Visitor III

Question

Wifi authenticator using certificate

Forum|Forum|4 years ago
August 19, 2021
1 reply
5000 views

Hi...

I am deploy a FAC and we need configure the clients to authenticate on WIFI using certificate.

I was read the Fortine docummentation and in all cenaris the FAC is a CA, but the costumer have a internal CA, so I imported the Root CA and intermediate CA certificate to FAC and create a CSR to CA generate a server certificated to FAC.

Below I am pasting the RADIUS debug logs:

(28) Received Access-Request Id 25 from 10.49.2.129:6786 to 10.45.14.40:1812 length 349 2021-08-18T16:40:26.539540-03:00 PRDFAC-FNT-A radiusd[22484]: (28) User-Name = "ipachacuti@qualicorp.com.br" 2021-08-18T16:40:26.539546-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-IP-Address = 0.0.0.0 2021-08-18T16:40:26.539551-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Identifier = "10.49.2.10/5246-Qlc-Corporativo" 2021-08-18T16:40:26.539556-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Called-Station-Id = "D4-76-A0-46-50-D0:Qlc-Corporativo-01" 2021-08-18T16:40:26.539566-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Port-Type = Wireless-802.11 2021-08-18T16:40:26.539572-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Service-Type = Framed-User 2021-08-18T16:40:26.539578-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Port = 1 2021-08-18T16:40:26.539583-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Fortinet-SSID = "Qlc-Corporativo-01" 2021-08-18T16:40:26.539588-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Fortinet-AP-Name = "ap_plaza_niteroi_01" 2021-08-18T16:40:26.539593-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Calling-Station-Id = "5C-CD-5B-51-49-E7" 2021-08-18T16:40:26.539597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-18T16:40:26.539602-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Acct-Session-Id = "610D7F800000013E" 2021-08-18T16:40:26.539606-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Acct-Multi-Session-Id = "AD3AA044994A7AC4" 2021-08-18T16:40:26.539611-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-Pairwise-Cipher = 1027076 2021-08-18T16:40:26.539618-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-Group-Cipher = 1027076 2021-08-18T16:40:26.539626-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-AKM-Suite = 1027073 2021-08-18T16:40:26.539630-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Framed-MTU = 1400 2021-08-18T16:40:26.539635-03:00 PRDFAC-FNT-A radiusd[22484]: (28) EAP-Message = 0x02f90006030d 2021-08-18T16:40:26.539639-03:00 PRDFAC-FNT-A radiusd[22484]: (28) State = 0x9cbc75179c4560e453e0470a6884bbb3 2021-08-18T16:40:26.539643-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Message-Authenticator = 0x480eea390fc3475973781e6cffeefa5e 2021-08-18T16:40:26.539653-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-18T16:40:26.539695-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>NAS IP:10.49.2.129 2021-08-18T16:40:26.539706-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>Username:ipachacuti@qualicorp.com.br 2021-08-18T16:40:26.539713-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>Timestamp:1629315626.539363, age:0ms 2021-08-18T16:40:26.539722-03:00 PRDFAC-FNT-A radiusd[22484]: Not doing PAP as Auth-Type is already set. 2021-08-18T16:40:26.539730-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-18T16:40:26.539739-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Expiring EAP session with state 0x9cbc75179c4560e4 2021-08-18T16:40:26.539747-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Finished EAP session with state 0x9cbc75179c4560e4 2021-08-18T16:40:26.539753-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Previous EAP request found for state 0x9cbc75179c4560e4, released from the list 2021-08-18T16:40:26.539765-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Found authclient from preloaded authclients list for 10.49.2.129: WIFI_Corp_Plaza_Niteroi (10.49.2.129) 2021-08-18T16:40:26.540672-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: WARNING: failed to load authpolicy for authclient 6 with authtype eap-tls 2021-08-18T16:40:26.541369-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Found authpolicy 'WIFI_CORP' for client '10.49.2.129' 2021-08-18T16:40:26.541597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: ERROR: No mutually acceptable types found 2021-08-18T16:40:26.541653-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-18T16:40:26.541712-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: Updated auth log 'ipachacuti@qualicorp.com.br': 802.1x authentication failed 2021-08-18T16:40:27.209211-03:00 PRDFAC-FNT-A radiusd[22484]: Waking up in 0.3 seconds.

