EAP

The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

The FortiAuthenticator unit supports several EAP methods:

Method Server Auth Client Auth Encryption Native OS Support
PEAP (MSCHAPv2) Yes Yes Yes Windows XP, Vista, 7
EAP-TTLS Yes No Yes Windows Vista, 7
EAP-TLS Yes Yes Yes Windows (XP, 7), Mac OS X, iOS, Linux, Android

In addition to providing a channel for user authentication, EAP methods, except EAP-MD5, also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication > User Management > Local Users (see Local users) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.

The FortiAuthenticator unit and EAP

A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:

FortiAuthenticator unit configuration

To configure the FortiAuthenticator unit, you need to:

  1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities.

    2. Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs.

  2. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities.
  3. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP.
  4. If SCEP will be used:
    1. Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services.
    2. Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP.
  5. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP.
  6. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users.
  7. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service.

Configuring certificates for EAP

The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP Server Certificate drop-down list.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their requisite lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:

Chapter: Port-based Network Access Control > EAP

Open topic with navigation