Skip to main content
The_Nude_Deer
The_Nude_Deer
Explorer II
November 13, 2024
Question

EAP-TLS request not reaching FAC

  • November 13, 2024
  • 4 replies
  • 3492 views

Client laptop has a cert issued by Microsoft AD (via Intune) the Trusted CA has been imported to the FAC 6.6.0 as per this video:

EAP-TLS Authentication with FortiAuthenticator | Identity and Access Management

The fortigate is set to use the FAC / WPA2 Enterprise as per the instructions, everything is configured as per the fortinet website, but nothing gets sent to the FAC (other traffic using SSL VPN is fine, so its not a connection issue)

 

Running debugs and logs on both the FAC and the Gate, the EAP-TLS request is not even reaching the FAC, 

 

Fortigate logs show:

2024-11-06 15:09:28 05768.944 70:32:17:11:01:7a <eh> IEEE 802.1X (EAPOL 14B) ==> 70:32:17:11:01:7a ws (0-10.16.152.100:5246) rId 0 wId 1 38:c0:ea:a0:d0:81 2024-11-06 15:09:28 05768.974 70:32:17:11:01:7a <eh> IEEE 802.1X (EAPOL 5B) <== 70:32:17:11:01:7a ws (0-10.16.152.100:5246) rId 0 wId 1 38:c0:ea:a0:d0:81 2024-11-06 15:09:28 05768.974 70:32:17:11:01:7a <eh> recv IEEE 802.1X ver=1 type=1 (EAPOL_START) data len=0

 

Which show a pattern link below

auth-req

auth-resp

reassoc-req

reassoc-resp

client-disconnected

 

This then repeats, client machine shows the same sort of log, I have configured and had it checked by TAC, and still cannot get this simple connection working, any help from here is appreciated,

4 replies

Hatibi
Staff & Editor
Hatibi
Staff & Editor
November 14, 2024

Are you testing wireless or conneting wired to a Switchport?

 

The logs you have shared have this message as last one before disconnection:

<eh> recv IEEE 802.1X ver=1 type=1 (EAPOL_START) data len=0

 

At this point the Authenticator (AP/switch) should send an Identity request packet to get the Host. That is why you see nothing in FortiAuthenticator. That part comes after the identity request/response phase is completed.

So the issue is to be investigated between the Supplicant(endpoint) and the Authenticator.

It might be an issue with 802.1x settings on the Authenticator. 

The_Nude_Deer
The_Nude_DeerAuthor
Explorer II
November 14, 2024

So, this wireless, Client > AP > Fortigate > FAC

The Fortigate is set to use FAC as the Radius Server with WPA2 enterprise. So the issue is likely the AP? that just broadcasts the SSID , could you elaborate please?

Hatibi
Staff & Editor
Hatibi
Staff & Editor
November 14, 2024

Yes the problem is at this communication channel between Client <> AP 

Check the 802.1x setting in the AP and check its debugging if it shows any more details on why there is no EAP identity Request packet sent back.

 

The flow is the following:

 

Supplicant ---- EAPOL START ----> AP

Supplicant <---- EAP Identity Request ---- AP

Supplicant ---- EAP Identity Response ----> AP

                                                                     AP --------- Radius Acess-Request ------> FAC

The_Nude_Deer
The_Nude_DeerAuthor
Explorer II
December 4, 2024

I have configured everthing as per 

EAP-TLS Authentication with FortiAuthenticator | Identity and Access Management

 

When the client clicks connect to the SSID, we get 

"Unable to connect because you need a certificate to sign in" but I have the cert on the client machine, and the FAC has the ROOT CA that signed it! Help anyone?

Hatibi
Staff & Editor
Hatibi
Staff & Editor
December 4, 2024

Are you using User or Computer certificates?

Is the certificate present in the certificate store in Personal > Certificates ?

Is the certificate created with usage for "Client Authentication"

sjoshi
Staff
sjoshi
Staff
December 4, 2024

Hi,

 

It seems like the EAP-TLS request from the client laptop is not reaching the FortiAuthenticator (FAC) despite proper configuration. The FortiGate logs indicate the EAPOL messages being exchanged but not reaching FAC. The pattern of authentication request and response loops along with client disconnection suggests a communication issue. Since SSL VPN traffic is working fine, it's not a connectivity problem. To troubleshoot further, ensure the EAP server certificate and Trusted CA are correctly configured on FAC, verify the RADIUS settings on both FAC and FortiGate, and check for any firewall rules blocking the EAP-TLS traffic. Additionally, reviewing the detailed logs on FAC using the debug interface and analyzing the network traffic with tools like Wireshark on UDP port 1812 can help pinpoint where the communication breakdown is occurring.

Salon Raj Joshi | #NSE8-003459
The_Nude_Deer
The_Nude_DeerAuthor
Explorer II
December 4, 2024

1. ensure the EAP server certificate and Trusted CA are correctly configured on FAC

I have created a local EAP server certificate and its is signed by the Local CA on the FAC, and the client has that as a copy.

 

2. I cannot view any logs on the FAC, as there arent any generated, it simply does not get that far, I am really at a loss now and want to throw the thing out the window!  

 

I am about to do a TCP Dump on the AP to see whats happening maybe

 

 

Terms & ConditionsCookie settingsAccessibility statement