Can you help me :)

xsilver_FTNT

Staff

It seems that matching RADIUS Service / Policy named "WIFI_CORP" is anything else but EAP-TLS.

Check that first.

Once you set RADIUS Service / Policy / "Authentication type" to "Client Certificates (EAP-TLS)", then on next page of "Identity source" you get the blue hint stating how the match is done and how the client's cert should look like.

Understanding the Client Certificates (EAP-TLS) workflow EAP-TLS verifies the certificate provided by the end-user. A certificate is deemed valid if ALL of the following conditions match the certificate binding settings of one of the configured local or remote users:

[ul]

End-user certificate "Subject" has a "CN" value AND that value matches the "Common name" certificate binding setting of one of the configured local or remote users.

End-user certificate "Issuer" matches the "CA" certificate binding setting of that same configured user account.

End-user certificate is properly signed.

End-user certificate is NOT expired.[/ul]

For example, if an end-user provides a certificate with the following fields:

[ul]

Subject: CN=Sam, OU=Sales, DC=Company, DC=com

Issuer: CN=MyCA, OU=IT, DC=Company, DC=come

Properly signed and not expired[/ul]

This certificate would be deemed valid if matching a configured user account with certificate binding settings:

[ul]

Common name: Sam

CA: CN=MyCA, OU=IT, DC=Company, DC=com[/ul]

raphaejaoliveiraAuthor

Visitor III

I did the changes.

Now user some times connect and another times not.

When user has success to connect the connection takes a long time.

