Administration Guide

Extensible Authentication Protocol

FortiAuthenticator supports several IEEE 802.1X Extensible Authentication Protocol (EAP) methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

FortiAuthenticator supports the following EAP methods:

| Method | Server Auth | Client Auth | Encryption | Native OS Support |
| --- | --- | --- | --- | --- |
| PEAP (MSCHAPv2) | Yes | Yes | Yes | Windows XP, Vista, 7, 8, 10 |
| EAP-TTLS | Yes | No | Yes | Windows Vista, 7, 8, 10 |
| EAP-TLS | Yes | Yes | Yes | Windows (XP, 7, 8, 10), Mac OS X, iOS, Linux, Android |
| EAP-GTC | Yes | Yes | Yes | None (external supplicant required) |

In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication > User Management > Local Users (see Local users) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.

FortiAuthenticator and EAP

FortiAuthenticator delivers all of the authentication features required for a successful EAP-TLS deployment, including:

  • Certificate Management: Create and revoke certificates as a CA. See Certificate management.
  • Simple Certificate Enrollment Protocol (SCEP) Server: Exchange a certificate signing request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.

FortiAuthenticator unit configuration

To configure FortiAuthenticator, you need to:

  1. Create a CA certificate for FortiAuthenticator. See Certificate authorities.
  2. Alternatively, skip step 1 and use an external CA certificate instead: go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs.
  3. Create a server certificate for FortiAuthenticator, using the CA certificate you created or imported in the preceding step. See End entities.
  4. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP.
  5. If SCEP will be used:
    • Configure an SMTP server for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See Email services.
    • Go to Certificate Management > SCEP > General, select Enable SCEP, select the CA certificate that you created or imported in Step 1 in the Default CA field, and select OK. See SCEP.
  6. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP.
  7. Import users from the remote LDAP server. You can choose which specific users are permitted to authenticate. See Remote users.
  8. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service.

Configuring certificates for EAP

FortiAuthenticator can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP Server Certificate dropdown menu.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their respective lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration is largely vendor dependent. The key requirements are:

  • RADIUS server IP: This is the IP address of the FortiAuthenticator.
  • Key: The pre-shared secret configured in the FortiAuthenticator authentication client settings.
  • Authentication port: By default, FortiAuthenticator listens for authentication requests on port 1812.
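
The pre-shared key listed above is what lets the RADIUS server trust an EAP-carrying request from a switch or wireless controller. The following added example (not Fortinet code, and not taken from this guide) builds a RADIUS Access-Request that carries an EAP Identity response and verifies its Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, per RFC 3579). The function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """EAP packet: code 2 (Response), id, length, type 1 (Identity), data."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(secret: bytes, pkt_id: int, user: bytes) -> bytes:
    """Access-Request carrying EAP, signed with Message-Authenticator."""
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_EAP_MESSAGE, eap_identity_response(1, user))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed for HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the attribute value is the last 16 bytes


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute value zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False  # malformed attribute
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += a_len
    return False  # no Message-Authenticator present: reject
```

A mismatched key on either side makes this check fail for every request, which is why a wrong shared secret shows up as total authentication failure rather than as per-user rejections.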
