Skip to main content
muhammadsaad
muhammadsaad
New Member
January 23, 2025
Question

FortiNAC 802.1X user authentication through AD via Cisco Switch

  • January 23, 2025
  • 2 replies
  • 1899 views

Hello Team,

We have a cisco switch in our environment and want to configure 802.1X user authentication through Active Directory.

Necessary configuration has been done on cisco switch and also on fortinac but the user is not able to authenticate. 

Switch logs are shared below:

Jan 23 11:21:31.767: %AUTHMGR-5-START: Starting 'dot1x' for client (d0bf.9c0f.2698) on Interface Gi1/0/24 AuditSessionID C0A8018C000000ED06B56251
Jan 23 11:21:47.143: %DOT1X-5-FAIL: Authentication failed for client (d0bf.9c0f.2698) on Interface Gi1/0/24 AuditSessionID C0A8018C000000ED06B56251
Jan 23 11:21:47.143: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d0bf.9c0f.2698) on Interface Gi1/0/24 AuditSessionID C0A8018C000000ED06B56251
Jan 23 11:21:47.143: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d0bf.9c0f.2698) on Interface Gi1/0/24 AuditSessionID C0A8018C000000ED06B56251
Jan 23 11:21:47.143: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d0bf.9c0f.2698) on Interface Gi1/0/24 AuditSessionID C0A8018C000000ED06B56251
Jan 23 11:21:47.143: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d0bf.9c0f.2698) on Interface Gi1/0/24 AuditSessionID C0A8018C000000ED06B56251

 

We are using EAP-PEAP with MSChapV2 protocol at both sides.

 

Can someone help out on this

2 replies

Jakob-AHHG
Jakob-AHHG
Explorer III
January 23, 2025

Not sure if it's the switch or FortiNAC that actually does the authentication-process, but it seems like the switch can't verify the client.

I would see it Cisco has a way to do testing via CLI/GUI, to test the connection to your backend.

Otherwise, it would be helpful, if you describe the setup a bit more. And, have you tested that the different components in your setup can access and use the auth-servers?

muhammadsaad
muhammadsaadAuthor
New Member
January 23, 2025

Hi, 

The shared logs are of switch. Basically I had integrated the active directory with FortiNAC and after that I had added the Cisco switch via SNMP. Then dot1x configuration of Cisco and FortiNAC have been done.
For radius server authentication and accounting, currently i'm using 1645 and 1646 ports. Should I switched to 1812 and 813 or is it something else

ebilcari
Staff
ebilcari
Staff
January 23, 2025

To get better details you can check the RADIUS logs in the server side, it can be checked from GUI or CLI, some detail can be found in these articles here and here.

For PEAP/MSCHAPv2, the winbind need to be also configured to verify the credentials as shown in this article here. There should also be a method in place to register the hosts, enabling 'Dot1x Auto Registration' in Port properties could be the easiest way in this scenario.

Emirjon
    muhammadsaad
    muhammadsaadAuthor
    New Member
    January 24, 2025

    Hi,

    Thanks for your reply. The issue was at vlan side at the customer port. Rest of the configurations on the cisco and fortinac was fine.

    Thanks fortinet team

      Terms & ConditionsAccessibility statement