Administration Guide

Trusted certificates

EAP-TLS is a certificate-based mutual authentication method. When using EAP with TLS certificates, both the client and the server present certificates to prove their identities to each other. Once each side has validated the other's certificate, EAP-TLS derives session keys that each party uses to complete the login.

The Endpoint Trust certificate is used by FortiNAC to validate the client-side certificate when the local RADIUS server is configured and EAP-TLS is used for authentication.

The SSL certificate requirements for Endpoint Trust are:

  • The incoming client certificate must be issued by a root CA.

  • Certificates issued by a third-party public CA or by a corporate-owned internal CA are both accepted.

  • Wildcard certificates are not recommended.

  • Either user or computer certificates can be used.

  • Supported with EAP-TLS, PEAPv0-EAP-TLS, and EAP-TTLS/EAP-TLS.

  • Multiple certificates can be uploaded to FortiNAC for this use.

A client cannot authenticate unless the RADIUS Endpoint Trust Certificate target holds the root certificate that matches the client's certificate. Every root certificate used by end stations must therefore be uploaded to FortiNAC:

  • Acquire the root certificate(s) used by the end stations.

  • If more than one root certificate has been distributed, make sure each one has been collected; a client whose certificate chains to a root that was not uploaded will be rejected.

Upload the root certificate that issued the user certificate to Trusted Certificates on FortiNAC. FortiNAC verifies the client certificate against the root certificate stored on FortiNAC.

On the 802.1X endpoint, install the user certificate together with its private key so that FortiNAC can verify the user. The private key must be password protected.

The endpoint also needs the root certificate of the RADIUS server certificate installed, so that it can verify the certificate presented by FortiNAC.

Note

A self-signed certificate, one whose subject common name is the same as its issuer, cannot be used as the client certificate for the RADIUS endpoint. The RADIUS server compares the issuer of the user certificate with the root certificate and with the certificate's own subject; a user certificate that is its own issuer is rejected, and the RADIUS server log shows “ERROR: SSL says error 18 : self signed certificate” (OpenSSL X.509 verify error 18).

If the user certificate was not issued by the root CA, or the root certificate has not been uploaded to FortiNAC, the RADIUS server log shows “ERROR: TLS Alert read: fatal: unknown CA”.
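The trust checks described in this section, reproduced with the openssl command line as an added example. This is not FortiNAC code or configuration: the CA names corp-root and contractor-root, the users alice, bob and mallory, the passwords and the file names under a temporary directory are all made up for the demonstration. The script builds two root CAs, issues a password-protected user certificate from each, creates one self-signed user certificate, and then verifies each client certificate against a PEM bundle that plays the role of the Endpoint Trust store, first with only one root uploaded and then with both. The error numbers come from openssl verify, which performs the same OpenSSL X.509 path validation that produces the error 18 quoted in the note above.

```shell
#!/bin/sh
# Added example (not part of the FortiNAC guide): reproduce with the openssl
# CLI the checks FortiNAC's local RADIUS server applies to an EAP-TLS client
# certificate, using a PEM bundle of root certificates as the Endpoint Trust
# store. All names (corp-root, contractor-root, alice, bob, mallory) are made up.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA, the kind of certificate that gets uploaded to
# Trusted Certificates. req -x509 marks it CA:TRUE via the default config.
make_root() (
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
)

# Issue a user certificate from a root. The private key is encrypted with the
# given password, as the guide requires for the key installed on the endpoint.
issue_client() (
    ca="$1"; cn="$2"; pw="$3"
    openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$cn" \
        -passout "pass:$pw" -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/client-ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$cn.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/client-ext.cnf" -out "$WORK/$cn.pem" 2>/dev/null
)

# A self-signed user certificate: subject and issuer are the same entity.
make_self_signed() (
    cn="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$WORK/$cn.key" -out "$WORK/$cn.pem" 2>/dev/null
)

# "Acquire the root certificate(s) used by the end stations": print the issuer
# DN of a client certificate so the matching root can be collected.
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'
}

# The private key on the endpoint must be password protected: an encrypted PEM
# key carries "ENCRYPTED" in its header (PKCS#8 or legacy Proc-Type form).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Validate a client certificate against a trust bundle, as the RADIUS server
# does during the EAP-TLS handshake. Prints OK, or ERR<n> with OpenSSL's X.509
# verify error code (18 = depth-zero self-signed, 20 = no local issuer found).
verify_client() (
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "ERR${code:-?}"
    return 1
)

# Scenario: two roots were distributed to end stations, but only corp-root was
# uploaded to FortiNAC at first.
setup_scenario() {
    make_root corp-root
    make_root contractor-root
    issue_client corp-root alice 'alice-secret'
    issue_client contractor-root bob 'bob-secret'
    make_self_signed mallory
    cat "$WORK/corp-root.pem" > "$WORK/trusted-one-root.pem"
    cat "$WORK/corp-root.pem" "$WORK/contractor-root.pem" > "$WORK/trusted-both-roots.pem"
}

setup_scenario
echo "alice issued by:       $(cert_issuer "$WORK/alice.pem")"
echo "alice key encrypted:   $(key_is_encrypted "$WORK/alice.key" && echo yes || echo no)"
echo "alice vs one root:     $(verify_client "$WORK/trusted-one-root.pem" "$WORK/alice.pem")"
echo "bob vs one root:       $(verify_client "$WORK/trusted-one-root.pem" "$WORK/bob.pem")"
echo "bob vs both roots:     $(verify_client "$WORK/trusted-both-roots.pem" "$WORK/bob.pem")"
echo "mallory (self-signed): $(verify_client "$WORK/trusted-both-roots.pem" "$WORK/mallory.pem")"
```

Run it with sh. ERR18 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the “error 18 : self signed certificate” case from the note; ERR20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the case where the issuing root is missing from the trust store, which an OpenSSL-based TLS server reports to the peer as an unknown_ca alert. The bob case shows why every distributed root has to be collected: his certificate fails against the single-root bundle and passes only once contractor-root is added. The script does not show the client-side check (the endpoint verifying the RADIUS server certificate against its own root), which is the same openssl verify step run in the other direction.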
