Khurramtariq
Explorer
February 10, 2025
Question

FortiNAC-802.1X User Credential Failed MSCHAPv2


Dear FortiNAC Experts

We have FortiNAC 7.6. 802.1X RADIUS is configured with Cisco switches and authentication is through LDAP-WinBind MSCHAPv2. The PC machines are Windows 11. Now we are facing an issue with new users, a password change of the user, or if a user logs in to another PC in the same domain: FortiNAC throws a credential failed error when we change the password in AD or a new user logs in. In this setup I think the user does not have access to LDAP before logging into the machine. It does not allow entering credentials, etc. How to fix this issue?

Thanks in advance

FortiNAC 

@ebilcari 

 

 


AEK
SuperUser
February 10, 2025

Hi Tarik

It's been a year (or more) since I worked on FNAC, but as far as I remember the WinBind mode has a few limitations compared to proxy mode.

If I'm not wrong, for new users the LDAP user DB in FNAC is synchronized once a day, right? So in order to make sure this is the root cause, you may try running a manual sync of your LDAP user DB on FNAC. If it works then you can change the sync rate from FNAC, but I can't remember from which menu item :(

Hope it helps a bit.

AEK
Khurramtariq
Explorer
February 14, 2025

Hi AEK

Thanks for your reply. We tried to manually sync AD in FortiNAC but it's accepting credential change or when new users come; the only solution is to remove from FortiNAC and sign in, make the credential cached, and then re-login through FortiNAC.

ebilcari
Staff
February 18, 2025

The AD synchronization will update user attributes and groups; credentials are checked in real time during authentication.

If the supplicant in the end host (Win 11) is configured to save credentials, after the password is changed on the AD side, the supplicant will still use the old cached credentials. This behavior should be changed in the end host configuration; usually a GPO is used. From the FNAC perspective these credentials don't match, and that's why the authentication fails. This is not a FNAC limitation.

Emirjon
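
A check for the cached-credential behaviour described in the reply above, as an added example that is not part of the thread or Fortinet's own code: it reads a wired profile exported with `netsh lan export profile` and flags profiles that save user credentials. It assumes the relevant setting is the `cacheUserData` element in the profile's OneX section; the sample profile and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ONEX_NS = "{http://www.microsoft.com/networking/OneX/v1}"

# Constructed sample of an exported wired profile (not taken from the thread).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""


def audit_profile(xml_text):
    """Return the 802.1X credential-caching settings found in one profile."""
    root = ET.fromstring(xml_text)
    onex = root.find(f".//{ONEX_NS}OneX")
    if onex is None:
        return {"onex": False, "cache_user_data": None, "auth_mode": None}
    cache = onex.findtext(f"{ONEX_NS}cacheUserData")
    mode = onex.findtext(f"{ONEX_NS}authMode")
    return {
        "onex": True,
        # None means the element is absent from the profile.
        "cache_user_data": None if cache is None else cache.strip().lower() == "true",
        "auth_mode": None if mode is None else mode.strip(),
    }


def stale_credential_risk(result):
    """True when the profile may present a saved password after an AD change."""
    if not result["onex"]:
        return False
    # Machine-only authentication uses the computer account, not a saved user password.
    if result["auth_mode"] == "machine":
        return False
    # An unspecified setting is flagged too (conservative assumption of this example).
    return result["cache_user_data"] is not False


if __name__ == "__main__":
    r = audit_profile(SAMPLE_PROFILE)
    print(r, "stale-credential risk:", stale_credential_risk(r))
```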