Wired 802.1x EAP-TLS with computer authentication


In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS with computer authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. The FortiAuthenticator will authenticate user interaction using the domain computer and client certificate (no username or password).

The example includes a native Windows 7 supplicant and a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch as per the FortiAuthenticator RADIUS attributes.

1. Active Directory prerequisites

Key considerations:

  • computers must exist in AD Groups that correspond with their VLAN
  • dNSHostName attribute for the username

2. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If client certificates were not created by FortiAuthenticator, the 3rd-party server certificate would be uploaded on to FortiAuthenticator as a Trusted CA.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

3. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap In.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

4. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that Username attribute matches the entry in the AD configuration in Step 1.

Go to Authentication > User Management > Realms and create a new realm for these users.

5. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

6. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

7. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

8. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool address-range low
set system services dhcp pool address-range high
set system services dhcp pool domain-name fortiad.net
set system services dhcp pool name-server
set system services dhcp pool router
set system services dhcp pool server-identifier
set interfaces ge-0/0/1 unit 0 family ethernet-switching #windows 7 machine port, no VLAN assigned, will be allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address
set interfaces vlan unit 10 family inet address
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single #802.1x configuration requiring supplicant
set access radius-server secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

9. Results

The authentication flow should initiate as soon as the wired computer starts up (while connected to the domain).

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host -nnvvXs):

02:18:48.572998 IP (tos 0x0, ttl 64, id 32483, offset 0, flags [none], proto UDP (17), length 203) > [udp sum ok] RADIUS. length: 175 
    Access-Request (1), id: 0x4d, Authenticator: 27e45f0edbfa7026318d583ccf915776 
      User-Name Attribute (11. length: 23. Value: host/leno.fortiad.net 
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74 
      NAS-Port Attribute (5), length: 6, Value: 71 
        0x0000: 0000 0047 
      EAP-Message Attribute (79), length: 28, Value: . 
        0x0000: 0200 001a 0168 6f73 742f 6c65 6e6f 2e66 
        0x0010: 6f72 7469 6164 2e6e 6574 
      Message-Authenticator Attribute (80), length: 18, Value: ...0S2 ....... .M
        0x0000: b60f 874f 5332 c9a7 e2f5 d90e 8c20 e64d 
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa00370003dd64 
        0x0000: 384f 322e 3178 3831 6661 3030 3337 3030 
        0x0010: 3033 6464 3634 
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0 
        0x0000: 6765 2d30 2f30 2f31 2e30 
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-ft-a0 
        0x0000: 3030 2d32 322d 3638 2d31 612d 6631 2d61 
        0x0010: 30 
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80 
        0x0000: 6138 2d64 302d 6535 2d62 302d 3231 2d38 
        0x0010: 30 
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 
        0x0000: 0000 000f 

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

02:18:48.578465 IP (tos 0x0, ttl 64, id 29725, offset 0, flags [none], proto UDP (17), length 108) > [bad udp cksum 0x18a3 -> 0x7f96!] RADIUS, length: 80 
    Access-Challenge (11), id: 0x4d, Authenticator: 8140836b0192a5ef12630d4d049d05e6 
      EAP-Message Attribute (79), length: 24, Value: .. 
        0x0000: 0101 0016 0410 bc6b 992d bbfc 141f 3bbl 
        0x0010: 1908 2978 2030 
      Message-Authenticator Attribute (80), length: 18, Value: .#...:&%N.z.7...
        0x0000: dc23 d299 Of3a 2625 4eed 7a9c 37d9 ef97 
      State Attribute (24), length: 18, Value: ........ ...m.q. 
        0x0000: c2lb 819c c2la 85b8 20c3 b2b7 6dla 71d6 

Access-Accept message with RADIUS attributes are returned to the Switch:

02:18:48.919099 IP (tos Ox0, ttl 64, id 29732, offset 0, flags [none], proto UDP (17), length 236) > [bad udp cksum 0x1923 -> Oxae5a!] RADIUS, length: 208 
    Access-Accept (2), id: 0x54, Authenticator: 668c7cbb00d96161c278906918ce2291 
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311) 
        Vendor Attribute: 17, Length: 50, Value: .p<.6..A [y)..E)......Y..(..P...Xd@..aB.k. 
        0x0000: 0000 0137 1134 f270 3cbf 360b 1d41 f5e5 
        0x0010: c87f e8eb b9e9 955b 7929 0915 4529 fa92
        0x0020: 8c02 Ofec 59a0 e528 889e 50b9 f506 5864 
        0x0030: 4018 ff61 429a 6bb8 
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: ..G......Q...............x.=xA/......i.r..a.%R.^.. 
        0x0000: 0000 0137 1034 ff86 47fc 00f1 99d9 cc51 
        0x0010: fclf 1ae2 b9e3 00a7 1ec9 baf4 031d fa78 
        0x0020: 8d3d 7841 2114 0313 a2e8 9e69 dc72 efed 
        0x0030: 61b2 2552 995e fbf4 
      EAP-Message Attribute (79), length: 6, Value: .. 
        0x0000: 0307 0004 
      Message-Authenticator Attribute (80), length: 18, Value: .8............30 
        0x0000: 0438 c613 8719 caa2 eaf0 a106 ffb4 3330 
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net 
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74 
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13 
        0x0000: 0000 000d 
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802 
        0x0000: 0000 0006 
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering 
        0x0000: 656e 6769 6e65 6572 696e 67

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

02:18:52.384838 IP (tos Ox0, ttl 1, id 32640, offset 0, flags [none], proto UDP (17), length 328) > [udp sum ok] BOOTP/DHCP, Reply, length 300, xid Oxf79d54fa, Flags [Broadcast] (0x8000)
    Client-Ethernet-Address 00:22:68:1a:fl:a0 
    Vendor-rfc1048 Extensions 
      Magic Cookie 0x63825363 
      DHCP-Message Option 53, length 1: ACK 
      Server-ID Option 54, length 4: 
      Lease-Time Option 51, length 4: 86400 
      Subnet-Mask Option 1, length 4: 
      Default-Gateway Option 3, length 4: 
      Domain-Name-Server Option 6, length 4: 
      Domain-Name Option 15, length 11: "fortiad.net" 

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

The Switch CLI shows a successful dot1x session:

root# run show dotlx interface ge-0/0/1.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/1.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    host/leno.fortiad.net

The Domain Computer interface is dynamically placed into the correct VLAN:

root# run show vlans
Name          Tag           Interfaces
                            ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, 
engineering   10
                            ge-0/0/1.0*, ge-0/0/11.0*

And the domain computer shows as available on the network:

root# run show arp interface vlan.10 
MAC Address        Address        Name         Interface    Flags
00:0c:29:5b:90:68    vlan.10      none
98:b8:e3:a0:c6:lb   vlan.10      none
b8:78:2e:38:3e:28   vlan.10      none
00:22:68:1a:f1:a0   vlan.10      none
54:e4:3a:d5:16:a0   vian.l0      none 
Total entries: 5 

root# run ping
PING ( 56 data bytes
54 bytes from icmp_seq=0 tt1=128 time=4.651 ms
54 bytes from icmp_seq-1 ttl-128 time-2.385 ms

--- ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms 
Note that to view certificates in the local machine store, you must be in the Administrator role.
If the Authentication tab is not visible under your LAN properties then you may need to configure the Wired AutoConfig service to automatically start.
This rule automatically imports computers in the AD Group VLAN10 into the FortiAuthenticator User Group VLAN10.
Users/computers should be visible under Remote Users. Certificate bindings must be manually completed.
Certificate CN has to match the Remote User Computer Name.