FortiWiFi and FortiAP Configuration Guide

Enabling EAP/TLS authentication on a FortiWiFi unit in client mode

FortiWiFi 80F/60F/40F series models operating in wireless client mode can be configured to use EAP/TLS authentication. This allows the FortiWiFi local radio to connect with a WPA2/WPA3-Enterprise SSID and support PEAP and EAP-TLS authentication methods.

EAP/TLS authentication can be configured with the wpa-enterprise CLI option for the wifi-security setting under wifi-network configuration.

config wifi-networks
  edit < ID >
    set wifi-security wpa-enterprise
    set wifi-eap-type [both | tls | peap]
    set wifi-username < username >
    set wifi-client-certificate < client_cert_name >
    set wifi-private-key < client_cert_name >
  next
end

When wifi-security is set to wpa-enterprise, the local radio can recognize the security mode of third-party SSIDs and automatically adapt when connecting. These security modes include WPA2-Only-Enterprise, WPA3-Only-Enterprise, WPA3-Enterprise with 192-bit encryption, and so on.

When connecting to a WPA2/WPA3-Enterprise SSID via EAP-TLS, users must also configure the WiFi username, client certificate, and private key settings as applicable.

To configure FortiWiFi to run in client mode and support EAP/TLS:
  1. Change the wireless mode to client. See Configuring a FortiWiFi unit as a wireless client.

  2. Set the wifi-security mode to wpa-enterprise.

    config system interface
      edit "wifi"
        config wifi-networks
          edit 1
            set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
            set wifi-security wpa-enterprise
            ...
  3. After setting wpa-enterprise, configure the following as needed:

    wifi-eap-type

    Select a WPA2/WPA3-ENTERPRISE EAP method.

    • PEAP - wifi-username and wifi-passphrase should be set as the user account's name and password.
    • TLS - The client certificate should be specified by the following settings:
      • wifi-client-certificate

      • wifi-private-key

      • wifi-private-key-password

    wifi-username

    Username for WPA2/WPA3-ENTERPRISE.

    wifi-client-certificate

    Client certificate for WPA2/WPA3-ENTERPRISE.

    wifi-private-key

    Private key for WPA2/WPA3-ENTERPRISE.

    wifi-private-key-password

    Password for private key file for WPA2/WPA3-ENTERPRISE.

    wifi-ca-certificate

    CA certificate for WPA2/WPA3-ENTERPRISE.
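The settings above have dependencies that the CLI does not enforce for you: each wifi-eap-type needs its own set of fields, and wifi-ca-certificate decides whether the radio verifies the RADIUS server's certificate at all. The following script is an added example for this page (it is not Fortinet code and FortiOS has no such linter); it parses a `config wifi-networks` block in the CLI text form shown in this guide and reports, per entry, which required settings are missing. The required-field rules are the ones this guide states (PEAP needs wifi-username and wifi-passphrase; TLS needs wifi-client-certificate and wifi-private-key); treating an absent wifi-ca-certificate as a warning is this example's own policy, since without it the supplicant has no way to tell the legitimate authentication server from any other server presenting a certificate for the same SSID. The sample configuration is constructed from the two entries used in the examples below, with the secrets masked as `*` exactly as the CLI prints them.

```python
"""Lint a FortiOS 'config wifi-networks' block for wpa-enterprise settings.

Added example, not Fortinet code. Rules encoded: PEAP -> wifi-username +
wifi-passphrase; TLS -> wifi-username + wifi-client-certificate + wifi-private-key;
'both' -> the union. A missing wifi-ca-certificate is reported as a warning
(this example's own choice; the guide documents it as optional).
"""
import re

# Constructed sample: the two wifi-network entries used in this guide's examples.
SAMPLE_CONFIG = """\
config system interface
  edit "wifi"
    config wifi-networks
      edit 1
        set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
        set wifi-security wpa-enterprise
        set wifi-eap-type peap
        set wifi-username "tester"
        set wifi-passphrase *
      next
      edit 2
        set wifi-ssid "FOS_101F_WPA3_ENT_TLS"
        set wifi-security wpa-enterprise
        set wifi-eap-type tls
        set wifi-username "81F-client"
        set wifi-client-certificate "client-cert"
        set wifi-private-key "client-cert"
        set wifi-private-key-password *
        set wifi-ca-certificate "CA_Cert_1"
      next
    end
  next
end
"""

REQUIRED = {
    "peap": ("wifi-username", "wifi-passphrase"),
    "tls": ("wifi-username", "wifi-client-certificate", "wifi-private-key"),
}
# 'both' must satisfy PEAP and TLS; dict.fromkeys keeps order and drops duplicates.
REQUIRED["both"] = tuple(dict.fromkeys(REQUIRED["peap"] + REQUIRED["tls"]))

CA_WARNING = "warning: wifi-ca-certificate not set; server certificate will not be verified"


def parse_wifi_networks(text):
    """Return {entry_id: {setting: value}} for the first 'config wifi-networks' block."""
    entries, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config wifi-networks":
            in_block = True
        elif not in_block:
            continue                      # skip the enclosing 'config system interface'
        elif line == "end":
            break                         # first 'end' closes the wifi-networks block
        elif line.startswith("edit "):
            current = line.split(None, 1)[1]
            entries[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            m = re.match(r"set\s+(\S+)\s+(.*)$", line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def check_entry(settings):
    """Return a list of findings for one entry; an empty list means it is complete."""
    findings = []
    if settings.get("wifi-security") != "wpa-enterprise":
        return findings                   # only wpa-enterprise entries are in scope
    eap = settings.get("wifi-eap-type")
    if eap not in REQUIRED:
        return ["error: wifi-eap-type must be one of both|tls|peap"]
    for key in REQUIRED[eap]:
        if key not in settings:
            findings.append(f"error: {eap} requires {key}")
    if "wifi-ca-certificate" not in settings:
        findings.append(CA_WARNING)
    return findings


def lint(text):
    """Map each wifi-network entry id to its findings."""
    return {eid: check_entry(s) for eid, s in parse_wifi_networks(text).items()}


if __name__ == "__main__":
    for eid, findings in lint(SAMPLE_CONFIG).items():
        print(f"entry {eid}:", findings or ["ok"])
```

Run against the sample, entry 1 (PEAP without a CA certificate) gets the verification warning and entry 2 (TLS with CA_Cert_1) is clean. Paste the output of `show system interface wifi` in place of the constructed sample to check a live unit.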

Example Use Case - WPA2-Only-Enterprise SSID using the EAP-PEAP

The following example configures the local radio to connect to a WPA2-Only-Enterprise SSID using the EAP-PEAP authentication method.

  1. Upload the CA certificate to verify the server certificate from the 3rd-party SSID.

    Note

    The CA certificate verification is an optional setting; users can decide whether to verify the server certificate by changing the wifi-ca-certificate setting. To upload the CA certificate to FortiGate, log into the GUI and go to System > Certificates. Click Create/Import > CA Certificate, and follow the onscreen instructions to import the CA certificate.

  2. Configure the wifi-network entry:

    config system interface
      edit "wifi"
        config wifi-networks
          edit 1
            set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
            set wifi-security wpa-enterprise
            set wifi-eap-type peap
            set wifi-username "tester"
            set wifi-passphrase *
            set wifi-ca-certificate "CA_Cert_1"     <---This is an optional setting. "CA_Cert_1" is the imported CA certificate
          next
        end
      next
    end
  3. Check the connection status:

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf        name: wlan17
                  status: up
                      ip: 10.4.1.2
                     mac: d4:76:a0:18:e0:8f
            auto connect: yes
               auto save: no
                 ap band: any
        wifi network cnt: 1
                       1: FOS_101F_WPA2_ENT_PEAP, 16, 1
               connected: FOS_101F_WPA2_ENT_PEAP
Example Use Case - WPA3-Only-Enterprise SSID using EAP-TLS

The following example configures the local radio to connect to a WPA3-Only-Enterprise SSID using EAP-TLS authentication method.

  1. Upload the CA certificate to verify the server certificate from the 3rd-party SSID.

    Note

    The CA certificate verification is an optional setting; users can decide whether to verify the server certificate by changing the wifi-ca-certificate setting. To upload the CA certificate to FortiGate, log into the GUI and go to System > Certificates. Click Create/Import > CA Certificate, and follow the onscreen instructions to import the CA certificate.

  2. Upload the client certificate (with private key file), which will be sent to the 3rd-party SSID side for verification and authentication.

    1. To upload the client certificate with private key file to FortiGate, log into the GUI and go to System > Certificates.

    2. Click Create/Import > Certificate.

    3. Click Import Certificate, select PKCS #12 Certificate or Certificate, and then follow the onscreen instructions to import the client certificate with private key file.

  3. Configure the wifi-network entry:

    config system interface
      edit "wifi"
        config wifi-networks
          edit 2
            set wifi-ssid "FOS_101F_WPA3_ENT_TLS"
            set wifi-security wpa-enterprise
            set wifi-eap-type tls
            set wifi-username "81F-client"   
            set wifi-client-certificate "client-cert"     <----"client-cert" is the name of imported client certificate
            set wifi-private-key "client-cert"          <---It uses the same name of imported client certificate
            set wifi-private-key-password *
            set wifi-ca-certificate "CA_Cert_1"     <---This is an optional setting. "CA_Cert_1" is the imported CA certificate
          next
        end
      next
    end
    Note
    • wifi-username is the "identity" of the client-mode local radio during EAP-TLS authentication.
    • wifi-private-key-password is the password created when importing the client certificate on the FortiWiFi.
  4. Check the connection status:

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf        name: wlan07
                  status: up
                      ip: 10.30.80.2
                     mac: d4:76:a0:18:e0:87
            auto connect: yes
               auto save: no
                 ap band: any
        wifi network cnt: 1
                       1: FOS_101F_WPA3_ENT_TLS, 16, 1
               connected: FOS_101F_WPA3_ENT_TLS
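Both examples end by reading `diagnose wireless-controller wlsta cfg` by eye. The script below is an added example (not Fortinet code) that parses that output, in the format shown in the two status checks above, and confirms the client-mode radio is up and associated with the SSID you expect, so the check can be scripted after a configuration change. It assumes only the field labels visible in this guide; the two numbers after the SSID in the numbered network line are not explained on this page, so the parser keeps just the SSID name. The sample output is the EAP-TLS status block from this page, reproduced as a constructed string.

```python
"""Parse 'diagnose wireless-controller wlsta cfg' output and verify association.

Added example, not Fortinet code. Field labels are those shown in this guide's
status output; the trailing ', 16, 1' columns on the network line are not
documented here and are ignored.
"""

# Constructed sample: the EAP-TLS status output shown in this guide.
SAMPLE_OUTPUT = """\
STA intf        name: wlan07
              status: up
                  ip: 10.30.80.2
                 mac: d4:76:a0:18:e0:87
        auto connect: yes
           auto save: no
             ap band: any
    wifi network cnt: 1
                   1: FOS_101F_WPA3_ENT_TLS, 16, 1
           connected: FOS_101F_WPA3_ENT_TLS
"""


def parse_wlsta(text):
    """Return (fields, networks): the key/value lines and the configured SSID names."""
    fields, networks = {}, []
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = raw.split(":", 1)    # split once so the MAC address stays intact
        key = " ".join(key.split())       # collapse the right-aligned column padding
        value = value.strip()
        if key.isdigit():                 # '1: SSID, 16, 1' is a configured network
            networks.append(value.split(",")[0].strip())
        else:
            fields[key] = value
    return fields, networks


def check_association(text, expected_ssid):
    """Return (ok, reason); ok only if the STA is up and connected to expected_ssid."""
    fields, networks = parse_wlsta(text)
    intf = fields.get("STA intf name", "?")
    status = fields.get("status", "unknown")
    if status != "up":
        return False, f"{intf} is {status}"
    connected = fields.get("connected", "")
    if connected != expected_ssid:
        return False, f"{intf} associated with {connected!r}, expected {expected_ssid!r}"
    if expected_ssid not in networks:
        return False, f"{expected_ssid!r} is not in the configured network list"
    return True, f"{intf} up, connected to {connected}"


if __name__ == "__main__":
    print(check_association(SAMPLE_OUTPUT, "FOS_101F_WPA3_ENT_TLS"))
    print(check_association(SAMPLE_OUTPUT, "FOS_101F_WPA2_ENT_PEAP"))
```

A non-zero result from the second call (wrong SSID) is the case worth alerting on: the radio is up but is not on the network the entry was written for.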