Support for EAP/TLS on FortiWiFi models operating in Client Mode 7.4.1
This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide.
EAP/TLS authentication is supported on FortiWiFi 80F/60F/40F series models operating in wireless client mode. This allows the FortiWiFi local radio to connect with a WPA2/WPA3-Enterprise SSID and support PEAP and EAP-TLS authentication methods.
This enhancement adds a new wpa-enterprise CLI option for the wifi-security setting under the wifi-network configuration.
New CLI:

    config wifi-networks
        edit <ID>
            set wifi-security wpa-enterprise
            set wifi-eap-type [both | tls | peap]
            set wifi-username <username>
            set wifi-client-certificate <client_cert_name>
            set wifi-private-key <client_cert_name>
        next
    end
When wifi-security is set to wpa-enterprise, the local radio can recognize the security mode of third-party SSIDs and automatically adapt when connecting. These security modes include WPA2-Only-Enterprise, WPA3-Only-Enterprise, WPA3-Enterprise with 192-bit encryption, and so on.
When connecting to a WPA2/WPA3-Enterprise SSID via EAP-TLS, users must also configure the WiFi username, client certificate, and private key settings as applicable.
To configure FortiWiFi to run in client mode and support EAP/TLS:

- Change the wireless mode to client.

    config system global
        set wireless-mode client
    end

  Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

- Set the wifi-security mode to wpa-enterprise.

    config system interface
        edit "wifi"
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
                    set wifi-security wpa-enterprise
                    ...

- After setting wpa-enterprise, configure the following as needed:

  wifi-eap-type - Select a WPA2/WPA3-Enterprise EAP method.
      PEAP - wifi-username and wifi-passphrase should be set to the user account's name and password.
      TLS - The client certificate is specified by the following settings: wifi-client-certificate, wifi-private-key, and wifi-private-key-password.
  wifi-username - Username for WPA2/WPA3-Enterprise.
  wifi-client-certificate - Client certificate for WPA2/WPA3-Enterprise.
  wifi-private-key - Private key for WPA2/WPA3-Enterprise.
  wifi-private-key-password - Password for the private key file for WPA2/WPA3-Enterprise.
  wifi-ca-certificate - CA certificate for WPA2/WPA3-Enterprise.
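Added example (not from the FortiWiFi guide or FortiOS itself): a small Python checker that parses a wifi-networks CLI block like the ones above and reports entries whose EAP method lacks its required settings, or that leave wifi-ca-certificate unset and therefore do not verify the server certificate. It assumes that wifi-eap-type both (and an unset EAP type) needs the settings of both methods; the CLI sample inside is constructed.

```python
import re
# Settings each EAP method needs on a wpa-enterprise wifi-network entry (from the page).
REQUIRED = {"peap": ("wifi-username", "wifi-passphrase"),
            "tls": ("wifi-username", "wifi-client-certificate", "wifi-private-key")}

def parse_wifi_networks(cli_text):
    """Parse 'config wifi-networks' entries of a FortiOS CLI dump into {id: {setting: value}}."""
    entries, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.split("<---")[0].strip()              # drop doc-style inline annotations
        if m := re.match(r"^edit\s+(\d+)$", line):       # numeric IDs are wifi-network entries
            current = entries.setdefault(int(m.group(1)), {})
        elif (m := re.match(r"^set\s+(\S+)\s+(.*)$", line)) and current is not None:
            current[m.group(1)] = m.group(2).strip().strip('"')
        elif line == "next":
            current = None
    return entries

def check_entry(entry):
    """Findings for one entry (empty = OK). Assumption: unset/'both' eap-type needs both sets."""
    if entry.get("wifi-security") != "wpa-enterprise":
        return []
    eap = entry.get("wifi-eap-type", "both")
    methods = ("peap", "tls") if eap == "both" else (eap,)
    findings = [f"{m}: missing {k}" for m in methods for k in REQUIRED[m] if k not in entry]
    if "wifi-ca-certificate" not in entry:
        findings.append("server certificate not verified (wifi-ca-certificate unset)")
    return findings

def audit(cli_text):
    return {eid: check_entry(e) for eid, e in parse_wifi_networks(cli_text).items()}

# Constructed sample: a PEAP entry missing its passphrase and CA cert, and the page's EAP-TLS entry.
SAMPLE_CLI = """config wifi-networks
    edit 1
        set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
        set wifi-security wpa-enterprise
        set wifi-eap-type peap
        set wifi-username "tester"
    next
    edit 2
        set wifi-ssid "FOS_101F_WPA3_ENT_TLS"
        set wifi-security wpa-enterprise
        set wifi-eap-type tls
        set wifi-username "81F-client"
        set wifi-client-certificate "client-cert"   <--- name of the imported client certificate
        set wifi-private-key "client-cert"
        set wifi-ca-certificate "CA_Cert_1"
    next
end"""
```

Running audit(SAMPLE_CLI) flags entry 1 for the missing passphrase and the unset CA certificate, and returns no findings for entry 2.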
Example Use Case - WPA2-Only-Enterprise SSID using EAP-PEAP
The following example configures the local radio to connect to a WPA2-Only-Enterprise SSID using the EAP-PEAP authentication method.

- Upload the CA certificate used to verify the server certificate of the third-party SSID.
  CA certificate verification is optional; users can decide whether to verify the server certificate by changing the wifi-ca-certificate setting. To upload the CA certificate to FortiGate, log into the GUI and go to System > Certificates. Click Create/Import > CA Certificate, and follow the onscreen instructions to import the CA certificate.

- Configure the wifi-network entry:

    config system interface
        edit "wifi"
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
                    set wifi-security wpa-enterprise
                    set wifi-eap-type peap
                    set wifi-username "tester"
                    set wifi-passphrase *
                    set wifi-ca-certificate "CA_Cert_1"   <--- This is an optional setting. "CA_Cert_1" is the imported CA certificate.
                next
            end
        next
    end

- Check the connection status:

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf name: wlan17
    status: up
    ip: 10.4.1.2
    mac: d4:76:a0:18:e0:8f
    auto connect: yes
    auto save: no
    ap band: any
    wifi network cnt: 1
        1: FOS_101F_WPA2_ENT_PEAP, 16, 1
    connected: FOS_101F_WPA2_ENT_PEAP
Example Use Case - WPA3-Only-Enterprise SSID using EAP-TLS
The following example configures the local radio to connect to a WPA3-Only-Enterprise SSID using the EAP-TLS authentication method.

- Upload the CA certificate used to verify the server certificate of the third-party SSID.
  CA certificate verification is optional; users can decide whether to verify the server certificate by changing the wifi-ca-certificate setting. To upload the CA certificate to FortiGate, log into the GUI and go to System > Certificates. Click Create/Import > CA Certificate, and follow the onscreen instructions to import the CA certificate.

- Upload the client certificate (with its private key file), which will be sent to the third-party SSID side for verification and authentication.
    - To upload the client certificate with private key file to FortiGate, log into the GUI and go to System > Certificates.
    - Click Create/Import > Certificate.
    - Click Import Certificate, select PKCS #12 Certificate or Certificate, and then follow the onscreen instructions to import the client certificate with private key file.

- Configure the wifi-network entry:

    config system interface
        edit "wifi"
            config wifi-networks
                edit 2
                    set wifi-ssid "FOS_101F_WPA3_ENT_TLS"
                    set wifi-security wpa-enterprise
                    set wifi-eap-type tls
                    set wifi-username "81F-client"
                    set wifi-client-certificate "client-cert"   <--- "client-cert" is the name of the imported client certificate.
                    set wifi-private-key "client-cert"          <--- It uses the same name as the imported client certificate.
                    set wifi-private-key-password *
                    set wifi-ca-certificate "CA_Cert_1"         <--- This is an optional setting. "CA_Cert_1" is the imported CA certificate.
                next
            end
        next
    end

  wifi-username is the "identity" of the client-mode local radio during EAP-TLS authentication. wifi-private-key-password is the password created when importing the client certificate on the FortiWiFi.

- Check the connection status:

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf name: wlan07
    status: up
    ip: 10.30.80.2
    mac: d4:76:a0:18:e0:87
    auto connect: yes
    auto save: no
    ap band: any
    wifi network cnt: 1
        1: FOS_101F_WPA3_ENT_TLS, 16, 1
    connected: FOS_101F_WPA3_ENT_TLS