 3.0 or higher

    Imported

    Use agents lower than 3.0.

    Dissolvable Agent

    Self-Signed or Valid

    Yes
    Agent 3.0 or higher

    Imported

    Use agents lower than 3.0.

    Mobile Agent

    Valid

    Yes

    Imported

    No workaround, must use certificate.

    LDAP
    Directory

    Valid

    No

    /bsc/campusMgr

    Do not select SSL or TLS protocols on the Directory Configuration view.

    RADIUS Server

    Valid

    Yes with 802.1x and PEAP.

    Proprietary

    Use security options WEP, WPA or WPA2 , which use PSK, instead of the enterprise versions which use PEAP.

    Supplicant Configuration

    Valid

    Yes for Windows hosts if RADIUS server has certificate and uses 802.1x and PEAP.

    PEM or binary

    Imported

    Use security options WEP, WPA or WPA2 , which use PSK, instead of the enterprise versions which use PEAP.

    Or

    Windows hosts will have poor user experience with connection delays during supplicant configuration implementation.

    Palo Alto
    Integration

    Yes

    N/A FortiNAC automatically imports from Palo Alto

    Required
    Associated certificate documentation

    Connection

    Topic

    Admin UI

    See SSL certificates.

    Portal

    See Portal SSL.

    Persistent Agent

    See SSL certificates.

    Dissolvable Agent

    Mobile Agent

    LDAP Directory

    See Create a keystore for SSL or TLS

    RADIUS Server

    See the documentation for your RADIUS server.

    Supplicant Configuration

    See Supplicant EasyConnect .

    Palo Alto Integration

    See Add or modify the Palo Alto User-ID agent as a pingable.
    Previous
    Next