New Member

Question

Having issues connecting radius server to AP

Forum|Forum|3 years ago
October 5, 2022
3 replies
4221 views

Hi.

I have FortiWifi 40F installed on my network, with a radius server for a wpa enterprise configuration.

I have installed an access point, configuring the radius server IP with the port and the secret.

Here comes the issues: when I'm trying to authenticate clients on AP, the server doesn't get any request, and the authentication fails.

I have been investigating, my server is on 192.168.100.0/24 and my access point is on 192.168.2.0/24, with the firewall policy accepting traffic between this two interfaces (ports 1 and 2 of the FortiWifi).

I have been trying connecting with another device from access point side to the server, and I have no problem with ping communication or remote access, but the radius request fails.

I have configured over FreeRadius the users and the client, pointing to the acces point IP.

And the final step: I tried with both devices on the same net (192.168.100.0/24) and surprise, everything works perfectly.

What's the matter? Configuring the wifi devices inside the DMZ is the best practise?

Maybe I would like to configure communication between 192.168.100.0/24 and 192.168.2.0/24 without filtering the requests, so the radius service can work like if both devices were in the same net.

Some suggests, can someone help me with this configuration?

Thanks in advance.

FortiGate

AEK

SuperUser

Hi

Please share the following:

- Ping from AP to RADIUS

- Ping from RADIUS to AP

- Test authentication when opening all traffic in your FW policy from AP to RADIUS

- Sniff on your RADIUS traffic coming from AP and traffic going to AP

AEK

eineltecAuthor

New Member

Hi

Ping from AP to RADIUS is impossible, doesn't support console commands, and connecting via SSH requests sudo permission which is not activated.

PING from RADIUS to AP is working without problems.

Test authentication locally works

But with the firewall between AP and RADIUS doesn't get answer. I get this error message forcing response with the software NTRadping, with an AP request the server doesn't show any alert.

This is what I think: the forti catches the AP request (192.168.2.1), and sends to my RADIUS server (192.168.100.100) but the server gets the request from the 192.168.100.200 (the IP interface of Fortigate in the 192.168.100.0/24) so it doesn't understand the client and rejects the request.

As I said, configuring the AP and the RADIUS in the same net (with 192.168.100.100 for RADIUS and 192.168.100.1 for AP) works without problems, the idea is to separate in different nets each device, but without this IP source change.

AEK

SuperUser

Hi Eineltec

If I understand well I think you have NAT enabled on your firewall policy.

Try disable NAT on the policy and redo the test.

Otherwise in case you need NAT then you should authorize FGT IP .200 on your RADIUS.

AEK

eineltecAuthor

New Member

Hi

With NAT enabled, I ping from RADIUS to AP succesfully.

Without NAT, ping doesn't get answer.

How can I configure without NAT and communicate both devices? I guess the answer is near there.

My firewall rules:

My interfaces:

AEK

SuperUser

Then it is definitely a routing issue.

If you configure default GW on RADIUS and AP (FGT IP) then this should fix the issue.

AEK

eineltecAuthor

New Member

Hi, can u guide me about how to configure this routing?

PD: I got a solution, configuring GW on the AP to the Forti IP interface, and indicating the client as the Forti IP interface.

But the ideal configuration would be to make this routing inside the Fortigate.

AEK

SuperUser

Hi

You have to configure routing on AP & server.

On AP it should be on the AP GUI.

On Linux you can do it in different ways, e.g.: via GUI with NetworkManager, or via CLI with ip route add, nmtui, nmcli, or editing files in /etc/sysconfig/network-scripts/

AEK

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded