ceForti
New Member
November 14, 2025
Question

Fortinac with openldap

  • November 14, 2025
  • 3 replies
  • 640 views

Has anyone done Windows PC > FortiNAC > OpenLDAP for 802.1X user authentication?

The authentication keeps on failing, regardless of the EAP protocols used.
Switch model used: Juniper EX.


Attached FNAC radius logs.

(2823) Received Access-Request Id 233 from 10.176.2.159:60141 to 10.176.2.24:1812 length 158
(2823)   User-Name = "user1"
(2823)   NAS-Port = 564
(2823)   State = 0x1dfeb1601ffda4e7b61bb33bb2402358
(2823)   EAP-Message = 0x020300061500
(2823)   Message-Authenticator = 0xbf1130bb5dbab2bf9b877bc0c1313dbd
(2823)   Acct-Session-Id = "8O2.1x815f094b00060db3"
(2823)   NAS-Port-Id = "ge-0/0/3.0"
(2823)   Calling-Station-Id = "10-7d-1a-1a-5b-c3"
(2823)   Called-Station-Id = "c8-13-37-c7-4a-b8"
(2823)   NAS-Port-Type = Ethernet
(2823) Restoring &session-state
(2823)   &session-state:Hint = "0438c294-f027-4352-a474-d5faa06ff01c"
(2823)   &session-state:Tmp-String-1 := "request"
(2823)   &session-state:Framed-MTU = 1180
(2823)   &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
(2823)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
(2823)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
(2823)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
(2823)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
(2823) # Executing section authorize from file /etc/raddb/radiusd.conf
(2823)   authorize {
(2823)     if (!&session-state:Hint && !&request:Fortinet-Tenant-Identification) {
(2823)     if (!&session-state:Hint && !&request:Fortinet-Tenant-Identification)  -> FALSE
(2823)     if (&session-state:Tmp-String-9) {
(2823)     if (&session-state:Tmp-String-9)  -> FALSE
(2823)     if ( &request:Fortinet-Tenant-Identification ) {
(2823)     if ( &request:Fortinet-Tenant-Identification )  -> FALSE
(2823)     if (!&session-state:Tmp-String-1) {
(2823)     if (!&session-state:Tmp-String-1)  -> FALSE
(2823)     policy filter_username {
(2823)       if (&User-Name) {
(2823)       if (&User-Name)  -> TRUE
(2823)       if (&User-Name)  {
(2823)         if (&User-Name =~ / /) {
(2823)         if (&User-Name =~ / /)  -> FALSE
(2823)         if (&User-Name =~ /@[^@]*@/ ) {
(2823)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2823)         if (&User-Name =~ /\.\./ ) {
(2823)         if (&User-Name =~ /\.\./ )  -> FALSE
(2823)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2823)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2823)         if (&User-Name =~ /\.$/)  {
(2823)         if (&User-Name =~ /\.$/)   -> FALSE
(2823)         if (&User-Name =~ /@\./)  {
(2823)         if (&User-Name =~ /@\./)   -> FALSE
(2823)       } # if (&User-Name)  = notfound
(2823)     } # policy filter_username = notfound
(2823)     [preprocess] = ok
(2823) suffix: Checking for suffix after "@"
(2823) suffix: No '@' in User-Name = "user1", looking up realm NULL
(2823) suffix: No such realm "NULL"
(2823)     [suffix] = noop
(2823) ntdomain: Checking for prefix before "\"
(2823) ntdomain: No '\' in User-Name = "user1", looking up realm NULL
(2823) ntdomain: No such realm "NULL"
(2823)     [ntdomain] = noop
(2823)     if (!&Realm && &User-Name) {
(2823)     if (!&Realm && &User-Name)  -> TRUE
(2823)     if (!&Realm && &User-Name)  {
(2823)       if (&User-Name =~ /^host\/[^.]+\.([a-zA-Z0-9.-]+)$/) {
(2823)       if (&User-Name =~ /^host\/[^.]+\.([a-zA-Z0-9.-]+)$/)  -> FALSE
(2823)     } # if (!&Realm && &User-Name)  = ok
(2823)     update control {
(2823)       &Proxy-To-Realm := LOCAL
(2823)     } # update control = noop
(2823)     [mschap] = noop
(2823)     if (!EAP-Message) {
(2823)     if (!EAP-Message)  -> FALSE
(2823)     else {
(2823)       if (User-Name && Calling-Station-Id && User-Name =~ /^([0-9a-fA-F]{2}[:]?){5}[0-9a-fA-F]{2}$/ ) {
(2823)       if (User-Name && Calling-Station-Id && User-Name =~ /^([0-9a-fA-F]{2}[:]?){5}[0-9a-fA-F]{2}$/ )  -> FALSE
(2823) eap-DefaultConfig: Peer sent EAP Response (code 2) ID 3 length 6
(2823) eap-DefaultConfig: Continuing tunnel setup
(2823)       [eap-DefaultConfig] = ok
(2823)     } # else = ok
(2823)     [chap] = noop
(2823)     [logintime] = noop
(2823)   } # authorize = ok
(2823) Found Auth-Type = EAP-DEFAULTCONFIG
(2823) # Executing group from file /etc/raddb/radiusd.conf
(2823)   Auth-Type EAP-DEFAULTCONFIG {
(2823) eap-DefaultConfig: Removing EAP session with state 0x1dfeb1601ffda4e7
(2823) eap-DefaultConfig: Previous EAP request found for state 0x1dfeb1601ffda4e7, released from the list
(2823) eap-DefaultConfig: Peer sent packet with method EAP TTLS (21)
(2823) eap-DefaultConfig: Calling submodule eap_ttls to process data
(2823) eap_ttls: Authenticate
(2823) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2823) eap-DefaultConfig: Sending EAP Request (code 1) ID 4 length 93
(2823) eap-DefaultConfig: EAP session adding &reply:State = 0x1dfeb1601efaa4e7
(2823)     [eap-DefaultConfig] = handled
(2823)   } # Auth-Type EAP-DEFAULTCONFIG = handled
(2823) Using Post-Auth-Type Challenge
(2823) # Executing group from file /etc/raddb/radiusd.conf
(2823)   Challenge { ... } # empty sub-section is ignored
(2823) session-state: Saving cached attributes
(2823)   Hint = "0438c294-f027-4352-a474-d5faa06ff01c"
(2823)   Tmp-String-1 := "request"
(2823)   Framed-MTU = 1180
(2823)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
(2823)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
(2823)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
(2823)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
(2823)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
(2823) Sent Access-Challenge Id 233 from 10.176.2.24:1812 to 10.176.2.159:60141 length 151
(2823)   EAP-Message = 0x0104005d1580000004eb753d91bf9e7e69816ed023596fd0fb9616f9afce327458f8f8ab718f2c6c731d1a2c0c7041c6578d50b7134f66de3e533d536ca45c01e8311ca941923061b481237e3c6849666a22768116030300040e000000
(2823)   Message-Authenticator = 0x00000000000000000000000000000000
(2823)   State = 0x1dfeb1601efaa4e7b61bb33bb2402358
(2823) Finished request
Waking up in 4.9 seconds.
(2824) Received Access-Request Id 234 from 10.176.2.159:60141 to 10.176.2.24:1812 length 288
(2824)   User-Name = "user1"
(2824)   NAS-Port = 564
(2824)   State = 0x1dfeb1601efaa4e7b61bb33bb2402358
(2824)   EAP-Message = 0x0204008815800000007e1603030046100000424104464abe704a9817c6216685c89532bd110e4c82fcb05e5fe2fac004a3f96770895d991969d9f93a4f665daaef5dad1517ec95676f27d5d504f67af2e82d7e98e614030300010116030300280000000000000000fcd8a1c3ca35f57670cc333d4646a31d692ed409c124defc7802e235d08ed6c3
(2824)   Message-Authenticator = 0x94d275c6c71081e3aa4c9308da7578c4
(2824)   Acct-Session-Id = "8O2.1x815f094b00060db3"
(2824)   NAS-Port-Id = "ge-0/0/3.0"
(2824)   Calling-Station-Id = "10-7d-1a-1a-5b-c3"
(2824)   Called-Station-Id = "c8-13-37-c7-4a-b8"
(2824)   NAS-Port-Type = Ethernet
(2824) Restoring &session-state
(2824)   &session-state:Hint = "0438c294-f027-4352-a474-d5faa06ff01c"
(2824)   &session-state:Tmp-String-1 := "request"
(2824)   &session-state:Framed-MTU = 1180
(2824)   &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
(2824)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
(2824)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
(2824)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
(2824)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
(2824) # Executing section authorize from file /etc/raddb/radiusd.conf
(2824)   authorize {
(2824)     if (!&session-state:Hint && !&request:Fortinet-Tenant-Identification) {
(2824)     if (!&session-state:Hint && !&request:Fortinet-Tenant-Identification)  -> FALSE
(2824)     if (&session-state:Tmp-String-9) {
(2824)     if (&session-state:Tmp-String-9)  -> FALSE
(2824)     if ( &request:Fortinet-Tenant-Identification ) {
(2824)     if ( &request:Fortinet-Tenant-Identification )  -> FALSE
(2824)     if (!&session-state:Tmp-String-1) {
(2824)     if (!&session-state:Tmp-String-1)  -> FALSE
(2824)     policy filter_username {
(2824)       if (&User-Name) {
(2824)       if (&User-Name)  -> TRUE
(2824)       if (&User-Name)  {
(2824)         if (&User-Name =~ / /) {
(2824)         if (&User-Name =~ / /)  -> FALSE
(2824)         if (&User-Name =~ /@[^@]*@/ ) {
(2824)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2824)         if (&User-Name =~ /\.\./ ) {
(2824)         if (&User-Name =~ /\.\./ )  -> FALSE
(2824)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2824)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2824)         if (&User-Name =~ /\.$/)  {
(2824)         if (&User-Name =~ /\.$/)   -> FALSE
(2824)         if (&User-Name =~ /@\./)  {
(2824)         if (&User-Name =~ /@\./)   -> FALSE
(2824)       } # if (&User-Name)  = notfound
(2824)     } # policy filter_username = notfound
(2824)     [preprocess] = ok
(2824) suffix: Checking for suffix after "@"
(2824) suffix: No '@' in User-Name = "user1", looking up realm NULL
(2824) suffix: No such realm "NULL"
(2824)     [suffix] = noop
(2824) ntdomain: Checking for prefix before "\"
(2824) ntdomain: No '\' in User-Name = "user1", looking up realm NULL
(2824) ntdomain: No such realm "NULL"
(2824)     [ntdomain] = noop
(2824)     if (!&Realm && &User-Name) {
(2824)     if (!&Realm && &User-Name)  -> TRUE
(2824)     if (!&Realm && &User-Name)  {
(2824)       if (&User-Name =~ /^host\/[^.]+\.([a-zA-Z0-9.-]+)$/) {
(2824)       if (&User-Name =~ /^host\/[^.]+\.([a-zA-Z0-9.-]+)$/)  -> FALSE
(2824)     } # if (!&Realm && &User-Name)  = ok
(2824)     update control {
(2824)       &Proxy-To-Realm := LOCAL
(2824)     } # update control = noop
(2824)     [mschap] = noop
(2824)     if (!EAP-Message) {
(2824)     if (!EAP-Message)  -> FALSE
(2824)     else {
(2824)       if (User-Name && Calling-Station-Id && User-Name =~ /^([0-9a-fA-F]{2}[:]?){5}[0-9a-fA-F]{2}$/ ) {
(2824)       if (User-Name && Calling-Station-Id && User-Name =~ /^([0-9a-fA-F]{2}[:]?){5}[0-9a-fA-F]{2}$/ )  -> FALSE
(2824) eap-DefaultConfig: Peer sent EAP Response (code 2) ID 4 length 136
(2824) eap-DefaultConfig: Continuing tunnel setup
(2824)       [eap-DefaultConfig] = ok
(2824)     } # else = ok
(2824)     [chap] = noop
(2824)     [logintime] = noop
(2824)   } # authorize = ok
(2824) Found Auth-Type = EAP-DEFAULTCONFIG
(2824) # Executing group from file /etc/raddb/radiusd.conf
(2824)   Auth-Type EAP-DEFAULTCONFIG {
(2824) eap-DefaultConfig: Removing EAP session with state 0x1dfeb1601efaa4e7
(2824) eap-DefaultConfig: Previous EAP request found for state 0x1dfeb1601efaa4e7, released from the list
(2824) eap-DefaultConfig: Peer sent packet with method EAP TTLS (21)
(2824) eap-DefaultConfig: Calling submodule eap_ttls to process data
(2824) eap_ttls: Authenticate
(2824) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(2824) eap_ttls: (TLS) EAP Got all data (126 bytes)
(2824) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
(2824) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
(2824) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
(2824) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
(2824) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
(2824) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
(2824) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
(2824) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
(2824) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
(2824) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
(2824) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
(2824) eap_ttls: (TLS) TTLS - Connection Established
(2824) eap_ttls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(2824) eap_ttls:   TLS-Session-Version = "TLS 1.2"
(2824) eap-DefaultConfig: Sending EAP Request (code 1) ID 5 length 61
(2824) eap-DefaultConfig: EAP session adding &reply:State = 0x1dfeb16019fba4e7
(2824)     [eap-DefaultConfig] = handled
(2824)   } # Auth-Type EAP-DEFAULTCONFIG = handled
(2824) Using Post-Auth-Type Challenge
(2824) # Executing group from file /etc/raddb/radiusd.conf
(2824)   Challenge { ... } # empty sub-section is ignored
(2824) session-state: Saving cached attributes
(2824)   Hint = "0438c294-f027-4352-a474-d5faa06ff01c"
(2824)   Tmp-String-1 := "request"
(2824)   Framed-MTU = 1180
(2824)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
(2824)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
(2824)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
(2824)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
(2824)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
(2824)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
(2824)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
(2824)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
(2824)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
(2824)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(2824)   TLS-Session-Version = "TLS 1.2"
(2824) Sent Access-Challenge Id 234 from 10.176.2.24:1812 to 10.176.2.159:60141 length 119
(2824)   EAP-Message = 0x0105003d1580000000331403030001011603030028adab2f31d1a72531173540ada8fb812ac284a1ddde81a1c79f2d8c55798d049b4696e131b87a1189
(2824)   Message-Authenticator = 0x00000000000000000000000000000000
(2824)   State = 0x1dfeb16019fba4e7b61bb33bb2402358
(2824) Finished request
Waking up in 4.8 seconds.


3 replies

ElwinBERRAR
Explorer III
November 14, 2025

I’ve seen similar behaviour when using FortiNAC with OpenLDAP behind Juniper EX switches: the TLS/EAP flow completes, but the bind to LDAP fails silently because the identity format doesn’t match what the directory expects. Make sure the username format coming from 802.1X matches exactly the LDAP uid or cn attribute FortiNAC is querying. If that still fails, try switching to PEAP/MSCHAPv2 temporarily to confirm whether the issue is in the EAP inner method or the LDAP bind step.

ceForti
New Member
November 15, 2025

We tried with user@domain.com and without @. PEAP and MSCHAPv2 are working when using Active Directory instead of OpenLDAP.
Can PEAP/MSCHAPv2 be used when OpenLDAP is the backend identity store?

ebilcari
Staff
November 16, 2025

PEAP/MSCHAPv2 requires the use of Winbind, since it verifies challenges instead of passwords; see Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks.

You can try to use EAP-TTLS instead.

Emirjon
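An added example, not from this thread or from Fortinet, that ties together the two points raised above: the identity format sent by the supplicant must match what the directory is queried for, and an MSCHAPv2 challenge response can only be verified from an NT hash (or by a domain-joined checker such as Winbind), not from a hashed userPassword. It strips realms the way the suffix/ntdomain modules do in the log above, builds an RFC 4515-escaped LDAP filter, and reports which inner method a given entry can serve. The directory entries, the attribute names sambaNTPassword and ntPassword, and the helper names are constructed for illustration.

```python
# Mirrors FreeRADIUS's ntdomain/suffix realm handling seen in the log:
# "DOMAIN\user" -> ("user", "DOMAIN"), "user@domain.com" -> ("user", "domain.com"),
# "user1" -> ("user1", None).  The bare identity is what the LDAP lookup must match.
def split_identity(user_name):
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return user_name, None


# RFC 4515 escaping so a crafted User-Name cannot change the meaning of the filter.
def escape_filter_value(value):
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


# Filter the NAC/RADIUS server would send to OpenLDAP; attr is the attribute the
# directory is expected to match (uid or cn, as suggested in the thread).
def ldap_filter(user_name, attr="uid"):
    user, _ = split_identity(user_name)
    return "(%s=%s)" % (attr, escape_filter_value(user))


# Attributes (constructed names) that hold an NT hash the server could use directly.
NT_HASH_ATTRS = ("sambaNTPassword", "ntPassword")


# PAP inside EAP-TTLS carries the cleartext password through the tunnel, so a plain
# LDAP bind against userPassword works whatever hash scheme the directory stores.
# MSCHAPv2 (under PEAP or TTLS) carries only a challenge response; verifying it needs
# the NT hash, either stored in the entry, derivable from a cleartext userPassword,
# or checked by a domain-joined helper such as Winbind.  A {SSHA}-style userPassword
# alone cannot serve MSCHAPv2, which is the situation described in the thread.
def serviceable_inner_methods(entry, winbind=False):
    methods = set()
    password = entry.get("userPassword")
    if password is not None:
        methods.add("pap")
        if not password.startswith("{"):  # cleartext: NT hash can be derived
            methods.add("mschapv2")
    if winbind or any(attr in entry for attr in NT_HASH_ATTRS):
        methods.add("mschapv2")
    return methods


if __name__ == "__main__":
    hashed_entry = {"uid": "user1", "userPassword": "{SSHA}c29tZXNhbHRlZGhhc2g="}  # constructed
    print(ldap_filter("CORP\\user1"), serviceable_inner_methods(hashed_entry))
```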
ceForti
New Member
November 17, 2025

Will Winbind work for OpenLDAP? I tried, but it's not working for OpenLDAP.

AEK
SuperUser
November 15, 2025
ceForti
New Member
November 17, 2025

Yes.
[attachment: ldapattribute.jpg]