FortiAuthenticator
agomes
Staff
Article Id 380839
Description

This article describes how to set up 802.1X authentication with PEAP/EAP-MSCHAPv2 against FortiAuthenticator, with FortiNAC acting as a RADIUS proxy between the access switch and FortiAuthenticator, for both user and machine (computer account) authentication.

Scope

FortiAuthenticator v6.x and earlier; FortiNAC 9.x and earlier

Solution

Topology:

 

[Topology diagram: Windows workstation -> 802.1X access switch -> FortiNAC (RADIUS proxy) -> FortiAuthenticator -> Active Directory]

 

Follow the steps below to complete the configuration.

  1. Join FortiAuthenticator to the Active Directory domain. On the remote LDAP server entry for the domain, enable the option 'Windows Active Directory Domain Authentication'. This step is mandatory for MSCHAPv2: the supplicant never sends a clear-text password, only an MSCHAPv2 challenge/response, so FortiAuthenticator cannot verify it with an LDAP bind and must pass it to a domain controller as a domain member.

[Screenshot: FortiAuthenticator remote LDAP server with Windows Active Directory Domain Authentication enabled]

  2. After joining FortiAuthenticator to the domain, check the result under Monitor -> Authentication -> Windows AD. The domain join must be reported as successful before continuing.

[Screenshot: FortiAuthenticator Monitor -> Authentication -> Windows AD]

  3. On FortiNAC, go to Network -> RADIUS -> Proxy and add FortiAuthenticator as the proxy RADIUS server (IP address, authentication port, and shared secret).

[Screenshot: FortiNAC Network -> RADIUS -> Proxy]

  4. Still on FortiNAC, go to Network -> Inventory, select the switch the workstation connects to, enable RADIUS authentication, and select Proxy as the Mode. Choose the FortiAuthenticator server added in the previous step and enter the shared secret. The secret must match the one configured on the switch and in the FortiAuthenticator RADIUS client entry for FortiNAC (step 5), otherwise authentication fails.

[Screenshot: FortiNAC Network -> Inventory, switch RADIUS settings]

  5. On FortiAuthenticator, configure the RADIUS client, realm, and policy used to authenticate the workstation (user and machine):
    1. Go to Authentication -> RADIUS Service -> Clients.
    2. Add FortiNAC as the client with the correct RADIUS secret. Because FortiNAC proxies the requests, FortiAuthenticator sees FortiNAC's IP address as the NAS IP, so the client entry is FortiNAC, not the switch.

[Screenshot: FortiAuthenticator RADIUS client for FortiNAC]

    3. Go to User Management -> Realms and add a realm to be used in the RADIUS policy. Select the LDAP server configured in step 1 as its user source.

[Screenshot: FortiAuthenticator realm]

    4. Go to Authentication -> RADIUS Service -> Policies and create a new policy.
    5. Under RADIUS clients, add the FortiNAC client configured above.

[Screenshot: FortiAuthenticator RADIUS policy, RADIUS clients]

    6. Under Authentication type, select 'Accept EAP' and enable PEAP.

[Screenshot: FortiAuthenticator RADIUS policy, authentication type]

    7. Under Identity sources, check the option 'Use default realm...'. Enable Windows AD domain authentication and filter by a group. This group needs to contain every account that will be authenticated (user accounts and computer accounts). If necessary, add more than one group.

[Screenshot: FortiAuthenticator RADIUS policy, identity sources]

    8. Under Authentication factors, in the Device authorization section, enable the option 'Windows AD computer authentication'.

[Screenshot: FortiAuthenticator RADIUS policy, authentication factors]

  6. After all these configurations, the switch must be configured to enable 802.1X authentication on its interfaces. This article does not cover that configuration.
  7. Enable the 802.1X supplicant on the Windows workstation by starting the service called 'Wired AutoConfig' (dot3svc) and setting its startup type to Automatic so that it survives a reboot.
  8. Go to the network interfaces in Windows, right-click the wired interface, and open Properties.
  9. Go to the Authentication tab and enable the option 'Enable IEEE 802.1X authentication'.
  10. Choose the 'Microsoft: Protected EAP (PEAP)' method.
  11. Select the Additional Settings button and set the option 'Specify authentication mode' to 'User or computer authentication'.
  12. Return to the Authentication tab and select the Settings button.
  13. Check the option 'Enable Fast Reconnect' and select 'Secured password (EAP-MSCHAP v2)' as the authentication method. In this lab every other option is unchecked, including 'Verify the server's identity by validating its certificate'. In production, keep server validation enabled, restrict it to the CA that issued the FortiAuthenticator EAP server certificate and fill in the expected server name: without it the supplicant completes MSCHAPv2 with any RADIUS server that presents a certificate, and a rogue switch or access point can capture the user's or computer account's MSCHAPv2 challenge/response, which can be cracked offline.
  14. Select the Configure button and check the option to automatically use the Windows logon name and password (and domain, if any).
  15. Select the OK button to save these settings. If everything is configured correctly, the user and the computer are authenticated using 802.1X.

 

To check the logs, open the FortiAuthenticator debug page at https://<FortiAuthenticator_IP>/debug, go to RADIUS -> Authentication and select the 'Enter debug mode' button.

Each request is tagged with a number in parentheses. The lines to verify are: the NAS IP matches the FortiNAC client entry (a switch IP here means the switch is sending to FortiAuthenticator directly, bypassing the proxy), the expected policy is selected, 'Realm not specified, default goes to Windows AD' confirms the default-realm fallback, and the username is either the domain user (LAB\agomes) or the computer account (host/WKS-SITE-A.lab.local).

Successful user authentication log:

  

2025-03-06T17:22:14.516022-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: ===>NAS IP:172.16.1.121
2025-03-06T17:22:14.516071-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Comparing client IP 172.16.1.121 with authclient FSW-SITE-A (192.168.5.3, 1 IPs)
2025-03-06T17:22:14.516153-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Comparing client IP 172.16.1.121 with authclient SW-ACCESS-SITE-A (192.168.5.2, 1 IPs)
2025-03-06T17:22:14.516199-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Comparing client IP 172.16.1.121 with authclient FortiNAC (172.16.1.121, 1 IPs)
2025-03-06T17:22:14.516261-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: ------> matched!
2025-03-06T17:22:14.516325-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Found authclient from preloaded authclients list for 172.16.1.121: FortiNAC (172.16.1.121)
2025-03-06T17:22:14.516368-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: authclient_id:2 auth_type:'password'
2025-03-06T17:22:14.518474-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Found authpolicy 'POL-AUTH-802.1X-MSCHAP' for client '172.16.1.121'
2025-03-06T17:22:14.518538-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Client type: external (subtype: radius)
2025-03-06T17:22:14.518580-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Input raw_username: (null) Realm: (null) username: LAB\agomes
2025-03-06T17:22:14.518709-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Searching default realm as well
2025-03-06T17:22:14.518759-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Realm not specified, default goes to Windows AD, id: 1
2025-03-06T17:22:14.519010-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Loaded remote ldap (regular bind) 172.16.1.253:389
2025-03-06T17:22:14.519064-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Strip off domain/realm prefix 'LAB' in username 'LAB\agomes'
2025-03-06T17:22:14.519972-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: skip ldap user search
2025-03-06T17:22:14.520017-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2025-03-06T17:22:14.520060-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2025-03-06T17:22:14.520102-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2025-03-06T17:22:14.528501-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: machine auth override: authpolicy_id 4 auth_result 0
2025-03-06T17:22:14.529850-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: EAP authentication success - add configured radius attributes to response
2025-03-06T17:22:14.532748-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Updated auth log 'LAB\agomes': 802.1x authentication successful

 

Successful machine authentication log:

 

2025-03-06T17:30:31.057221-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: ===>NAS IP:172.16.1.121 
2025-03-06T17:30:31.057232-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Comparing client IP 172.16.1.121 with authclient FSW-SITE-A (192.168.5.3, 1 IPs) 
2025-03-06T17:30:31.057236-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Comparing client IP 172.16.1.121 with authclient SW-ACCESS-SITE-A (192.168.5.2, 1 IPs) 
2025-03-06T17:30:31.057240-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Comparing client IP 172.16.1.121 with authclient FortiNAC (172.16.1.121, 1 IPs) 
2025-03-06T17:30:31.057244-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: ------> matched! 
2025-03-06T17:30:31.057248-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Found authclient from preloaded authclients list for 172.16.1.121: FortiNAC (172.16.1.121) 
2025-03-06T17:30:31.057252-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: authclient_id:2 auth_type:'password' 
2025-03-06T17:30:31.058077-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Found authpolicy 'POL-AUTH-802.1X-MSCHAP' for client '172.16.1.121' 
2025-03-06T17:30:31.058103-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Client type: external (subtype: radius) 
2025-03-06T17:30:31.058108-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Input raw_username: (null) Realm: (null) username: host/WKS-SITE-A.lab.local 
2025-03-06T17:30:31.058112-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Searching default realm as well
2025-03-06T17:30:31.058117-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Realm not specified, default goes to Windows AD, id: 1 
2025-03-06T17:30:31.058124-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Loaded remote ldap (regular bind) 172.16.1.253:389 
2025-03-06T17:30:31.058131-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Device authentication requested. 
2025-03-06T17:30:31.058551-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: get_rldap_user_attr: Skip ldap search for Windows AD machine account 
2025-03-06T17:30:31.058558-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0] 
2025-03-06T17:30:31.058564-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject] 
2025-03-06T17:30:31.058569-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: undefined] 
2025-03-06T17:30:31.114015-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: machine auth override: authpolicy_id 4 auth_result 1 
2025-03-06T17:30:31.114498-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: EAP authentication success - add configured radius attributes to response 
2025-03-06T17:30:31.114544-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Updated auth log 'host/WKS-SITE-A.lab.local': 802.1x authentication successful
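The two captures above are what a good user and machine authentication look like, but on a busy server the facauth lines of many requests are interleaved. The following Python script is an added example, not code from this article or from Fortinet: it groups facauth debug lines by request number and extracts the fields worth checking (NAS IP, matched RADIUS client, policy, identity, default-realm fallback, device authentication and the success line), then flags a request whose client or policy differs from the expected ones. The sample input is constructed from the article's own output for requests (16) and (28) plus a made-up request (31) in which a switch sends straight to FortiAuthenticator and never completes, to show what a misrouted request looks like. The expected client and policy names are those from this article; treating the absence of the '802.1x authentication successful' line as a failure is this example's assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shape of each line: "<ts> <host> radiusd[<pid>]: (<req>) facauth: <message>"
LINE_RE = re.compile(r"radiusd\[\d+\]: \((\d+)\) facauth: (.*)$")


@dataclass
class RadiusRequest:
    req_id: int
    nas_ip: Optional[str] = None     # NAS IP seen by FortiAuthenticator (FortiNAC in proxy mode)
    client: Optional[str] = None     # RADIUS client entry that matched the NAS IP
    policy: Optional[str] = None     # RADIUS policy selected for that client
    username: Optional[str] = None   # identity presented inside PEAP
    realm_default: bool = False      # request fell back to the default realm
    device_auth: bool = False        # FortiAuthenticator treated it as machine authentication
    success: bool = False            # "802.1x authentication successful" was logged
    messages: List[str] = field(default_factory=list)

    @property
    def identity_type(self) -> str:
        # Windows computer accounts authenticate as host/<fqdn>; anything else is a user.
        return "machine" if self.username and self.username.lower().startswith("host/") else "user"


def parse_facauth(lines) -> Dict[int, RadiusRequest]:
    """Group facauth debug lines by request number and extract the decision points."""
    reqs: Dict[int, RadiusRequest] = {}
    for raw in lines:
        m = LINE_RE.search(raw.rstrip())
        if not m:
            continue  # not a facauth line
        rid, msg = int(m.group(1)), m.group(2).strip()
        r = reqs.setdefault(rid, RadiusRequest(rid))
        r.messages.append(msg)
        if msg.startswith("===>NAS IP:"):
            r.nas_ip = msg.split(":", 1)[1].strip()
        elif msg.startswith("Found authclient"):
            # "... for 172.16.1.121: FortiNAC (172.16.1.121)" -> "FortiNAC"
            r.client = msg.split(": ", 1)[1].split(" (")[0]
        elif msg.startswith("Found authpolicy"):
            r.policy = msg.split("'")[1]
        elif msg.startswith("Input raw_username"):
            r.username = msg.rsplit("username: ", 1)[1].strip()  # rsplit: line also has "raw_username: "
        elif msg.startswith("Realm not specified, default goes to"):
            r.realm_default = True
        elif msg.startswith("Device authentication requested"):
            r.device_auth = True
        elif "802.1x authentication successful" in msg:
            r.success = True
    return reqs


def check_request(r: RadiusRequest, expected_client: str, expected_policy: str) -> List[str]:
    """Findings a troubleshooter would flag for one request (empty list = looks good)."""
    findings = []
    if r.client != expected_client:  # in proxy mode the NAS must be FortiNAC, not a switch
        findings.append(f"req {r.req_id}: matched client {r.client!r}, expected {expected_client!r}")
    if r.policy != expected_policy:
        findings.append(f"req {r.req_id}: policy {r.policy!r}, expected {expected_policy!r}")
    if r.identity_type == "machine" and not r.device_auth:
        findings.append(f"req {r.req_id}: host/ identity without device authentication")
    if not r.success:  # assumption: no success line means the request did not complete
        findings.append(f"req {r.req_id}: no '802.1x authentication successful' line")
    return findings


def summarize(lines, expected_client="FortiNAC", expected_policy="POL-AUTH-802.1X-MSCHAP"):
    reqs = parse_facauth(lines)
    return {rid: {"nas_ip": r.nas_ip, "identity": r.username, "type": r.identity_type,
                  "success": r.success, "findings": check_request(r, expected_client, expected_policy)}
            for rid, r in sorted(reqs.items())}


# Constructed sample: a subset of the article's (16) and (28) lines plus a made-up,
# never-completed request (31) arriving directly from the access switch.
SAMPLE_LOG = [
    r"2025-03-06T17:22:14.516022-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: ===>NAS IP:172.16.1.121",
    r"2025-03-06T17:22:14.516325-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Found authclient from preloaded authclients list for 172.16.1.121: FortiNAC (172.16.1.121)",
    r"2025-03-06T17:22:14.518474-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Found authpolicy 'POL-AUTH-802.1X-MSCHAP' for client '172.16.1.121'",
    r"2025-03-06T17:22:14.518580-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Input raw_username: (null) Realm: (null) username: LAB\agomes",
    r"2025-03-06T17:22:14.518759-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Realm not specified, default goes to Windows AD, id: 1",
    r"2025-03-06T17:22:14.532748-03:00 FortiAuthenticator radiusd[7548]: (16) facauth: Updated auth log 'LAB\agomes': 802.1x authentication successful",
    r"2025-03-06T17:30:31.057221-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: ===>NAS IP:172.16.1.121 ",
    r"2025-03-06T17:30:31.057248-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Found authclient from preloaded authclients list for 172.16.1.121: FortiNAC (172.16.1.121) ",
    r"2025-03-06T17:30:31.058077-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Found authpolicy 'POL-AUTH-802.1X-MSCHAP' for client '172.16.1.121' ",
    r"2025-03-06T17:30:31.058108-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Input raw_username: (null) Realm: (null) username: host/WKS-SITE-A.lab.local ",
    r"2025-03-06T17:30:31.058131-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Device authentication requested. ",
    r"2025-03-06T17:30:31.114544-03:00 FortiAuthenticator radiusd[7548]: (28) facauth: Updated auth log 'host/WKS-SITE-A.lab.local': 802.1x authentication successful",
    r"2025-03-06T17:41:02.000000-03:00 FortiAuthenticator radiusd[7548]: (31) facauth: ===>NAS IP:192.168.5.2",
    r"2025-03-06T17:41:02.000100-03:00 FortiAuthenticator radiusd[7548]: (31) facauth: Found authclient from preloaded authclients list for 192.168.5.2: SW-ACCESS-SITE-A (192.168.5.2)",
    r"2025-03-06T17:41:02.000200-03:00 FortiAuthenticator radiusd[7548]: (31) facauth: Input raw_username: (null) Realm: (null) username: LAB\agomes",
]

if __name__ == "__main__":
    for rid, s in summarize(SAMPLE_LOG).items():
        print(f"({rid}) {s['type']:<7} {s['identity']:<28} {'OK' if not s['findings'] else 'CHECK'}")
        for f in s["findings"]:
            print("    " + f)
```

Run it against a pasted copy of the debug page output (one line per list entry, or `parse_facauth(open("debug.txt"))`); request (31) is reported with three findings (wrong client, no policy, no success line), which is the signature of a switch that was pointed at FortiAuthenticator instead of at FortiNAC.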