gvenkatesan
Staff
Article Id 366542
Description This article details the 802.1X (EAPOL/RADIUS) packet flow for an SSID in both Bridge mode and Tunnel mode.
Scope FortiAP, FortiGate.
Solution

The image below (802.1x process.png) represents the overall process. In the description that follows:

  • The client device will be known as the Supplicant.
  • The RADIUS server will be known as the Authentication Server.
  • The FortiGate, which builds the RADIUS packets and therefore holds the RADIUS shared secret, is the Authenticator (RADIUS client); the FortiAP only relays EAPOL frames between the client and the FortiGate.

802.1x process.png

 

Process Overview:

  • The client device establishes the wireless link by exchanging Association-Request and Association-Response frames with the FortiAP.
  • The client device sends an EAPOL-Start message, to which the FortiAP responds with an EAP Identity Request.
  • The client device sends its identity to the FortiAP in an EAP Identity Response.
  • The FortiAP forwards this EAPOL frame to the FortiGate through the CAPWAP data tunnel.
  • On receiving it, the FortiGate builds a RADIUS Access-Request that encapsulates the EAP Identity Response (in EAP-Message attributes) and forwards/routes it to the Authentication Server.
  • The Authentication Server responds with an EAP-Request/PEAP-Start message inside a RADIUS Access-Challenge sent to the FortiGate.
  • The FortiGate extracts the EAP payload, wraps it in EAPOL and sends it to the FortiAP through the CAPWAP data tunnel.
  • The FortiAP transmits it to the client device over the wireless interface.
  • The client then exchanges a series of messages (for PEAP, the TLS tunnel set-up followed by the inner authentication) to prove its identity to the Authentication Server, each one relayed along the same path.
  • Finally, the Authentication Server sends a RADIUS Access-Accept or Access-Reject to the FortiGate, which relays the matching EAP-Success or EAP-Failure to the client. Only after an Access-Accept does the EAPOL-Key (4-way) handshake run and client data traffic begin to flow.

 

Key Takeaway:

  • Regardless of the SSID mode (Tunnel or Bridge), this process is the same up to the completion of authentication.
  • EAPOL messages sent by the client device are forwarded to the FortiGate via the CAPWAP data tunnel on UDP port 5247 (the CAPWAP control channel uses UDP port 5246).
  • The FortiGate encapsulates these messages in RADIUS and sends the RADIUS packets to the Authentication Server; the FortiGate, not the FortiAP, is the RADIUS client.
  • Responses from the Authentication Server are received by the FortiGate, which extracts the EAP payload and forwards it to the FortiAP via the CAPWAP data tunnel.
  • The FortiAP transmits these packets to the client device over the wireless interface as EAPOL.
  • Post authentication, the data traffic is handled as explained in this community link: Technical Tip: SSID Local bridge vs Tunnel mode
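The following Python script is an added example, not code from this article or from Fortinet, that walks one round-trip of the relay described in the process overview and the key takeaways: the supplicant's EAPOL frame (EAP-Response/Identity) is unwrapped the way the Authenticator does it, re-wrapped into a RADIUS Access-Request with EAP-Message attributes and a Message-Authenticator (RFC 3579), and the server's Access-Challenge carrying EAP-Request/PEAP-Start is checked, unwrapped back into an EAP packet and re-wrapped in EAPOL for the AP to send to the client. The identity, shared secret, NAS IP address and Request Authenticator are constructed test fixtures; the CAPWAP encapsulation between FortiAP and FortiGate is not modelled, since the AP forwards the EAPOL frame unchanged, and the packet formats are the RFC ones rather than anything FortiGate-specific.

```python
"""Added example: EAPOL <-> RADIUS relay for one EAP round-trip.
Identity, shared secret, NAS IP and authenticators are constructed
fixtures, not values from any real deployment."""
import hashlib
import hmac
import os
import struct

EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 1, 0
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 4, 79, 80


def build_eap(code, ident, eap_type, data):
    """EAP packet: code, identifier, length (header included), type, type-data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def build_eapol(eap):
    """802.1X header: protocol version, packet type 0 (EAP-Packet), body length."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame):
    """Strip the EAPOL header and return the EAP packet it carries."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet (type %d)" % ptype)
    return frame[4:4 + length]


def parse_eap(eap):
    code, ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    return {"code": code, "id": ident, "type": eap_type, "data": eap[5:length]}


def _attrs(pairs):
    """RADIUS attributes are TLVs: 1-byte type, 1-byte length (header included)."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def build_access_request(eap, identity, nas_ip, secret, request_auth):
    """Authenticator side (RFC 3579): EAP split into EAP-Message attributes of at most
    253 bytes, then Message-Authenticator = HMAC-MD5(secret, packet with it zeroed)."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = _attrs([(ATTR_USER_NAME, identity),
                    (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))]
                   + [(ATTR_EAP_MESSAGE, c) for c in chunks]
                   + [(ATTR_MESSAGE_AUTH, bytes(16))])
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 1, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def radius_attributes(packet):
    """Yield (offset, type, value) for each attribute of a RADIUS packet."""
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        t, length = packet[pos], packet[pos + 1]
        yield pos, t, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC over the packet with the Message-Authenticator zeroed."""
    for pos, t, value in radius_attributes(packet):
        if t == ATTR_MESSAGE_AUTH and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator: reject, RFC 3579 requires it with EAP


def build_access_challenge(eap, ident, request_auth, secret):
    """Server side (RFC 2865): Response Authenticator = MD5(Code+ID+Length+RequestAuth+
    Attributes+Secret). A real server also adds Message-Authenticator; omitted here."""
    attrs = _attrs([(ATTR_EAP_MESSAGE, eap)])
    header = struct.pack("!BBH", RADIUS_ACCESS_CHALLENGE, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response_authenticator(packet, request_auth, secret):
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extract_eap(packet):
    """Reassemble the EAP packet by concatenating EAP-Message attributes in order."""
    return b"".join(v for _, t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)


def run_round_trip(identity=b"alice@example.com", secret=b"testing123",
                   nas_ip="10.0.0.1", request_auth=None):
    """Steps 4 to 9 of the process overview; returns the parsed EAP-Request the
    client receives in EAPOL."""
    request_auth = request_auth or os.urandom(16)  # fresh per Access-Request
    eapol_from_client = build_eapol(build_eap(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))
    access_request = build_access_request(parse_eapol(eapol_from_client), identity,
                                          nas_ip, secret, request_auth)
    if not verify_message_authenticator(access_request, secret):
        raise RuntimeError("Access-Request failed Message-Authenticator check")
    # Server answers with EAP-Request/PEAP; flags byte 0x20 sets the Start (S) bit.
    challenge = build_access_challenge(build_eap(EAP_CODE_REQUEST, 2, EAP_TYPE_PEAP, b"\x20"),
                                       1, request_auth, secret)
    if not verify_response_authenticator(challenge, request_auth, secret):
        raise RuntimeError("Access-Challenge failed Response Authenticator check")
    eapol_to_client = build_eapol(extract_eap(challenge))
    return parse_eap(parse_eapol(eapol_to_client))
```

Running run_round_trip() returns the EAP-Request/PEAP-Start (code 1, type 25, data 0x20) exactly as the client would see it after the FortiGate's extraction and the FortiAP's relay. The Message-Authenticator check is the part worth noting operationally: it is keyed with the RADIUS shared secret, which is why that secret lives on the FortiGate and not on the FortiAP, and why a tampered or wrongly keyed Access-Request is rejected rather than forwarded.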

 

Sample packet captures for both modes of operation are attached to this article. They were taken on the CAPWAP data tunnel between the FortiAP and the FortiGate while test client devices connected to the SSID profiles. To follow the packet flow in Wireshark, apply the display filter 'eapol'; to see the surrounding CAPWAP data traffic as well, use 'udp.port == 5247'. Note that the EAPOL frames are only visible inside the tunnel when the CAPWAP data channel is in clear text; if DTLS is enabled for the data channel, the tunnelled frames are encrypted and the 'eapol' filter will match nothing.