VicAndr
New Member
December 24, 2015
Solved

FortiOS v5.2.5: Windows XP cannot connect to WPA2 Enterprise WiFi


We have WiFi networks with WPA2 Enterprise security successfully working in our environment. After a recent firmware upgrade from v5.2.3 to v5.2.5 on all our FortiGate and FortiWifi boxes, old computers with Windows XP on them cannot connect to the wireless networks any longer.

Although we do not have many Windows XP installations left, none of them can connect to WPA2 Enterprise wireless networks. There was no such problem before the upgrade.

All our FortiAP units (FAP 220B, 320C, 321C) have the latest firmware (v5.2.4 build 0245) on them.

Does anyone experience the same issue?

Thank you for any thoughts and ideas.

Best answer by localhost

VicAndr wrote:

Now, could someone explain (or, perhaps, point to some document or KB article) how a certificate is used in the course of WPA2-Enterprise client connection negotiation, and why disabling certificate validation on the client side still doesn't "fix" the WiFi connectivity issue (in the case of XP)?

This will just accept certificates which are not signed by a known certificate authority.

But the certificate will still be used to create an encrypted channel to exchange the authentication information.


emnoc
New Member
December 25, 2015

Okay, I won't bash it, but Windows XP should be eliminated. Next, were you using WPA-Ent with Windows XP before the upgrade?

Your choices are to diagnose the Windows XP WPA-ENT issue or build a 2nd VAP and set WPA-Personal just for these clients.

To diagnose the WPA-ENT RADIUS, do the following:

1: Test the user account using CHAP (I bet your problem is probably CHAP related, btw).

diag test authserver radius <the defined server name> mschap username password

Try chap or mschap2 depending on the server.

2: Run the diagnose commands for debug output:

diag debug reset
diag debug en
diag debug app radius -1

FWIW: the WPA-personal on a new VAP and SSID would make life easier ;)
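Step 1 above only exercises the FortiGate-to-RADIUS leg of the path (the original poster makes the same point later in the thread). The script below is an added example, not code from this thread or from Fortinet, that reproduces that same check from any host the RADIUS server accepts as a client, using only the Python standard library: it builds an RFC 2865 Access-Request with either PAP (User-Password hiding) or CHAP (CHAP-Password) and verifies the Response Authenticator on the reply, so an Access-Accept that did not come from a server holding the shared secret is rejected rather than trusted. The server address, shared secret and account in the `__main__` block are placeholders, and `build_reply` is included only to construct a server-side reply offline; MS-CHAPv2, which the Windows XP supplicant uses inside PEAP, is not covered.

```python
"""RFC 2865 Access-Request tester for PAP and CHAP (added example, not Fortinet code)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password (the server's side); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password value = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        t, ln = struct.unpack_from("!BB", data, pos)
        if ln < 2 or pos + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return attrs


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def build_reply(code: int, identifier: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes):
    """Client side: verify the Response Authenticator before trusting Accept/Reject."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        raise ValueError("length mismatch")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if resp_auth != hashlib.md5(header + request_auth + body + secret).digest():
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code, identifier, decode_attrs(body)


def radius_auth(server, secret: bytes, user: bytes, password: bytes, method="pap", timeout=3.0) -> bool:
    """Send one Access-Request over UDP and return True only on a verified Access-Accept."""
    identifier, authenticator = os.urandom(1)[0], os.urandom(16)
    attrs = [(ATTR_USER_NAME, user)]
    if method == "pap":
        attrs.append((ATTR_USER_PASSWORD, hide_pap_password(password, secret, authenticator)))
    elif method == "chap":
        # With no CHAP-Challenge attribute, the Request Authenticator is the challenge (RFC 2865 5.3).
        attrs.append((ATTR_CHAP_PASSWORD, chap_response(identifier, password, authenticator)))
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    request = build_access_request(identifier, authenticator, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, server)
        reply, _ = sock.recvfrom(4096)
    code, reply_id, _ = parse_reply(reply, authenticator, secret)
    if reply_id != identifier:
        raise ValueError("reply identifier does not match request")
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    # Placeholders (constructed): replace with your RADIUS server, shared secret and a test account.
    print(radius_auth(("192.0.2.10", 1812), b"testing123", b"xp-test-user", b"s3cret", "pap"))
```

Run it from a host the RADIUS server lists as a client (the FortiGate's address will be; a workstation usually will not), otherwise the server silently drops the request and the call times out. A timeout therefore points at the RADIUS client list or a firewall, an Access-Reject at the account or the method, and a `ValueError` on the reply at a shared-secret mismatch; none of these involve the FortiAP or the supplicant, which is exactly why a passing result here does not clear the wireless side.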


VicAndr (Author)
New Member
December 29, 2015

Emnoc,

Thank you for your always relevant and thoughtful responses! Because of guys like you, Fortinet Forums has become an extremely valuable resource; in many cases, sharing users' knowledge and "real life" experiences through forums allows us to find solutions or workarounds for issues for which Fortinet Support does not have answers (or takes too-o-o-o-o long to respond).

OK, let's get back to the issue itself now. Well, I agree with you in regards to Windows XP, ...generally. But if you have a few boxes loaded with this, or any other outdated OS, which perfectly serve the purpose they were put in place for, why would you waste your time and money (a new OS license comes at a cost, right?!) to make an upgrade for the "sake of upgrade"? In our case we have a few small (book-size) computers with Windows XP, which serve as media players to drive big screens installed at different locations to present information about courses and other opportunities provided by our company. Windows XP is listed as supported by FortiOS 5.2 (Deploying Wireless Networks, p. 80), and, in fact, it worked just fine before upgrading to maintenance release 5, build 701. But now it doesn't, and I can't figure out why.

There is nothing wrong with the user's account. BTW, Windows XP uses not CHAP but MS-CHAPv2 for authentication. When you use the diagnose command you are referring to, it shows a successful authentication. The thing, though, is that with this diag command you test the authentication path between the wireless controller on the firewall and a RADIUS server; the client itself and the FortiAP it is connecting to the WiFi network through "remain out of the picture".

In regards to your second script involving a few diag commands: it doesn't work at all ...until you add yet one more command before the last one:

diag debug app fnbamd -1

Something has changed inside FortiOS 5.2.5 which prevents Windows XP machines from being authenticated, since nothing else has changed in the authentication path involving the following components:

Mobile Client -> FortiAP -> Wireless Controller (FortiGate) -> RADIUS servers

I've opened a case with Fortinet Support. They asked me to run a diagnostic script; I did, and submitted the results to them. And now, a week later, I still do not have any response from them.


VicAndr (Author)
New Member
December 30, 2015

I've made some troubleshooting efforts which reinforced my thinking that Windows XP is a "No-Go" for WPA2 Enterprise on FortiOS v5.2.5:

  • None of the computers with Windows XP I tried can connect to the wireless network.
  • On the other hand, when we upgraded one of the computers to Windows 7 (same hardware, same WiFi configuration, same everything else), it connected flawlessly.

Still no response from Fortinet on this. This is a holiday season; perhaps that is why. Or, maybe, they are waiting for an expert member to post a solution or explanation here, so that they could "move the case forward".