Authentication format on FortiConnect

Question

Hey guys,

We have a Fortinet WLAN management controller and a Forticonnect VM. Everything is setup and communicates well with AD. But Authentication works only when we send username as "username@domain.local". This is fine for mobiles because we push it manually via a MDM to connect to the SSID.

But for notebooks we have set it up to use windows logon via GPO, and I can see on the logs that the username comes in as "domain\username" which seem to fail for some reason. Our AD is Windows Server 2012 R2.

One of the fail packets show an MSCHAP error, but I;m guessing its a generic error?

Packet 10 (from 192.168.20.141:47024 id 122) Request: Access-Request User-Name = NEAMIINC\lisa.koh NAS-IP-Address = 192.168.20.141 NAS-Port = 2081 Called-Station-Id = 00:10:f3:48:86:d2:Neami-Corp Calling-Station-Id = 94-65-9C-91-72-D3 Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = CONNECT 802.11a Chargeable-User-Identity = Inner Request: Access-Request FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = NEAMIINC\lisa.koh NAS-IP-Address = 192.168.20.141 NAS-Port = 2081 Called-Station-Id = 00:10:f3:48:86:d2:Neami-Corp Calling-Station-Id = 94-65-9C-91-72-D3 Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = CONNECT 802.11a Chargeable-User-Identity = Inner Reply: Access-Reject MS-CHAP-Error = " E=691 R=1" Reply: Access-Challenge No attributes

Any help would be great.

Thanks

ManojK · Answer

I managed to get some more info from the radius logs. It seems to be looking for the @. Log below one for computer and user. Hopefully this will give a clearer picture to someone?

