User Guide

1.1.0

SCEP Servers and Local Certificate Authorities

FortiGuest can distribute certificates to devices as they are authenticated onto the network. This is done in one of the following ways.

  • Generate user certificates on an external certificate authority, such as Microsoft Active Directory Certificate Services with NDES, and add an entry under Smart Connect > SCEP Servers.

  • Generate certificates internally on FortiGuest under Smart Connect > Local Certificate Authorities.

  • Upload certificates manually while configuring the authentication policy. See RadSec Authentication.

A user certificate is generated when a network user requests a Smart Connect profile whose EAP type is set to EAP-TLS. The certificate comes either from a SCEP server you have added or from a local certificate authority that issues it on FortiGuest.

Adding the SCEP Server

Navigate to Smart Connect > SCEP Servers and configure the following parameters to add a SCEP server.

  1. Enter the Name of the SCEP server.

  2. Enter the URL of the SCEP server (HTTP only). SCEP protects its own enrollment messages: each request is a PKCS#7 message signed by the client and encrypted to the CA (or RA) certificate, which is why the protocol expects a plain HTTP endpoint. The CA certificate the client first fetches over that URL is not authenticated by the transport, so verify its fingerprint out of band before trusting the server.

  3. Enter the Challenge Password that is required when enrolling against NDES on a Windows server. If no password is specified, the user's current password is used as the challenge when the client certificate is generated.

  4. Enter the Key Size, in bits, of the key pair generated for the client certificate. Use 2048 bits or larger.

  5. Enter the OCSP URL. FortiGuest sends an OCSP request to this responder to check the revocation status of a user certificate during authentication.
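Before pointing FortiGuest at a SCEP URL, it is worth checking what the endpoint actually advertises, because a server that offers only SHA-1 and DES drags every enrollment down to those algorithms. The following Go program is an added example, not FortiGuest code or anything from Fortinet: it builds the GetCACaps query defined in RFC 8894, parses the capability list the server returns, and flags missing capabilities and what each one forces a client to fall back to. The endpoint path, the capability lists and the in-process test server that stands in for an NDES host are constructed so the program runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// GetCACapsURL builds the RFC 8894 GetCACaps query for a SCEP endpoint such as
// http://ndes.example.com/certsrv/mscep/mscep.dll (a placeholder URL). caIdent is
// the optional CA identifier sent in the "message" parameter.
func GetCACapsURL(server, caIdent string) (string, error) {
	u, err := url.Parse(server)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("operation", "GetCACaps")
	if caIdent != "" {
		q.Set("message", caIdent)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ParseCACaps reads the text/plain response body: one capability keyword per line.
func ParseCACaps(body string) map[string]bool {
	caps := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if tok := strings.TrimSpace(sc.Text()); tok != "" {
			caps[tok] = true
		}
	}
	return caps
}

// CheckCACaps lists what an enrollment has to fall back to when a capability is
// missing: SHA-1 signatures, DES-family encryption of the PKCS#7 envelope,
// GET-only transport, and no renewal signed with the existing certificate.
func CheckCACaps(caps map[string]bool) []string {
	var problems []string
	if !caps["SHA-256"] && !caps["SHA-512"] {
		problems = append(problems, "no SHA-256/SHA-512: requests would be signed with SHA-1")
	}
	if !caps["AES"] {
		problems = append(problems, "no AES: the enrollment envelope would use DES or 3DES")
	}
	if !caps["POSTPKIOperation"] {
		problems = append(problems, "no POSTPKIOperation: PKCS#7 requests must be base64-encoded into GET URLs")
	}
	if !caps["Renewal"] {
		problems = append(problems, "no Renewal: clients cannot renew by signing with their existing certificate")
	}
	return problems
}

// FetchCACaps performs the GetCACaps exchange against a live endpoint.
func FetchCACaps(server, caIdent string) (map[string]bool, error) {
	u, err := GetCACapsURL(server, caIdent)
	if err != nil {
		return nil, err
	}
	resp, err := http.Get(u)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GetCACaps returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return ParseCACaps(string(body)), nil
}

// newDemoServer stands in for an NDES host and answers GetCACaps with a
// constructed capability list, so the example runs offline.
func newDemoServer(capsBody string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("operation") != "GetCACaps" {
			http.Error(w, "unsupported operation", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		io.WriteString(w, capsBody)
	}))
}

func main() {
	srv := newDemoServer("POSTPKIOperation\nSHA-256\nAES\nRenewal\nSCEPStandard\n")
	defer srv.Close()
	caps, err := FetchCACaps(srv.URL+"/certsrv/mscep/mscep.dll", "")
	if err != nil {
		panic(err)
	}
	fmt.Println("up-to-date server:", CheckCACaps(caps))
	fmt.Println("legacy server:", CheckCACaps(ParseCACaps("POSTPKIOperation\nSHA-1\nDES3\n")))
}
```

Against a real NDES host, replace the demo server with the URL you intend to enter in the SCEP Servers form; a capability list without SHA-256 or AES is the signal to update the NDES configuration before enrolling clients through it.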

Local Certificate Authorities

Navigate to Smart Connect > Local Certificate Authorities and configure the following parameters to generate certificates internally.

  • Common Name - The IP address or fully qualified domain name (FQDN) of the FortiGuest. An FQDN must resolve correctly in DNS.

  • Organization - The name of your organization or company.

  • Organizational Unit (Section) - The name of the department or business unit that owns the device.

  • Locality (e.g. City) - The city where the server is located.

  • State or Province - The state or province where the server is located.

  • Country - Select the relevant country.

  • Maximum Lifetime in Days - The maximum validity period, in days, of any certificate issued by this CA.

  • Private Key Size (bits) - The minimum size of the private keys this CA generates. The smallest value the field accepts is 512 bits, but 512-bit RSA keys can be factored with modest resources and 1024-bit keys are no longer considered adequate; use 2048 bits or larger.
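To make the effect of the Maximum Lifetime and Private Key Size fields concrete, the following Go program is an added example and not FortiGuest's implementation: it builds a self-signed CA from the same subject fields the form asks for, issues an EAP-TLS client certificate whose requested lifetime is clamped to the CA maximum, refuses any key below the configured minimum, and then verifies the certificate the way a RADIUS server would during EAP-TLS. The type and field names, the hostname and the 2048-bit floor (stricter than the 512 bits the form accepts) are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalCAConfig mirrors the Local Certificate Authorities form; the names are this example's own.
type LocalCAConfig struct {
	CommonName, Organization, OrganizationalUnit, Locality, Province, Country string
	MaxLifetimeDays, MinKeyBits                                               int // validity cap in days; smallest RSA key generated or certified
}

type LocalCA struct {
	Cfg  LocalCAConfig
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// signCert gives tmpl an unpredictable 128-bit serial, signs it with priv under parent and parses the result.
func signCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	// If rand.Int fails the serial stays nil, which CreateCertificate rejects.
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewLocalCA generates the CA key pair and self-signed certificate; it refuses key sizes under 2048 bits.
func NewLocalCA(cfg LocalCAConfig) (*LocalCA, error) {
	if cfg.MinKeyBits < 2048 || cfg.MaxLifetimeDays <= 0 {
		return nil, fmt.Errorf("need MinKeyBits >= 2048 and MaxLifetimeDays > 0, got %d and %d", cfg.MinKeyBits, cfg.MaxLifetimeDays)
	}
	key, err := rsa.GenerateKey(rand.Reader, cfg.MinKeyBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: cfg.CommonName, Organization: []string{cfg.Organization}, OrganizationalUnit: []string{cfg.OrganizationalUnit},
			Locality: []string{cfg.Locality}, Province: []string{cfg.Province}, Country: []string{cfg.Country}},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &LocalCA{Cfg: cfg, Cert: cert, Key: key}, nil
}

// IssueClientCert signs an EAP-TLS client certificate for user, clamping the requested lifetime to
// MaxLifetimeDays and refusing keys shorter than MinKeyBits. The RADIUS server validates the supplicant
// as a TLS client, so clientAuth is the extended key usage that matters.
func (ca *LocalCA) IssueClientCert(user string, pub *rsa.PublicKey, requestedDays int) (*x509.Certificate, error) {
	if bits := pub.N.BitLen(); bits < ca.Cfg.MinKeyBits {
		return nil, fmt.Errorf("client key is %d bits, below the %d-bit minimum", bits, ca.Cfg.MinKeyBits)
	}
	days := requestedDays
	if days <= 0 || days > ca.Cfg.MaxLifetimeDays {
		days = ca.Cfg.MaxLifetimeDays
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: user, Organization: ca.Cert.Subject.Organization},
		NotBefore:   now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return signCert(tmpl, ca.Cert, pub, ca.Key)
}

// VerifyClientCert does what the RADIUS side does in EAP-TLS: chain to this CA and require clientAuth.
func (ca *LocalCA) VerifyClientCert(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, err := NewLocalCA(LocalCAConfig{CommonName: "fortiguest.example.com", Organization: "Example Corp", OrganizationalUnit: "IT",
		Locality: "Sunnyvale", Province: "California", Country: "US", MaxLifetimeDays: 365, MinKeyBits: 2048}) // constructed sample values
	if err != nil {
		panic(err)
	}
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, err := ca.IssueClientCert("alice@example.com", &userKey.PublicKey, 3650) // asks for 10 years, gets 365 days
	if err != nil {
		panic(err)
	}
	fmt.Println("valid for", cert.NotAfter.Sub(cert.NotBefore), "- chain check:", ca.VerifyClientCert(cert))
}
```

The clamp in IssueClientCert is the behaviour the Maximum Lifetime field describes; the key-size refusal is what a sensible floor for the Private Key Size field buys you, since a CA that certifies a 512-bit key has signed something an attacker can factor and then use to impersonate that user over EAP-TLS.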
