Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
FortiWiFi 80F/60F/40F series models operating in wireless client mode can be configured to use EAP/TLS authentication. This allows the FortiWiFi local radio to connect with a WPA2/WPA3-Enterprise SSID and support PEAP and EAP-TLS authentication methods.
EAP/TLS authentication is configured with the wpa-enterprise option of the wifi-security setting under the wifi-networks configuration:

    config wifi-networks
        edit <ID>
            set wifi-security wpa-enterprise
            set wifi-eap-type [both | tls | peap]
            set wifi-username <username>
            set wifi-client-certificate <client_cert_name>
            set wifi-private-key <client_cert_name>
        next
    end
When wifi-security is set to wpa-enterprise, the local radio recognizes the security mode of third-party SSIDs and adapts automatically when connecting. These security modes include WPA2-Only-Enterprise, WPA3-Only-Enterprise, and WPA3-Enterprise with 192-bit encryption.

When connecting to a WPA2/WPA3-Enterprise SSID via EAP-TLS, you must also configure the WiFi username, client certificate, and private key settings as applicable.
To configure FortiWiFi to run in client mode and support EAP/TLS:

- Change the wireless mode to client. See Configuring a FortiWiFi unit as a wireless client.
- Set the wifi-security mode to wpa-enterprise:

    config system interface
        edit "wifi"
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
                    set wifi-security wpa-enterprise
                    ...

- After setting wpa-enterprise, configure the following as needed:

    wifi-eap-type: Select a WPA2/WPA3-Enterprise EAP method.
        PEAP - wifi-username and wifi-passphrase should be set to the user account's name and password.
        TLS - The client certificate is specified by the following settings: wifi-client-certificate, wifi-private-key, and wifi-private-key-password.
    wifi-username: Username for WPA2/WPA3-Enterprise.
    wifi-client-certificate: Client certificate for WPA2/WPA3-Enterprise.
    wifi-private-key: Private key for WPA2/WPA3-Enterprise.
    wifi-private-key-password: Password for the private key file for WPA2/WPA3-Enterprise.
    wifi-ca-certificate: CA certificate for WPA2/WPA3-Enterprise.
Example Use Case - WPA2-Only-Enterprise SSID using EAP-PEAP

The following example configures the local radio to connect to a WPA2-Only-Enterprise SSID using the EAP-PEAP authentication method.

- Upload the CA certificate used to verify the server certificate presented by the 3rd-party SSID.
  CA certificate verification is optional: you decide whether the server certificate is verified by setting or clearing wifi-ca-certificate. To upload the CA certificate to FortiGate, log into the GUI and go to System > Certificates. Click Create/Import > CA Certificate, and follow the onscreen instructions to import the CA certificate.
- Configure the wifi-networks entry:

    config system interface
        edit "wifi"
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_101F_WPA2_ENT_PEAP"
                    set wifi-security wpa-enterprise
                    set wifi-eap-type peap
                    set wifi-username "tester"
                    set wifi-passphrase *
                    set wifi-ca-certificate "CA_Cert_1"    <--- optional; "CA_Cert_1" is the imported CA certificate
                next
            end
        next
    end

- Check the connection status:

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf name: wlan17
    status: up
    ip: 10.4.1.2
    mac: d4:76:a0:18:e0:8f
    auto connect: yes
    auto save: no
    ap band: any
    wifi network cnt: 1
       1: FOS_101F_WPA2_ENT_PEAP, 16, 1
    connected: FOS_101F_WPA2_ENT_PEAP
Example Use Case - WPA3-Only-Enterprise SSID using EAP-TLS

The following example configures the local radio to connect to a WPA3-Only-Enterprise SSID using the EAP-TLS authentication method.

- Upload the CA certificate used to verify the server certificate presented by the 3rd-party SSID.
  CA certificate verification is optional: you decide whether the server certificate is verified by setting or clearing wifi-ca-certificate. To upload the CA certificate to FortiGate, log into the GUI and go to System > Certificates. Click Create/Import > CA Certificate, and follow the onscreen instructions to import the CA certificate.
- Upload the client certificate (with its private key file), which is sent to the 3rd-party SSID side for verification and authentication:
    - Log into the GUI and go to System > Certificates.
    - Click Create/Import > Certificate.
    - Click Import Certificate, select PKCS #12 Certificate or Certificate, and follow the onscreen instructions to import the client certificate with its private key file.
- Configure the wifi-networks entry:

    config system interface
        edit "wifi"
            config wifi-networks
                edit 2
                    set wifi-ssid "FOS_101F_WPA3_ENT_TLS"
                    set wifi-security wpa-enterprise
                    set wifi-eap-type tls
                    set wifi-username "81F-client"
                    set wifi-client-certificate "client-cert"    <---- "client-cert" is the name of the imported client certificate
                    set wifi-private-key "client-cert"           <---- uses the same name as the imported client certificate
                    set wifi-private-key-password *
                    set wifi-ca-certificate "CA_Cert_1"          <---- optional; "CA_Cert_1" is the imported CA certificate
                next
            end
        next
    end

  wifi-username is the identity of the client-mode local radio during EAP-TLS authentication. wifi-private-key-password is the password created when importing the client certificate on the FortiWiFi.

- Check the connection status:

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf name: wlan07
    status: up
    ip: 10.30.80.2
    mac: d4:76:a0:18:e0:87
    auto connect: yes
    auto save: no
    ap band: any
    wifi network cnt: 1
       1: FOS_101F_WPA3_ENT_TLS, 16, 1
    connected: FOS_101F_WPA3_ENT_TLS
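The wifi-networks entries and the connection-status output from both use cases above can be checked together when the configuration is kept under version control or pulled from several units. The following script is an added example, not Fortinet's code or a FortiOS tool: it parses a config wifi-networks block and the output of diagnose wireless-controller wlsta cfg (both embedded here as constructed sample text based on the EAP-TLS use case), reports which settings the chosen EAP method still needs, flags an entry without wifi-ca-certificate because the SSID's server certificate is then not verified, and confirms the radio is up and connected to the expected SSID. The required-setting lists come from the setting descriptions above; the line layout assumed for the diagnose output follows the status output shown in the use cases.

```python
"""Cross-check a FortiWiFi client-mode EAP entry against the radio's reported
connection status. Added example (not Fortinet's code): it parses the page's
`config wifi-networks` block and `diagnose wireless-controller wlsta cfg` output."""
import re
import shlex

# Settings each EAP method needs, from the page's setting list.
REQUIRED = {"peap": ["wifi-username", "wifi-passphrase"],
            "tls": ["wifi-username", "wifi-client-certificate", "wifi-private-key"]}
REQUIRED["both"] = REQUIRED["peap"] + REQUIRED["tls"][1:]

# Constructed sample: the page's EAP-TLS entry, keeping one "<--" annotation.
SAMPLE_CONFIG = """\
config system interface
    edit "wifi"
        config wifi-networks
            edit 2
                set wifi-ssid "FOS_101F_WPA3_ENT_TLS"
                set wifi-security wpa-enterprise
                set wifi-eap-type tls
                set wifi-username "81F-client"
                set wifi-client-certificate "client-cert" <---- imported client certificate
                set wifi-private-key "client-cert"
                set wifi-private-key-password *
                set wifi-ca-certificate "CA_Cert_1"
            next
        end
    next
end
"""

# Constructed sample of the diagnose output for that entry (fields abridged).
SAMPLE_STATUS = """\
STA intf name: wlan07
status: up
mac: d4:76:a0:18:e0:87
wifi network cnt: 1
  1: FOS_101F_WPA3_ENT_TLS, 16, 1
connected: FOS_101F_WPA3_ENT_TLS
"""

def parse_wifi_networks(text):
    """Return {entry_id: {setting: value}} for each edit inside config wifi-networks."""
    entries, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()  # drop the page-style inline annotations
        if not line:
            continue
        words = shlex.split(line)
        if words[:2] == ["config", "wifi-networks"]:
            in_block = True
        elif not in_block:
            continue  # skip the outer `config system interface` wrapper
        elif words[0] == "edit":
            current, entries[words[1]] = words[1], {}
        elif words[0] == "set" and current is not None:
            entries[current][words[1]] = " ".join(words[2:])
        elif words[0] == "end":
            in_block = False
    return entries

def lint_entry(settings):
    """List settings missing for the entry's EAP method; warn when no CA cert is set."""
    if settings.get("wifi-security") != "wpa-enterprise":
        return ["wifi-security must be wpa-enterprise for EAP"]
    eap = settings.get("wifi-eap-type")
    if eap not in REQUIRED:
        return [f"wifi-eap-type must be both, tls or peap, got {eap!r}"]
    findings = [f"{k} is required for wifi-eap-type {eap}"
                for k in REQUIRED[eap] if not settings.get(k)]
    if not settings.get("wifi-ca-certificate"):
        findings.append("wifi-ca-certificate not set: server certificate is not verified")
    return findings

def parse_wlsta_cfg(text):
    """Parse `key: value` lines; the numbered network list goes under 'networks' by SSID."""
    info = {"networks": {}}
    for line in text.splitlines():
        line = line.strip()
        net = re.match(r"^(\d+):\s*([^,]+),\s*(.*)$", line)
        if net:
            info["networks"][net.group(2).strip()] = net.group(3)
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only, so MACs survive
            info[key.strip()] = value.strip()
    return info

def verify(config_text, status_text, expected_ssid):
    """Return (ok, reasons): radio up, connected to expected_ssid, entry complete."""
    status, reasons = parse_wlsta_cfg(status_text), []
    if status.get("status") != "up":
        reasons.append(f"radio status is {status.get('status')!r}, not up")
    if status.get("connected") != expected_ssid:
        reasons.append(f"connected to {status.get('connected')!r}, expected {expected_ssid!r}")
    entry = [s for s in parse_wifi_networks(config_text).values()
             if s.get("wifi-ssid") == expected_ssid]
    if not entry:
        reasons.append(f"no wifi-networks entry with wifi-ssid {expected_ssid!r}")
    else:
        reasons.extend(lint_entry(entry[0]))
    return not reasons, reasons
```

Call verify() with the text of show system interface and the diagnose output captured from the unit; an empty reasons list means the entry is complete for its EAP method and the radio is on the SSID you expect. The CA-certificate finding is only a warning, matching the page's statement that verification is optional, but it is the setting that stops the radio from authenticating to any SSID that merely uses the same name.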