rad_recv: Access-Request packet from host 192.168.20.141 port 47024, id=134, length=204 User-Name = "NEAMIINC\\manoj.kumaracheliyan" NAS-IP-Address = 192.168.20.141 NAS-Port = 2068 Called-Station-Id = "00:10:f3:48:86:d2:Neami-Corp" Calling-Station-Id = "14-AB-C5-81-E2-41" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "" EAP-Message = 0x02010022014e45414d49494e435c6d616e6f6a2e6b756d6172616368656c6979616e Message-Authenticator = 0x3bac557c063e0597588737055f410665 Wed May 2 19:26:54 2018 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Wed May 2 19:26:54 2018 : Info: +group authorize { Wed May 2 19:26:54 2018 : Info: [suffix] No '@' in User-Name = "NEAMIINC\manoj.kumaracheliyan", skipping NULL due to config. Wed May 2 19:26:54 2018 : Info: ++[suffix] = noop Wed May 2 19:26:54 2018 : Info: [IPASS] No '/' in User-Name = "NEAMIINC\manoj.kumaracheliyan", skipping NULL due to config. Wed May 2 19:26:54 2018 : Info: ++[IPASS] = noop Wed May 2 19:26:54 2018 : Info: [ntdomain] Looking up realm "NEAMIINC" for User-Name = "NEAMIINC\manoj.kumaracheliyan" Wed May 2 19:26:54 2018 : Info: [ntdomain] Found realm "DEFAULT" Wed May 2 19:26:54 2018 : Info: [ntdomain] Adding Realm = "DEFAULT" Wed May 2 19:26:54 2018 : Info: [ntdomain] Authentication realm is LOCAL. Wed May 2 19:26:54 2018 : Info: ++[ntdomain] = ok Wed May 2 19:26:54 2018 : Info: ++[chap] = noop Wed May 2 19:26:54 2018 : Info: ++[mschap] = noop Wed May 2 19:26:54 2018 : Info: [eap] EAP packet type response id 1 length 34 Wed May 2 19:26:54 2018 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed May 2 19:26:54 2018 : Info: ++[eap] = updated Wed May 2 19:26:54 2018 : Info: [sql] expand: %{User-Name} -> NEAMIINC\\manoj.kumaracheliyan Wed May 2 19:26:54 2018 : Info: [sql] sql_set_user escaped user --> 'NEAMIINC\\manoj.kumaracheliyan' Wed May 2 19:26:54 2018 : Debug: rlm_sql (sql): Reserving sql socket id: 11 Wed May 2 19:26:54 2018 : Info: [sql] expand: SELECT id, UserName, 'Cleartext-Password', password, ':=' FROM guestusers WHERE (LOWER(Username) = LOWER('%{SQL-User-Name}') OR (mac_address = to_macaddr('%{SQL-User-Name}'))) AND status = 2 -> ***** Wed May 2 19:26:54 2018 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Wed May 2 19:26:54 2018 : Debug: rlm_sql_postgresql: query affected rows = 0 , fields = 5 Wed May 2 19:26:54 2018 : Debug: rlm_sql (sql): Released sql socket id: 11 Wed May 2 19:26:54 2018 : Info: [sql] User NEAMIINC\\manoj.kumaracheliyan not found Wed May 2 19:26:54 2018 : Info: ++[sql] = notfound Wed May 2 19:26:54 2018 : Info: ++? if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) Wed May 2 19:26:54 2018 : Info: ? Evaluating !(control:Proxy-To-Realm ) -> TRUE Wed May 2 19:26:54 2018 : Info: ?? Skipping ("%{control:Proxy-To-Realm}" == 'DEFAULT') Wed May 2 19:26:54 2018 : Info: ++? if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) -> TRUE Wed May 2 19:26:54 2018 : Info: ++if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) { Wed May 2 19:26:54 2018 : Info: +++? if (!control:Auth-Type) Wed May 2 19:26:54 2018 : Info: ? Evaluating !(control:Auth-Type) -> FALSE Wed May 2 19:26:54 2018 : Info: +++? if (!control:Auth-Type) -> FALSE Wed May 2 19:26:54 2018 : Info: ++} # if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) = updated Wed May 2 19:26:54 2018 : Info: +} # group authorize = updated Wed May 2 19:26:54 2018 : Info: Found Auth-Type = EAP Wed May 2 19:26:54 2018 : Info: # Executing group from file /etc/raddb/sites-enabled/default Wed May 2 19:26:54 2018 : Info: +group authenticate { Wed May 2 19:26:54 2018 : Info: [eap] EAP Identity Wed May 2 19:26:54 2018 : Info: [eap] processing type tls Wed May 2 19:26:54 2018 : Info: [tls] Initiate Wed May 2 19:26:54 2018 : Info: [tls] Start returned 1 Wed May 2 19:26:54 2018 : Info: ++[eap] = handled Wed May 2 19:26:54 2018 : Info: +} # group authenticate = handled Sending Access-Challenge of id 134 to 192.168.20.141 port 47024 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa339c7d0a33bde610662bde461ee3ce8 Wed May 2 19:26:54 2018 : Info: Finished request 6686. Wed May 2 19:26:54 2018 : Debug: Going to the next request Wed May 2 19:26:54 2018 : Info: Cleaning up request 6571 ID 19 with timestamp +352 Wed May 2 19:26:54 2018 : Info: Cleaning up