fjulianom
New Contributor III

EAP Termination in FortiAPs?

Hi guys,

I wonder how FortiAPs handle the EAP-PEAP authentication with RADIUS. In EAP-PEAP authentication, first the RADIUS server authenticates against the user by sending a certificate to him, and then the user authenticates with his username and password against the RADIUS server.

I am new to FortiAPs, but other vendors, such as Aruba, have a feature called AP termination or EAP offload. With EAP offload disabled, the RADIUS server sends a certificate to the user in order to authenticate itself and then the user authenticates with his credentials. But when the RADIUS server doesn't have a certificate for authenticating or you don't want to use that certificate for any reason, you can enable EAP offload. When enabled, the AP itself acts as the authentication server: the AP terminates the outer layers of the EAP protocol, only relaying the innermost layer (credentials) to the external RADIUS server. This feature can be enabled or disabled with just a click. But I don't see this feature in the FortiGate GUI, so I don't know if FortiAPs can act as the authentication server, if they cannot, or if there is some default. Can you help me?

Regards,

Julián

2 REPLIES
fjulianom
New Contributor III

Hi,

Any idea?

Regards,

Julián

tanr
Valued Contributor II

I don't have an answer for you, but such EAP termination sounds useful.  If you don't get an answer here I'd contact Fortinet directly.
