Description
This article describes how to install a new certificate when the Fortinet_Wifi certificate has expired.
The FortiOS built-in certificate Fortinet_Wifi expires on May 24, 2019. On devices running FortiOS 5.6 or earlier, the expired certificate can cause wireless authentication failures.
This may affect all FortiGate and FortiWiFi devices that use SSIDs with WPA2 Enterprise authentication and local user groups to authenticate WiFi clients.
SSID configuration example:
From the GUI
From the CLI:
Fortinet_Wifi # get system status
Version: FortiWiFi-61E v5.6.9,build1673,190513 (GA)

Fortinet_Wifi # show wireless-controller vap wifi
config wireless-controller vap
    edit "wifi"
        set vdom "root"
        set ssid "CertTest-WPA2"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "LOCALS"
        set schedule "always"
    next
end

Fortinet_Wifi # show user group LOCALS
config user group
    edit "LOCALS"
        set member "userlocal"
    next
end

Fortinet_Wifi # show user local userlocal
config user local
    edit "userlocal"
        set type password
        set passwd-time 2019-05-19 06:51:10
        set passwd ENC AmbnT416FswGb1me/sdLbivJ+oCg1QGmrLJToQVJEPJGbdIp8cx8Oheg7/j4UXVh4LFRS6viSbJfY93zKOUybUi1GQIJN9Sk4DDJnlu406kygucIu7HW2jRPfBquQV6L8MIRLf5ZHUt25YoaQ0cP+zfJOO7BWCAzgxI6gJR+BNVFBYG8aeWPCpHm+P3sG2K1OD5WEg==
    next
end
Certificate validity can be checked from the GUI, provided that the certificate view is enabled:
System → Certificates → Fortinet_Wifi
Any FortiGate whose "Fortinet_Wifi" certificate shows an expiry date of 2019-05-24 could be affected.
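As an added example, not part of the Fortinet article, the following POSIX shell functions perform the same expiry check offline on a certificate exported from the FortiGate (for instance the Fortinet_Wifi certificate downloaded from System → Certificates). It assumes openssl is installed and the file is in PEM format; the 30-day warning window is a chosen renewal lead time, not a Fortinet value.

```shell
#!/bin/sh
# Added example: offline expiry check for a PEM certificate exported from a
# FortiGate. Not Fortinet code; assumes the openssl CLI is available.

# Print the notAfter date of a PEM certificate, e.g. "May 24 00:00:00 2019 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate is already expired or expires within the next
# $2 seconds, 1 otherwise. openssl's -checkend does the date arithmetic, so the
# check behaves the same on GNU and BSD userlands without parsing dates.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expired, or expiring inside the window
}

# Report on one certificate with a 30-day renewal window (assumed lead time).
# Exit status 1 means "act now", so it can drive a monitoring job directly.
check_wifi_cert() {
    file=$1
    window=$((30 * 24 * 3600))
    if cert_expires_within "$file" "$window"; then
        echo "WARNING: $file expires on $(cert_not_after "$file"); WPA2 Enterprise authentication will fail once it is expired"
        return 1
    fi
    echo "OK: $file valid until $(cert_not_after "$file")"
    return 0
}
```

Run it as `check_wifi_cert Fortinet_Wifi.pem` after exporting the certificate from the GUI; a non-zero exit status means the certificate needs replacing under Option 1 or Option 2 below.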
Scope
Possibly affected products:
Any FortiGate model running FortiOS 5.6 or earlier.
FortiWiFi devices using the internal WiFi radio, and FortiGate/FortiWiFi devices configured as wireless controllers managing FortiAPs, whenever users authenticate with WPA2 Enterprise against local users.
Solution
There are several options to avoid the impact of the certificate expiry.
Option 1: Create a new certificate
1) Create a new certificate as shown in the example below.
Then have the certificate signed as an intermediate (non-signing) CA certificate by your own CA or a third-party CA.
Further details can be found on the Fortinet documentation site here.
Option 2: Upgrade to the latest FortiOS firmware
Starting with FortiOS 6.0.1, the "Fortinet_Wifi" certificate is updated periodically and automatically through FortiGuard, so it no longer needs to be replaced by hand.
Technical Support Contact Information can be found here.
Fortinet Technical Support home page can be found here.