FortiAuthenticator: SCEP Issue

Author: achraf.harkati@os4techno.com
2017/11/29 02:08:48

Hi All,
 
I'm wondering if anyone has used FortiAuthenticator to perform BYOD?
I'm testing FAC 5.1.2 in a lab environment to authenticate WiFi users using EAP-TLS. The FAC has a CA certificate configured (signed by a Win2016 root CA), and I'm stuck at getting devices self-enrolled to obtain a certificate that they can use for EAP-TLS.
I've enabled Device Self-enrollment using the CA Certificate Template (the SCEP request is configured using a wildcard).
At the moment, I'm unable to enroll a client device on the URL https://FAC-IP/cert/scep. I'm getting the following error in the browser: "operation" parameter is required
 
I've also tried HTTP (enabled HTTP on the interface) instead of HTTPS and keep getting the same error.
 
Has anyone faced the same problem before?
Has anyone successfully got device self-enrollment working on FAC using SCEP?
Does FAC provide an onboarding portal similar to other products such as Aruba ClearPass?
 
Your help will be very much appreciated.
 
Achraf.

xsilver_FTNT
Re: FortiAuthenticator: SCEP Issue 2017/12/01 01:46:42
Hi,
 
"At the moment, I'm unable to enroll a client device on the url : https://FAC-IP/cert/scep . I'm getting the following error on the Browser : "operation" parameter is required"
 
That's because the URL is not intended to be used for human interaction and manual enrollment.
It is for SCEP enrollment (a SCEP, PKCS-packed CSR [Certificate Signing Request] is expected as input), therefore you are getting that error as you haven't sent your GET with the appropriate data.
If you do, for example, new cert generation via CSR and choose SCEP as the signing method from FGT, then it will send PKCS-encrypted data to FAC via this URL (you have to specify it in FGT).
Then FAC will check the CSR against the SCEP Enrollment Request rules and process it accordingly (auto-enroll / wait for admin enrollment / reject, basically).
 
Kind regards,
Tomas

achraf.harkati@os4techno.com
Re: FortiAuthenticator: SCEP Issue 2017/12/01 02:48:36
Thanks Tomas for the clarifications.
I confirm FGT can make SCEP requests using that URL and it works fine, since a CSR is included with the request.
My goal is to have this certificate installed on a user laptop and use it for EAP-TLS authentication. When I create a user certificate and install it manually on a user laptop, everything (EAP-TLS auth) works fine as well.
Now, does FAC provide a portal that users can go to and make a certificate request that they can use for EAP-TLS?
If yes, do you have the URL?
If not, what is the purpose of the claimed "Device Self-Registration"? All Fortinet documentation outlines the steps to configure "Device Self-Registration" but does not go further and explain how we can take advantage of this feature from a user perspective. Note that the FAC documentation explains the Guest "User Self-Registration" steps very well.
Bottom line, can we do BYOD device onboarding like other vendors do?
 
Thanks again for your help.
Regards.
 
Achraf.

mikebutash
Re: FortiAuthenticator: SCEP Issue 2018/09/12 22:52:36
I am interested in the answer to this as well, if there was one. I'm working with Authenticator for a customer right now as well as a POC, and would like to see if this works nicely with various other vendor kit/software. SCEP with standard devices like routers/firewalls, any SCEP client basically (outside Authenticator, with human interaction), is ideal.

tedauction
Re: FortiAuthenticator: SCEP Issue 2019/06/17 17:04:43
I am also looking for an answer on this.
Specifically, has anyone got FAC SCEP working with Google MDM?