Port-based Network Access Control
Port-based Network Access Control (PNAC), or 802.1X, authentication requires a client, an authenticator, and an authentication server (such as a FortiAuthenticator device).
The client is a device that wants to connect to the network. The authenticator is simply a network device, such as a wireless access point or switch. The authentication server is usually a host that supports the RADIUS and EAP protocols.
The client is not allowed access to the network until the client’s identity has been validated and authorized. Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator forwards to the authentication server for verification. If the authentication server determines that the credentials are valid, the client device is allowed access to the network.
FortiAuthenticator supports several IEEE 802.1X EAP methods.
EAP
The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.
EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.
The FortiAuthenticator unit supports the following EAP methods:
| Method | Server Auth | Client Auth | Encryption | Native OS Support |
|---|---|---|---|---|
| PEAP (MSCHAPv2) | Yes | Yes | Yes | Windows XP, Vista, 7 |
| EAP-TTLS | Yes | No | Yes | Windows Vista, 7 |
| EAP-TLS | Yes | Yes | Yes | Windows (XP, 7), Mac OS X, iOS, Linux, Android |
| EAP-GTC | Yes | Yes | Yes | None (external supplicant required) |
In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.
For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication > User Management > Local Users (see Local users on page 58), and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service on page 91) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.
The FortiAuthenticator unit and EAP
A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:
- Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 132.
- Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.
FortiAuthenticator unit configuration
To configure the FortiAuthenticator unit, you need to:
1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities on page 140.
   Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs on page 147.
2. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities on page 133.
3. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP on page 102.
4. If SCEP will be used:
   - Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services on page 46.
   - Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP on page 147.
5. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP on page 88.
6. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users on page 65.
7. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service on page 91.
Configuring certificates for EAP
The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.
1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs on page 147.
2. Go to Authentication > RADIUS Service > EAP.
3. Select the EAP server certificate from the EAP Server Certificate drop-down list.
4. Select the trusted CAs and local CAs to use for EAP authentication from their respective lists.
5. Select OK to apply the settings.
Configuring switches and wireless controllers to use 802.1X authentication
The 802.1X configuration will be largely vendor dependent. The key requirements are:
- RADIUS Server IP: the IP address of the FortiAuthenticator unit.
- Key: the preshared secret configured in the FortiAuthenticator authentication client settings.
- Authentication Port: by default, FortiAuthenticator listens for authentication requests on port 1812.
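The shared key above is what ties the switch or wireless controller to FortiAuthenticator at the RADIUS layer: every Access-Request that carries EAP must include a Message-Authenticator computed with it (RFC 3579), and the server drops requests whose value does not verify. The following added example, written for this page and not taken from Fortinet's code, builds such a request for an EAP Identity response and shows the server-side check; the secret, username and identifier values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                      # RADIUS code (RFC 2865)
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return bytes([attr_type, len(value) + 2]) + value

def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (Code 2, Type 1): the supplicant's first EAP message."""
    payload = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(payload)) + payload

def build_access_request(secret, identifier, username, eap_payload, request_authenticator=None):
    """Authenticator side: Access-Request carrying EAP-Message plus a
    Message-Authenticator keyed with the shared secret (required by RFC 3579)."""
    request_authenticator = request_authenticator or os.urandom(16)
    # Message-Authenticator goes last, so its 16-byte value is the packet tail.
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_EAP_MESSAGE, eap_payload)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_attributes(packet):
    """Yield (type, value, value_offset) for each attribute; stop at a malformed one."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return
        yield attr_type, packet[pos + 2:pos + length], pos + 2
        pos += length

def verify_message_authenticator(secret, packet):
    """Server side: recompute HMAC-MD5 with the attribute zeroed, compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, value, off in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an EAP request without Message-Authenticator is rejected
```

A mismatched key on either side fails this check before any EAP method runs, which is the first thing to confirm when a new authenticator cannot get past 802.1X.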
Device self-enrollment
Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It is primarily used in enabling EAP-TLS for BYOD. For example:
- A user brings their tablet to a BYOD organization.
- They log in to the FortiAuthenticator unit and create a certificate for the device.
- With their certificate, username, and password they can authenticate to gain access to the wireless network.
- Without the certificate, they are unable to access the network.
To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable user device certificate self-enrollment.
| Setting | Description |
|---|---|
| SCEP enrollment template | Select a SCEP enrollment template from the drop-down list. SCEP can be configured in Certificate Management > SCEP. See SCEP on page 147 for more information. |
| Max. devices | Set the maximum number of devices that a user can self-enroll. |
| Key size | Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits). iOS devices only support two key sizes: 1024 and 2048. |
| Enable self-enrollment for Smart Card certificate | Select to enable self-enrollment for smart card certificates. This requires that a DNS domain name be configured, as it is used in the CRL Distribution Points (CDPs) certificate extension. |
Select OK to apply any changes you have made.
Non-compliant devices
802.1X methods require interactive entry of user credentials to prove a user’s identity before allowing them access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using their MAC address as authentication.
This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is supported by configuring the MAC address as a standard user, with the MAC address as both the username and password, and not by entering it in the MAC Devices section.
Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses (0123456789AB or 01:23:45:67:89:AB).
To configure MAC-based authentication for a device:
1. Go to Authentication > User Management > MAC Devices. The MAC device list will be shown.
2. If you are adding a new device, select Create New to open the Create New MAC-based Authentication Device window. If you are editing an existing device, select the device from the device list.
3. Enter the device name in the Name field, and enter the device’s MAC address in the MAC address field.
4. Select OK to apply your changes.
To import MAC devices:
1. In the MAC device list, select Import.
2. Select Browse to locate the CSV file on your computer.
3. Select OK to import the list.
The import will fail if the maximum number of MAC devices has already been reached, or if any of the information contained within the file does not conform, for example if a device name is too long or a MAC address is incorrectly formatted.