2021-08-20T16:35:31.806736-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Received Access-Request Id 121 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1836 2021-08-20T16:35:31.806743-03:00 PRDFAC-FNT-A radiusd[3903]: (179) User-Name = "ABToledo@teste.com" 2021-08-20T16:35:31.806748-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-IP-Address = 0.0.0.0 2021-08-20T16:35:31.806752-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo" 2021-08-20T16:35:31.806756-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo" 2021-08-20T16:35:31.806760-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Port-Type = Wireless-802.11 2021-08-20T16:35:31.806765-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Service-Type = Framed-User 2021-08-20T16:35:31.806769-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Port = 1 2021-08-20T16:35:31.806773-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Fortinet-SSID = "Qlc-Corporativo" 2021-08-20T16:35:31.806777-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Fortinet-AP-Name = "ap_vila_olimpia_01" 2021-08-20T16:35:31.806781-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Calling-Station-Id = "5C-CD-5B-51-0B-03" 2021-08-20T16:35:31.806785-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-20T16:35:31.806789-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Acct-Session-Id = "611FE546000000BB" 2021-08-20T16:35:31.806793-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Acct-Multi-Session-Id = "422E105E5406896B" 2021-08-20T16:35:31.806798-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-Pairwise-Cipher = 1027076 2021-08-20T16:35:31.806802-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-Group-Cipher = 1027076 2021-08-20T16:35:31.806807-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-AKM-Suite = 1027073 2021-08-20T16:35:31.806811-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Framed-MTU = 1400 2021-08-20T16:35:31.806821-03:00 PRDFAC-FNT-A radiusd[3903]: (179) EAP-Message = 0x026e05d40d406961746525323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d677275706f2c44433d7175616c69636f72703f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479307906082b06010505073002866d687474703a2f2f7375626f7264696e6174655f63612e677275706f2e7175616c69636f72702f43657274456e726f6c6c2f50524457494e415030392e677275706f2e7175616c69636f72705f5175616c69636f7270253230496e7465726d65646961746525323043412e637274304f0603551d1104483046a029060a2b060104018237140203a01b0c194142546f6c65646f407175616c69636f72702e636f6d2e627281196162746f6c65646f407175616c69636f72702e636f6d2e6272300d06092a864886f70d01010b05000382 2021-08-20T16:35:31.806825-03:00 PRDFAC-FNT-A radiusd[3903]: (179) State = 0x8839eb508e57e650f7b42b22f3ec8a91 2021-08-20T16:35:31.806829-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Message-Authenticator = 0xdcbbf94f3da30ac13dd24526fccf5a00 2021-08-20T16:35:31.806838-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.806876-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.806881-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>Username:ABToledo@teste.com 2021-08-20T16:35:31.806887-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>Timestamp:1629488131.806550, age:0ms 2021-08-20T16:35:31.807301-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.814266-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.814670-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.815443-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.815770-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.815781-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.816041-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.816415-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.816424-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.816635-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.817094-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.817319-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.817539-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.817972-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.818003-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.818016-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Expiring EAP session with state 0x17c49a1e10ea97ee 2021-08-20T16:35:31.818023-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Finished EAP session with state 0x8839eb508e57e650 2021-08-20T16:35:31.818032-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Previous EAP request found for state 0x8839eb508e57e650, released from the list 2021-08-20T16:35:31.818051-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: EAP session adding &reply:State = 0x8839eb508f56e650 2021-08-20T16:35:31.818065-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.818075-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Sent Access-Challenge Id 121 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 2021-08-20T16:35:31.818081-03:00 PRDFAC-FNT-A radiusd[3903]: (179) EAP-Message = 0x016f00060d00 2021-08-20T16:35:31.818087-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Message-Authenticator = 0x00000000000000000000000000000000 2021-08-20T16:35:31.818090-03:00 PRDFAC-FNT-A radiusd[3903]: (179) State = 0x8839eb508f56e650f7b42b22f3ec8a91 2021-08-20T16:35:31.829878-03:00 PRDFAC-FNT-A radiusd[3903]: Waking up in 0.6 seconds. 2021-08-20T16:35:31.829932-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Received Access-Request Id 122 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1729 2021-08-20T16:35:31.829943-03:00 PRDFAC-FNT-A radiusd[3903]: (180) User-Name = "ABToledo@qteste.com" 2021-08-20T16:35:31.829948-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-IP-Address = 0.0.0.0 2021-08-20T16:35:31.829954-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo" 2021-08-20T16:35:31.829959-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo" 2021-08-20T16:35:31.829966-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Port-Type = Wireless-802.11 2021-08-20T16:35:31.829972-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Service-Type = Framed-User 2021-08-20T16:35:31.829977-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Port = 1 2021-08-20T16:35:31.829981-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Fortinet-SSID = "Qlc-Corporativo" 2021-08-20T16:35:31.829985-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Fortinet-AP-Name = "ap_vila_olimpia_01" 2021-08-20T16:35:31.829989-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Calling-Station-Id = "5C-CD-5B-51-0B-03" 2021-08-20T16:35:31.829994-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-20T16:35:31.829998-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Acct-Session-Id = "611FE546000000BB" 2021-08-20T16:35:31.830003-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Acct-Multi-Session-Id = "422E105E5406896B" 2021-08-20T16:35:31.830008-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-Pairwise-Cipher = 1027076 2021-08-20T16:35:31.830013-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-Group-Cipher = 1027076 2021-08-20T16:35:31.830018-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-AKM-Suite = 1027073 2021-08-20T16:35:31.830023-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Framed-MTU = 1400 2021-08-20T16:35:31.830035-03:00 PRDFAC-FNT-A radiusd[3903]: (180) EAP-Message = 0x026f05690d00657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74864a687474703a2f2f7375626f7264696e6174655f63612e677275706f2e7175616c69636f72702f43657274456e726f6c6c2f5175616c69636f7270253230526f6f7425323043412e63726c3082014006082b06010505070101048201323082012e3081b806082b060105050730028681ab6c6461703a2f2f2f434e3d5175616c69636f7270253230526f6f7425323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d677275706f2c44433d7175616c69636f72703f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479307106082b060105050730028665687474703a2f2f73 2021-08-20T16:35:31.830041-03:00 PRDFAC-FNT-A radiusd[3903]: (180) State = 0x8839eb508f56e650f7b42b22f3ec8a91 2021-08-20T16:35:31.830045-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Message-Authenticator = 0xb54679edc81860423e91605393bd89f4 2021-08-20T16:35:31.830053-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.830094-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.830105-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>Username:ABToledo@teste.com 2021-08-20T16:35:31.830112-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>Timestamp:1629488131.829767, age:0ms 2021-08-20T16:35:31.830445-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.831242-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.831582-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.832345-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.832655-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.832664-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.832915-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.833256-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.833265-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.833467-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.833878-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.834086-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.834281-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.834619-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.834643-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.834656-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Expiring EAP session with state 0x17c49a1e10ea97ee 2021-08-20T16:35:31.834665-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Finished EAP session with state 0x8839eb508f56e650 2021-08-20T16:35:31.834671-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Previous EAP request found for state 0x8839eb508f56e650, released from the list 2021-08-20T16:35:31.835643-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate passed CRL check. 2021-08-20T16:35:31.836123-03:00 PRDFAC-FNT-A radiusd[3903]: fn_eap_tls.c: Verifying remote LDAP user cert binding (user: abtoledo, ldap id: 1) 2021-08-20T16:35:31.837359-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate binding check succeeded. (CN=Anderson Alves Bueno de Toledo, Issuer=/DC=teste/DC=com/CN= Teste Intermediate CA) 2021-08-20T16:35:31.837957-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate passed CRL check. 2021-08-20T16:35:31.838369-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: EAP session adding &reply:State = 0x8839eb508049e650 2021-08-20T16:35:31.838389-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.838399-03:00 PRDFAC-FNT-A radiusd[3903]: (180) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" 2021-08-20T16:35:31.838404-03:00 PRDFAC-FNT-A radiusd[3903]: (180) TLS-Session-Version = "TLS 1.2" 2021-08-20T16:35:31.838414-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Sent Access-Challenge Id 122 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 2021-08-20T16:35:31.838423-03:00 PRDFAC-FNT-A radiusd[3903]: (180) EAP-Message = 0x0170003d0d80000000331403030001011603030028edd5c1a035f9ce8c87ea3d2880dfa1d6b7c1d667989a2acdafa4ac1d9ac7fd37a19808510af7a0e7 2021-08-20T16:35:31.838428-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Message-Authenticator = 0x00000000000000000000000000000000 2021-08-20T16:35:31.838432-03:00 PRDFAC-FNT-A radiusd[3903]: (180) State = 0x8839eb508049e650f7b42b22f3ec8a91 2021-08-20T16:35:31.850445-03:00 PRDFAC-FNT-A radiusd[3903]: Waking up in 0.6 seconds. 2021-08-20T16:35:31.850514-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Received Access-Request Id 123 from 10.49.1.129:20124 to 10.45.14.40:1812 length 340 2021-08-20T16:35:31.850522-03:00 PRDFAC-FNT-A radiusd[3903]: (181) User-Name = "ABToledo@teste.com" 2021-08-20T16:35:31.850527-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-IP-Address = 0.0.0.0 2021-08-20T16:35:31.850531-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo" 2021-08-20T16:35:31.850536-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo" 2021-08-20T16:35:31.850541-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Port-Type = Wireless-802.11 2021-08-20T16:35:31.850547-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Service-Type = Framed-User 2021-08-20T16:35:31.850551-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Port = 1 2021-08-20T16:35:31.850554-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Fortinet-SSID = "Qlc-Corporativo" 2021-08-20T16:35:31.850558-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Fortinet-AP-Name = "ap_vila_olimpia_01" 2021-08-20T16:35:31.850562-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Calling-Station-Id = "5C-CD-5B-51-0B-03" 2021-08-20T16:35:31.850581-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-20T16:35:31.850602-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Acct-Session-Id = "611FE546000000BB" 2021-08-20T16:35:31.850608-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Acct-Multi-Session-Id = "422E105E5406896B" 2021-08-20T16:35:31.850614-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-Pairwise-Cipher = 1027076 2021-08-20T16:35:31.850619-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-Group-Cipher = 1027076 2021-08-20T16:35:31.850624-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-AKM-Suite = 1027073 2021-08-20T16:35:31.850633-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Framed-MTU = 1400 2021-08-20T16:35:31.850638-03:00 PRDFAC-FNT-A radiusd[3903]: (181) EAP-Message = 0x027000060d00 2021-08-20T16:35:31.850642-03:00 PRDFAC-FNT-A radiusd[3903]: (181) State = 0x8839eb508049e650f7b42b22f3ec8a91 2021-08-20T16:35:31.850647-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Message-Authenticator = 0xa38e1ef42b16eaa2543fa1aa5843394d 2021-08-20T16:35:31.850658-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.850706-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.850715-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>Username:ABToledo@teste.com 2021-08-20T16:35:31.850723-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>Timestamp:1629488131.850374, age:0ms 2021-08-20T16:35:31.851133-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.852050-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.852419-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.853156-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.853465-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.853474-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.853722-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.854074-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.854084-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.854289-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.854697-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.854907-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.855111-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.855448-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.855472-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.855484-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Expiring EAP session with state 0x17c49a1e10ea97ee 2021-08-20T16:35:31.855490-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Finished EAP session with state 0x8839eb508049e650 2021-08-20T16:35:31.855499-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Previous EAP request found for state 0x8839eb508049e650, released from the list 2021-08-20T16:35:31.855627-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.855650-03:00 PRDFAC-FNT-A radiusd[3903]: (181) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite

