WiFi using FortiAuthenticator RADIUS with Certificates
This recipe will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with FortiAuthenticator. 802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between participants involved in an authentication exchange.
EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate. Every end user, including the authentication server, that participates in EAP-TLS must possess at least two certificates: 1) a client certificate signed by the certificate authority (CA) and 2) a copy of the CA root certificate.
This recipe focuses specifically on the configuration of the FortiAuthenticator, the FortiGate and a Windows 7 computer.
1. Creating a local CA on FortiAuthenticator
The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable this functionality, a self-signed root CA certificate must be generated.
On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs. Click Create New. Complete the information in the fields pertaining to your organization.
2. Creating a local service certificate on FortiAuthenticator
In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP-TLS), a local services certificate has to be created on behalf of the FortiAuthenticator.
Go to Certificate Management > End Entities > Local Services. Click Create New. Complete the information in the fields pertaining to your organization.
3. Configuring RADIUS EAP on FortiAuthenticator
In order for the FortiAuthenticator to present the newly created Local Services certificate as its authentication to the WiFi client, RADIUS-EAP must be configured to use this certificate.
Go to Authentication > RADIUS Service > EAP. Click Create New. Select the corresponding Local Services certificate in the EAP Server Certificate section. Choose the Local CA certificate previously configured in the Local CAs section.
4. Configuring RADIUS client on FortiAuthenticator
The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.
Go to Authentication > RADIUS Service > Clients. Click Create New. Enter Name, then Client name IP which is the FortiGate’s IP address. Enter the Secret (password). On Authentication method select Password-only authentication and on Username input format select username@realm.
EAP-TLS should be the only EAP type selected to prevent fallback to a less secure version of authentication if a certificate is not presented by the WiFi client.
5. Configuring local user on FortiAuthenticator
The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local user will be configured but remote users associated with LDAP can be configured as well.
Go to Authentication > User Management > Local Users. Click Create New. Fill out applicable user information.
6. Configuring local user certificate on FortiAuthenticator
The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that the Name (CN) must exactly match the username of the user that is registered in the FortiAuthenticator (i.e. eap-user).
Go to Certificate Management > End Entities > Users. Click Create New. Fill out applicable user information to map the certificate to the correct user.
7. Creating RADIUS server on FortiGate
In order to proxy the authentication request from the wireless client, the FortiGate will need to have a RADIUS server to submit the authentication request to.
On the FortiGate, go to User & Device > RADIUS Servers. Select Create New. Type FortiAuth. Enter the FortiAuthenticator’s IP address and the Server Secret (password). Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.
8. Creating WiFi SSID on FortiGate
In order for the WiFi client to connect using its certificate, an SSID has to be configured on the FortiGate to accept this type of authentication.
Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with RADIUS Server authentication, and choose FortiAuth.
9. Exporting user certificate from FortiAuthenticator
In order for the WiFi client to authenticate with the RADIUS server, the user certificate created in the FortiAuthenticator must first be exported.
On the FortiAuthenticator, go to Certificate Management > End Entities > Users. Click the checkbox beside the certificate. Click Export PKCS#12.
In Export User Certificate and Key File, type a password in Passphrase and confirm it. This password will be used when importing the certificate into a Windows 7 computer. Click OK.
Click Download PKCS#12 file to pull this certificate to the Windows 7 computer. Click Finish.
9. Importing user certificate into Windows 7
On the Windows 7 computer, double-click the downloaded certificate file from the FortiAuthenticator. This will launch the Welcome to Certificate Import Wizard. Click Next.
Make sure the correct certificate is shown in the File Name section in the File to Import window. Click Next.
Below Password, type the password created on the FortiAuthenticator during the export of the certificate. Select Mark this key as exportable. Leave remaining defaults. Click Next.
In Certificate Store, choose Place all certificates in the following store. Click Browse and choose Personal. Click Next, and then Finish. A dialog box will show up confirming the certificate was imported successfully.
10. Configuring Windows 7 wireless profile to use certificate
Create a new wireless SSID for this secure connection, in this case EAP-TLS. On Windows 7, go to Control Panel > Network and Sharing Center > Manage Wireless Networks > Add. Select Security type: WPA2-Enterprise and Encryption type: AES.
Modify the newly created wireless connection EAP-TLS by right-clicking and choosing Properties.
On EAP-TLS Wireless Network Properties, under Choose a network authentication method, select Microsoft: Smart card or other certificates. Then click on Settings.
On Smart Card or other Certificates Properties, under When connecting, select Use a certificate on this computer, and check Use simple certificate selection. Click OK and click OK.
Please note that, for simplification purposes, Validate server certificate has been disabled, but EAP-TLS allows the client to validate the server as well as the server to validate the client. To enable this, you will need to import the CA certificate from the FortiAuthenticator to the Windows 7 computer and make sure that it is enabled as a Trusted Root Certification Authority.
The configuration for the Windows 7 computer has been completed and the user should be able to authenticate to WiFi via the certificate without using username and password.
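The certificate relationships this recipe builds through the GUI (steps 1, 2, 6 and 9), and the chain check that Validate server certificate performs on the client, reproduced with the openssl command line as an added example that is not part of the original recipe or of Fortinet's tooling. The CA name, fac.lab.example, the file names and the passphrase are assumptions; eap-user is the username from step 6.

```bash
#!/usr/bin/env bash
# Constructed lab PKI with the same roles as the recipe. Every name, file and
# passphrase here is an assumption for the example, not a FortiAuthenticator value.
set -eu
WORK=$(mktemp -d)

build_lab_pki() {
  cd "$WORK"
  # Step 1: self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Local CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  # Steps 2 and 6: service certificate and user certificate, both issued by the CA
  for cn in fac.lab.example eap-user; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
    openssl x509 -req -in "$cn.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -out "$cn.pem" 2>/dev/null
  done
  # Step 9: passphrase-protected PKCS#12 bundle for the user
  openssl pkcs12 -export -inkey eap-user.key -in eap-user.pem -certfile ca.pem \
    -passout pass:constructed-passphrase -out eap-user.p12
  # Same server name, but self-signed instead of issued by the lab CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=fac.lab.example" \
    -keyout other.key -out other.pem 2>/dev/null
}

# Succeeds only if certificate $2 chains to CA file $1 (what server validation checks).
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Prints the subject CN of the client certificate inside PKCS#12 file $1 (passphrase $2).
p12_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject -nameopt multiline |
    awk -F'= ' '/commonName/ {print $2}'
}

build_lab_pki
chains_to_ca ca.pem fac.lab.example.pem && echo "service certificate: chains to local CA"
chains_to_ca ca.pem eap-user.pem && echo "user certificate: chains to local CA"
chains_to_ca ca.pem other.pem || echo "unrelated server certificate: rejected"
[ "$(p12_cn eap-user.p12 constructed-passphrase)" = "eap-user" ] &&
  echo "PKCS#12 CN matches the username"
```

The third check is the one a client skips when Validate server certificate is disabled: a certificate carrying the expected server name but issued by a different CA is only rejected when the client verifies the chain against the imported root.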
11. Results on FortiAuthenticator
When the user attempts to authenticate to WiFi using the certificate, they will have a specific log entry in the FortiAuthenticator.
12. Results on FortiGate
The log on the FortiGate shows plenty of details, such as the client’s MAC address, IP address, SSID, Security Mode, Encryption, AP, Radio, Band and Channel.