Wired 802.1x EAP-TLS with user authentication


In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS with user authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. 

The example includes an Odyssey supplicant and a third-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch, driven by the RADIUS attributes that FortiAuthenticator returns.

1. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates are issued by a third-party CA rather than by FortiAuthenticator, upload that CA's certificate to FortiAuthenticator as a Trusted CA so the client certificates can be validated.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the user's sAMAccountName.

Export the certificate and its private key as a PKCS#12 file, and protect the file with a passphrase.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

2. Manually importing the client certificate – Windows 7

Manual import can be completed using the Microsoft Management Console (MMC).

Open Command Prompt, type mmc, and press Enter.

On the File menu, click Add/Remove Snap-in, add the Certificates snap-in for the computer account, and import the PKCS#12 file.

Once imported, the certificate should appear under Certificates (Local Computer), not under Current User.

Export the FortiAuthenticator Root CA certificate and import it under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

3. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that the Username attribute matches the attribute used in the AD configuration (sAMAccountName).

Go to Authentication > User Management > Realms and create a new realm for these users.

4. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown (the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes that appear in the Access-Accept in the Results section; these drive the dynamic VLAN assignment on the switch).

The group populates automatically from the Remote User Sync Rule configured in the next step.

5. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

6. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

7. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool address-range low
set system services dhcp pool address-range high
set system services dhcp pool domain-name fortiad.net
set system services dhcp pool name-server
set system services dhcp pool router
set system services dhcp pool server-identifier
set interfaces ge-0/0/1 unit 0 family ethernet-switching #odyssey machine port, no VLAN assigned, will be allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address
set interfaces vlan unit 10 family inet address
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single #802.1x configuration requiring supplicant
set access radius-server secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

8. Results

In the Odyssey Access Client Manager, click Connect to the network. Once connected, the Status should read open and authenticated.

The authentication flow starts as soon as the supplicant attempts to connect (while the machine is joined to the domain).

Using tcpdump on FortiAuthenticator, the incoming Access-Request from the switch is visible (tcpdump host -nnvvXs):

16:10:25.051118 IP (tos 0x0, ttl 64, id 22102, offset 0, flags [none], proto UDP (17), length 169) > [udp sum ok] RADIUS, length: 141
    Access-Request (1), id: 0x18, Authenticator: 4c69f617666fcdaadbcdb14700c57551
      User-Name Attribute (1), length: 6, Value: kash
        0x0000: 6b61 7368
      NAS-Port Attribute (5), length: 6, Value: 71
        0x0000: 0000 0047
      EAP-Message Attribute (79), length: 11, Value: .A
        0x0000: 0241 0009 016b 6173 68
      Message-Authenticator Attribute (80), length: 18, Value: ..C....- .....o.>
        0x0000: 8a86 43bf a7d9 8a2d 8cef e0bf 036f 9f3e
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fb00610008e3c1
        0x0000: 384f 322e 3178 3831 6662 3030 3631 3030
        0x0010: 3038 6533 6331
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0
        0x0000: 6765 2d30 2f30 2f31 2e30
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
        0x0000: 3030 2d32 322d 3638 2d31 612d 6631 2d61
        0x0010: 30
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
        0x0000: 6138 2d64 302d 6535 2d62 302d 3231 2d38
        0x0010: 30
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
        0x0000: 0000 000f

Continuing with tcpdump, an Access-Challenge is issued from FortiAuthenticator to the switch:

16:10:25.057286 IP (tos 0x0, ttl 64, id 50545, offset 0, flags [none], proto UDP (17), length 108) > [bad udp cksum 0x18a3 -> 0x0722!] RADIUS, length: 80
    Access-Challenge (11), id: 0x18, Authenticator: f0a3636e1b2ddf8b76f96239feece6bb
      EAP-Message Attribute (79), length: 24, Value: .B
        0x0000: 0142 0016 0410 87a4 a938 54dd 43b6 9ff4
        0x0010: 7ddc b515 1591
      Message-Authenticator Attribute (80), length: 18, Value: ..mu.l..0..o.ht.
        0x0000: 0f09 6d75 e76c 87c3 30f3 b76f f368 74e3
      State Attribute (24), length: 18, Value: s...s...L@..._K.
        0x0000: 73de c494 739c c01f 4c40 c6ce 815f 4bd5

The next 14 messages are Challenge/Request EAP exchanges between FortiAuthenticator and the switch (the switch relays them to the supplicant over EAPOL).

Finally, an Access-Accept carrying the RADIUS attributes is returned to the switch:

16:10:25.479480 IP (tos 0x0, ttl 64, id 50552, offset 0, flags [none], proto UDP (17), length 219) > [bad udp cksum 0x1912 -> 0xef88!] RADIUS, length: 191
    Access-Accept (2), id: 0x1f, Authenticator: 5b463667865b7dacf8a742aea5424f20
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 17, Length: 50, Value: ......3.y.3..T.1z..[m..W. .c. Zv a rpa.z
        0x0000: 0000 0137 1134 831d 27be +0af 4aae 7990
        0x0010: 33da 0954 b631 7ad7 e15b 6dd4 8557 83cb
        0x0020: a83c f4e0 155a 76fd dd61 c7f5 fd0a d8d1
        0x0030: 08e8 eb72 7061 b27a
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: ..^D0b...z..9:e+....]+2X . / WF ..... 4..K...Pt.
        0x0000: 0000 0137 1034 8f91 5e44 4f62 9d7f f513
        0x0010: 7abb 942a 213a 652b 0fc5 b488 5d2b 3258
        0x0020: ce3a ded5 dd2f d757 4698 9a94 b205 34a2
        0x0030: ed4b 83bb a250 74f6
      EAP-Message Attribute (79), length: 6, Value: .H
        0x0000: 0348 0004
      Message-Authenticator Attribute (80), length: 18, Value: .".Z.T..X....@.
        0x0000: ca22 aa5a f354 17bc 58dc ccd7 cf40 7fb4
      User-Name Attribute (1), length: 6, Value: kash
        0x0000: 6b61 7368
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
        0x0000: 0000 000d
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
        0x0000: 0000 0006
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000: 656e 6769 6e65 6572 696e 67

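To show what the switch has to do with the Access-Accept above, here is an added example (not part of the original recipe and not FortiAuthenticator's or Juniper's code) that rebuilds the same attributes in Python, extracts the dynamic VLAN while handling the RFC 2868 tag octet, and verifies the Message-Authenticator as RFC 3579 requires. The shared secret and the Request Authenticator are constructed placeholders, and the MS-MPPE vendor attributes are omitted.

```python
import hashlib, hmac

# Attribute types present in the Access-Accept captured above (RFC 2865, 2868, 3579)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TUNNEL_TYPE_VLAN, MEDIUM_802 = 2, 13, 6

def parse_avps(packet):
    """Return (type, offset_of_value, value) per attribute, rejecting bad lengths."""
    i, avps = 20, []
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        t, l = packet[i], packet[i + 1]
        avps.append((t, i + 2, packet[i + 2:i + l]))
        i += l
    return avps
def tunnel_int(value):  # tagged integer: tag octet then 3-octet value (0000 000d -> 13)
    return int.from_bytes(value[1:4], "big")
def tunnel_str(value):  # tag octet only if first octet <= 0x1F; 'e' (0x65) is not one
    return value[1:] if value and value[0] <= 0x1F else value
def dynamic_vlan(packet):
    """VLAN name the switch should apply, or None unless Tunnel-Type=VLAN and Medium=802."""
    attrs = {t: v for t, _, v in parse_avps(packet)}
    ok = (tunnel_int(attrs.get(TUNNEL_TYPE, bytes(4))) == TUNNEL_TYPE_VLAN
          and tunnel_int(attrs.get(TUNNEL_MEDIUM_TYPE, bytes(4))) == MEDIUM_802)
    gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    return tunnel_str(gid).decode("ascii") if ok and gid is not None else None
def message_authenticator_ok(packet, request_authenticator, secret):
    """RFC 3579 check the switch must perform: HMAC-MD5 over the packet with the
    Authenticator field set to the Request Authenticator and this value zeroed."""
    for t, off, value in parse_avps(packet):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            scratch = bytearray(packet)
            scratch[4:20] = request_authenticator
            scratch[off:off + 16] = bytes(16)
            return hmac.compare_digest(hmac.new(secret, scratch, hashlib.md5).digest(), value)
    return False  # an EAP response without Message-Authenticator must be discarded

def build_access_accept(req_auth, secret, vlan=b"engineering"):
    """Constructed Access-Accept with the page's attributes (MS-MPPE key VSAs omitted)."""
    body = bytes([USER_NAME, 6]) + b"kash" + bytes([EAP_MESSAGE, 6]) + bytes.fromhex("03480004")
    body += bytes([TUNNEL_TYPE, 6, 0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    body += bytes([TUNNEL_MEDIUM_TYPE, 6, 0]) + MEDIUM_802.to_bytes(3, "big")
    body += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(vlan)]) + vlan
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # last attribute, filled below
    hdr = bytes([ACCESS_ACCEPT, 0x1F]) + (20 + len(body)).to_bytes(2, "big")
    pkt = bytearray(hdr + req_auth + body)
    pkt[-16:] = hmac.new(secret, pkt, hashlib.md5).digest()  # keyed over the Request Authenticator
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()  # Response Authenticator (RFC 2865)
    return bytes(pkt)
```

A switch that skips the Message-Authenticator check would accept a spoofed Access-Accept from anyone who can reach it on UDP/1812, so the verification is not optional when EAP-Message is present.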
The post-authentication DHCP transaction is also picked up by FortiAuthenticator (tcpdump continued):

16:10:25.569855 IP (tos 0x0, ttl 1, id 22153, offset 0, flags [none], proto UDP (17), length 328) > [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x91fced0e, Flags [Broadcast] (0x8000)
    Client-Ethernet-Address 00:22:68:1a:f1:a0
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4:
      Lease-Time Option 51, length 4: 86400
      Subnet-Mask Option 1, length 4:
      Default-Gateway Option 3, length 4:
      Domain-Name-Server Option 6, length 4:
      Domain-Name Option 15, length 11: "fortiad.net" 

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

The Switch CLI shows a successful dot1x session:

root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/1.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    kash

The Domain Computer interface is dynamically placed into the correct VLAN:

root# run show vlans
Name          Tag           Interfaces
                            ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, 
engineering   10
                            ge-0/0/1.0*, ge-0/0/11.0*

And the domain computer shows as available on the network:

root# run show arp interface vlan.10 
MAC Address          Address        Name         Interface    Flags
00:0c:29:5b:90:68                                 vlan.10      none
98:b8:e3:a0:c6:1b                                 vlan.10      none
b8:78:2e:38:3e:28                                 vlan.10      none
00:22:68:1a:f1:a0                                 vlan.10      none
54:e4:3a:d5:16:a0                                 vlan.10      none
Total entries: 5

root# run ping
PING ( 56 data bytes
54 bytes from icmp_seq=0 ttl=128 time=4.651 ms
54 bytes from icmp_seq=1 ttl=128 time=2.385 ms

--- ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms

Notes

Step 2: To view certificates in the local machine store, you must be in the Administrator role.

Step 2: If the Authentication tab is not visible under your LAN properties, you may need to configure the Wired AutoConfig service to start automatically.

Step 5: This rule automatically imports computers in the AD group VLAN10 into the FortiAuthenticator user group VLAN10.

Step 5: Users/computers should be visible under Remote Users. Certificate bindings must be completed manually.

Step 5: The certificate CN has to match the Remote User computer name.