-> 'ECDHE-RSA-AES256-GCM-SHA384' 2021-08-20T16:35:31.855656-03:00 PRDFAC-FNT-A radiusd[3903]: (181) &reply::TLS-Session-Version += &session-state:TLS-Session-Version

-> 'TLS 1.2' 2021-08-20T16:35:31.855666-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: EAP authentication success - add configured radius attributes to response 2021-08-20T16:35:31.855674-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.855681-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.856424-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.856739-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.857448-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.857767-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.857776-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.858018-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.858346-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.858360-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.858558-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.858956-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.859161-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.859349-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.859670-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.859953-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Searching for groups for username ABToledo 2021-08-20T16:35:31.860742-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Updated auth log 'ABToledo@teste.com': 802.1x authentication successful 2021-08-20T16:35:31.860770-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Sent Access-Accept Id 123 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 2021-08-20T16:35:31.860780-03:00 PRDFAC-FNT-A radiusd[3903]: (181) MS-MPPE-Recv-Key = 0x4e264c8b981f5ddbfd9ff11526aae8e00897dfabc8a444b90703e959bdf8e576 2021-08-20T16:35:31.860784-03:00 PRDFAC-FNT-A radiusd[3903]: (181) MS-MPPE-Send-Key = 0x1f82d98b8e57f9c27268e1b2fe43e8ef7ecb527604a459c828cb71a98d6a6270 2021-08-20T16:35:31.860789-03:00 PRDFAC-FNT-A radiusd[3903]: (181) EAP-Message = 0x03700004 2021-08-20T16:35:31.860793-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Message-Authenticator = 0x00000000000000000000000000000000 2021-08-20T16:35:31.860799-03:00 PRDFAC-FNT-A radiusd[3903]: (181) User-Name = "ABToledo@teste.com"

xsilver_FTNT

Staff

Hi sorry for later response but log seems to be clear .. auth success within one sec.

If I check State values than:

First Access-Request 121 (at 2021-08-20T16:35:31.806736) generated Access-Challenge 121.

That was responded by Access-Request 122, but generated another Access-Challenge 122.

Which was responded by Access-Request 123.

And that one was responded with Access-Accept Id 123 (at 2021-08-20T16:35:31.860770).

Summary.

AR 2021-08-20T16:35:31.806736

AA 2021-08-20T16:35:31.860770

diff = 0.054034 sec

I do not see any problem.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded