Correct me if I’m wrong please. I may have mixed terminology so apologies.
I was told that in order to accomplish wifi 802.1x auth with Entra, I would need to add FortiAuthenticator, but I wanted to understand why exactly. What does FortiAuthenticator do that FG doesn’t do already?
I haven’t had much experience with FortiAuthenticator, hope you guys can help me understand the use case.
What else do you use FAuth for? What cool functionality does it have, that is not just LDAP, RADIUS?
There does not exist a standardized way to integrate 802.1x with SAML. Any implementation will therefore be custom/proprietary by definition.
wifi 802.1x auth with entra, I would require to add FortiAuthenticator
This statement needs to be followed by more details, because at a surface level it’s just not possible.
What’s usually done is two separate processes:
1: Authenticate with <whatever you want, e.g. SAML> to some portal/api that provisions a client-certificate for you.
2: Use this certificate for EAP-TLS authentication.
Does that mean you’re now using SAML/Entra for 802.1x? Up to you to decide. (I say “no”. Feel free to call it Entra-integrated, or whatever your SAML IdP is, but this is not “802.1x with SAML”.)
You can use SAML for VPN because the solution is custom/proprietary and both sides are controlled by a single vendor:
SSL-VPN is completely proprietary, no interop expected with any other client/firewall~vpn-server.
IPsec standards do not support SAML currently; but Fortinet implemented their own custom/proprietary integration in FGT/FCT, which again has no interop with third parties.
Doing this with 802.1x for wifi/switch auth would either require yet another proprietary supplicant software, or time-consuming effort to get a standardized solution somewhere far in the future.
I centralized authentication early with FAC. Started as just RADIUS to LDAP, then centralized 2FA with FortiToken for VPN and admin access, then as a CA with SCEP for certificate management, and expanded with SAML IdP for 2FA access to web apps. It’s a great inexpensive Swiss Army knife.
802.1x happens before your host even gets an IP address, and even before your host is placed on a VLAN… so it has to be a local, layer 2 only protocol…
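An added example, not posted by anyone in this thread, that decodes a constructed 802.1X EAPOL frame to make the layer 2 point concrete: the only headers present are Ethernet (EtherType 0x888E) and EAPOL/EAP, so there is no IP header for a web-based SAML exchange to ride on. The frame bytes and MAC addresses below are constructed placeholders.

```python
# Added example (not from the thread): decode a constructed 802.1X EAPOL frame to
# show it rides directly on Ethernet (EtherType 0x888E) with no IP header at all.
import struct

EAPOL_ETHERTYPE = 0x888E                 # IEEE 802.1X "PAE" EtherType
PAE_GROUP_ADDR = "01:80:c2:00:00:03"     # group MAC used between supplicant and authenticator
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_eapol(frame: bytes) -> dict:
    """Parse Ethernet + EAPOL (+ EAP) headers. Raises ValueError if the frame is not EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not EAPOL; 802.1X never uses IP")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    info = {"dst": mac(dst), "src": mac(src), "eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown"), "eap": None}
    body = frame[18:18 + body_len]
    if eapol_type == 0 and len(body) >= 4:            # EAP-Packet carries an EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        eap = {"code": EAP_CODES.get(code, "unknown"), "id": ident, "length": eap_len}
        if code in (1, 2) and eap_len >= 5:            # Request/Response carry a Type byte
            eap["type"] = EAP_TYPES.get(body[4], f"type-{body[4]}")
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info


def build_identity_request(src: bytes, ident: int = 1) -> bytes:
    """Constructed sample: authenticator -> supplicant EAP-Request/Identity frame."""
    eap = struct.pack("!BBHB", 1, ident, 5, 1)          # code=Request, id, length=5, type=Identity
    eapol = struct.pack("!BBH", 2, 0, len(eap)) + eap    # EAPOL version 2, type 0 (EAP-Packet)
    dst = bytes.fromhex(PAE_GROUP_ADDR.replace(":", ""))
    return dst + src + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


if __name__ == "__main__":
    # placeholder source MAC, constructed for this example
    print(parse_eapol(build_identity_request(bytes.fromhex("001122334455"))))
```

Feeding the parser an IPv4 frame (EtherType 0x0800) raises, which is the whole point: the 802.1X exchange is finished before anything addressable by IP exists on the port.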