Purpose
Scope
Diagram
Expectations, Requirements
Configuration
Verification
Troubleshooting
This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and discusses deployment steps.
Scope
Authenticated wireless access design based on Extensible Authentication Protocol – Transport Level Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS provides stronger security than secure password authentication that is based on user credentials (user name and password) to authenticate wireless access clients.
Diagram
Expectations, Requirements
Ability to achieve a secure reliable and convenient environment for the end user as they do not need to enter any username or password.
Configuration
- Server side configuration
Configure the radius client on the server:
Connection request Policy “Overview”:
Configure the connection request Policy conditions:
Configure the connection request Policy Settings
Network policies Overview:
Configure the connection Networks Policy Conditions
Configure the Networks Policy Constraints
Configure the Networks Policy settings:
Configure the Networks Policy VSA (vendor ID 12356)
- FortiGate :
Configure
the radius server on the
FortiGate
Test
the connection (be aware that you are testing radius connectivity and
not the
user authentication so you can type
anything)
As you can see you may have a success but in the event log of the server you can also see an authentication failure which will also result on a success window on FortiGate as this is only radius connectivity validation
Configure Wireless SSID (one ”secure_cert_srv_access” wpa2_psk or wpa_PEAP ent for secure access to the certificate server and one “EAP TLS” secure access)
Allow the connection from wireless to the remote cert server using the FortiGate Policies:
Create the EAP-TLS Policy. Here you can also use as a source the eaptls group that is sent by the server through the VSA.
Connect the client to the “secure_cert_srv_access” SSID
Connect to your certificate authority using the username credential and use the following process for User cert and ROOT CA download and install.
http://<ip of the cert srv>/certsrv
http://10.5.57.106/certsrv in the this example
On the FortiGate you will see the user logged in
Wireless Client Monitor
Alternative way of cert deployment
In some cases the import of the user certificate might not work properly
If not, it is advised to generate the certificate on a PC and export it to the smartphone
First open Firefox browser (advices one for the external cert repository)
Click to select user certificate
Select the Grade of the certificate.
Personal certificate installation confirmation
Go inside the cert repository and export the newly installed certificate
Export password
Inject the certificate in the SD of the smartphone
Select the file manager app in your smartphone
certificate install success
Select the name of the certificate and the usage
Verification
A successful connection verification can be seen using the CLI:
# diagnose wireless-controller wlac -d sta
vf=0 wtp=2 rId=2 wlan=EAP_TLS vlan_id=0 ip=2.3.4.7 mac=x:y:z:a:b:c:d vci= host=iPhone user=wifi@bond.wifilab.net group=eaptlsgrp signal=-48 noise=-95 idle=18 bw=0 use=4 chan=60 radio_type=11AC security=wpa2_only_enterprise encrypt=aes cp_authed=no online=yes mimo=2
Troubleshooting
If there are issues they are most likely to be on the server side.
The starting point may be to reinstall the Network policies as well as the Connection request policies. The following article from Microsoft may be of help https://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
The starting point may be to reinstall the Network policies as well as the Connection request policies. The following article from Microsoft may be of help https://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