request 6572 ID 20 with timestamp +352 Wed May 2 19:26:54 2018 : Info: Cleaning up request 6573 ID 21 with timestamp +352 rad_recv: Access-Request packet from host 192.168.20.141 port 47024, id=135, length=322 User-Name = "host/0AFKITQ.NeamiInc.local" NAS-IP-Address = 192.168.20.141 NAS-Port = 2054 Called-Station-Id = "00:10:f3:48:86:d2:Neami-Corp" Calling-Station-Id = "68-5D-43-FD-56-97" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11g" Chargeable-User-Identity = "" EAP-Message = 0x0206008819800000007e16030300461000004241044de92aaab51fcfca0e1d485d09023f8a1f4de822dc8e3f53fd1c297f809f17ef3b7cc36f83887a4a4639381aa7f701d63fde3cc18f6665f24930bc885fe4917a140303000101160303002800000000000000000dff15fb58ae87ced6bdf2610580e4cd0d0284fd7e7a1e9d43e5697016ca9f4f State = 0xd9429d61dd44846534999a0ce8da3ad4 Message-Authenticator = 0x2b9cbba10cd7221d4739bb8d9c649fd1 Wed May 2 19:26:54 2018 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Wed May 2 19:26:54 2018 : Info: +group authorize { Wed May 2 19:26:54 2018 : Info: [suffix] No '@' in User-Name = "host/0AFKITQ.NeamiInc.local", skipping NULL due to config. Wed May 2 19:26:54 2018 : Info: ++[suffix] = noop Wed May 2 19:26:54 2018 : Info: [IPASS] Looking up realm "host" for User-Name = "host/0AFKITQ.NeamiInc.local" Wed May 2 19:26:54 2018 : Info: [IPASS] Found realm "DEFAULT" Wed May 2 19:26:54 2018 : Info: [IPASS] Adding Realm = "DEFAULT" Wed May 2 19:26:54 2018 : Info: [IPASS] Authentication realm is LOCAL. Wed May 2 19:26:54 2018 : Info: ++[IPASS] = ok Wed May 2 19:26:54 2018 : Info: [ntdomain] Request already proxied. Ignoring. Wed May 2 19:26:54 2018 : Info: ++[ntdomain] = ok Wed May 2 19:26:54 2018 : Info: ++[chap] = noop Wed May 2 19:26:54 2018 : Info: ++[mschap] = noop Wed May 2 19:26:54 2018 : Info: [eap] EAP packet type response id 6 length 136 Wed May 2 19:26:54 2018 : Info: [eap] Continuing tunnel setup. Wed May 2 19:26:54 2018 : Info: ++[eap] = ok Wed May 2 19:26:54 2018 : Info: +} # group authorize = ok Wed May 2 19:26:54 2018 : Info: Found Auth-Type = EAP Wed May 2 19:26:54 2018 : Info: # Executing group from file /etc/raddb/sites-enabled/default Wed May 2 19:26:54 2018 : Info: +group authenticate { Wed May 2 19:26:54 2018 : Info: [eap] Request found, released from the list Wed May 2 19:26:54 2018 : Info: [eap] EAP/peap Wed May 2 19:26:54 2018 : Info: [eap] processing type peap Wed May 2 19:26:54 2018 : Info: [peap] processing EAP-TLS Wed May 2 19:26:54 2018 : Debug: TLS Length 126 Wed May 2 19:26:54 2018 : Info: [peap] Length Included Wed May 2 19:26:54 2018 : Info: [peap] eaptls_verify returned 11 Wed May 2 19:26:54 2018 : Info: [peap] <<< Unknown TLS version [length 0046] Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 read client key exchange A Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 read certificate verify A Wed May 2 19:26:54 2018 : Info: [peap] <<< Unknown TLS version [length 0001] Wed May 2 19:26:54 2018 : Info: [peap] <<< Unknown TLS version [length 0010] Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 read finished A Wed May 2 19:26:54 2018 : Info: [peap] >>> Unknown TLS version [length 0001] Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 write change cipher spec A Wed May 2 19:26:54 2018 : Info: [peap] >>> Unknown TLS version [length 0010] Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 write finished A Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 flush data Wed May 2 19:26:54 2018 : Info: [peap] (other): SSL negotiation finished successfully Wed May 2 19:26:54 2018 : Debug: SSL Connection Established Wed May 2 19:26:54 2018 : Info: [peap] eaptls_process returned 13 Wed May 2 19:26:54 2018 : Info: [peap] EAPTLS_HANDLED Wed May 2 19:26:54 2018 : Info: ++[eap] = handled Wed May 2 19:26:54 2018 : Info: +} # group authenticate = handled Sending Access-Challenge of id 135 to 192.168.20.141 port 47024 EAP-Message = 0x0107003919001403030001011603030028d38e16aa33863612a0c035ab08f7aafe9bbb643faefff0cd950ca4c961318e22ac8a96efab2ade17 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd9429d61dc45846534999a0ce8da3ad4 Wed May 2 19:26:54 2018 : Info: Finished request 6687. Wed May 2 19:26:54 2018 : Debug: Going to the next request

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded