
2 replies

ebilcari
Staff
July 29, 2025

Are you trying to configure PEAP with computer authentication? If yes, FNAC needs to be joined to the domain as shown here: Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks for the authentications to work. This guide Machine Authentication includes all necessary steps.

You need to check if the authentication succeeds first, then use a simple User/Host profile to match with the Network Access Policy. The RADIUS logs will give more information about the authentication results. The details that are shown in the mentioned article can be later leveraged in case you want to limit host access based on RADIUS attributes.

Emirjon
williasthomas192004
Explorer III
July 30, 2025

Is there another way? The customer does not prefer this way.

If the CA fails we could be facing a lot of issues.

ebilcari
Staff
July 30, 2025

EAP-TLS is a viable option that is also supported by FNAC, but its implementation is a bit more complex, as each host requires its own certificate for authentication. A Public Key Infrastructure (PKI) must be in place to issue and distribute these certificates.

Emirjon
adambomb1219
SuperUser
July 29, 2025

Are you using PEAP/MS-CHAPv2? You should not be using that in 2025. It uses broken encryption and should no longer be used. Credential Guard will block this by default on modern versions of Windows.

williasthomas192004
Explorer III
July 30, 2025

Yes, so what encryption method should I use instead of PEAP/MSCHAPv2?

adambomb1219
SuperUser
July 30, 2025

EAP-TLS or TEAP.