AtiT
New Member
February 4, 2017
Question

Fortiauthenticator settings for Windows Active Directory Domain Authentication


Hi,

I want to use the FortiAuthenticator to authenticate users from LDAP (remote users) with OTP, and also use it for WiFi username/password authentication.

When a user wants to authenticate via WiFi (FortiAP), I get an error on the FortiAuthenticator:

Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only

According to the documentation, Windows Active Directory Domain Authentication should be enabled to authenticate users via Kerberos.

I tried to set this up in the lab, but the FortiAuthenticator is not allowed to contact the Windows AD. The security log shows an Audit Failure:

Failure Reason: Unknown user name or bad password.

 

How do I set up this scenario?

Should I create a computer account for the FortiAuthenticator? If yes, should it be a member of Domain Controllers?

Can I use the Administrator account, or should I create another one with some special privileges?

The documentation is not clear to me.

Thank you for any help.


    ergotherego
    New Member
    February 10, 2017

    "Can I use the administrator account or should I create another one with some special privileges?"

    Best to use a "service account", one just for your FAC. It can have privileges to add new machines to the domain, and this can be limited to a few machine adds to prevent overuse.

    "Should I create a Computer account for the Fortiauthenticator"

    The AD account you use to join the FAC to the domain should have these permissions, then that will be done automatically. Otherwise you will need to create a new machine object manually.

    "if yes it should be member of domain controllers?"

    Definitely not. FAC won't "push" any changes to your domain. It just needs the ability to query the domain hierarchy.

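The reply above recommends a dedicated service account for the FAC that can add only a few machines, a pre-created machine object if that account lacks join rights, and no Domain Controllers membership. The following PowerShell is an added example of that setup, not code from the thread or from Fortinet: it creates a plain Domain User as the service account, pre-stages the FAC's computer object in an ordinary OU, and delegates to the service account only the rights a domain join exercises on that single object, so it cannot join any other machine. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation running PowerShell 5.1 or later; the OU paths, the account name svc-fac-join and the hostname fac01 are assumptions to be replaced with your own.

```powershell
# Added example (not from the thread or from Fortinet). Assumes the RSAT ActiveDirectory
# module; OU names, the service account name and the FAC hostname are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$svcName  = "svc-fac-join"                     # assumed service account name
$facHost  = "fac01"                            # assumed FAC hostname (the name the FAC joins with)
$svcOu    = "OU=Service Accounts,$domainDn"    # assumed OU; must already exist
$applOu   = "OU=Appliances,$domainDn"          # assumed OU; must already exist, NOT Domain Controllers
$svcPass  = Read-Host -AsSecureString -Prompt "Password for $svcName"

# 1. A dedicated, plain Domain User for the FAC: no admin group memberships at all.
#    Non-expiring password so the join and Kerberos lookups do not silently break later.
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@$($domain.DNSRoot)" `
    -Path $svcOu -AccountPassword $svcPass -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "FortiAuthenticator domain join / Kerberos service account"

# 2. Pre-create the FAC's machine object in an ordinary OU. The join then rewrites this
#    object instead of creating one, so the service account needs no rights on the OU
#    and the domain-wide ms-DS-MachineAccountQuota is not involved.
New-ADComputer -Name $facHost -Path $applOu -Enabled $true `
    -Description "FortiAuthenticator appliance"

# 3. Delegate on that ONE object exactly what a domain join performs:
#    reset the machine password, write the Account Restrictions property set,
#    and validated writes to dNSHostName and servicePrincipalName.
$svcSid = (Get-ADUser -Identity $svcName).SID
$compDn = (Get-ADComputer -Identity $facHost).DistinguishedName
$acl    = Get-Acl -Path "AD:\$compDn"

# Well-known AD schema GUIDs for the rights above.
$guidResetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
$guidAcctRestrict  = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"   # User-Account-Restrictions set
$guidValDnsHost    = [Guid]"72e39547-7b18-11d1-adef-00c04fd8d5cd"   # Validated-DNS-Host-Name
$guidValSpn        = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"   # Validated-SPN

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$aces = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($svcSid, $rights::ExtendedRight, $allow, $guidResetPassword),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($svcSid, $rights::WriteProperty, $allow, $guidAcctRestrict),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($svcSid, $rights::Self,          $allow, $guidValDnsHost),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($svcSid, $rights::Self,          $allow, $guidValSpn)
)
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$compDn" -AclObject $acl

# 4. Review what the service account was actually granted on the FAC's object.
(Get-Acl -Path "AD:\$compDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$svcName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

The account created in step 1 is the one to enter in the FAC's domain-join dialog, as the reply describes. Because the delegation in step 3 is scoped to the single pre-staged computer object, the account holds no rights over the OU or the domain and cannot be used to join other machines; the computer object lives in an ordinary OU, so the appliance never becomes a domain controller. The hostname used in step 2 must match the name the FAC presents when joining, otherwise the join will try to create a new object and fail for lack of rights.
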
    TKucera
    New Member
    June 19, 2017

    Can anybody tell me what rights that service account needs (exactly: domain user or domain computer)? In case I make the computer object manually.

    sandytechie
    New Member
    August 19, 2019

    Did you get any solution? We are facing the same issue.

    We are getting the "Can't connect to network" error in our WiFi; proper configuration is done.

    Any solution?

    FlavioB
    New Member
    June 16, 2021

    AtiT wrote:

    When the user wants to authenticate via WiFi (FortiAP) i get an error on the Fortiauthenticator:

    Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only

    Hi there... resurrecting an old thread, but it's the only reference I found. I got the same error. What is the solution for that? I've looked into the LDAP config on the FAC and there's nothing related to PAP/MSCHAP (and TBH, this only rings a bell in relation to RADIUS config).

    Any help will be appreciated.

    Thanks,

    F.