Article Id 270837
Description This article explains why WSSO SSID users fail to authenticate when the SSID uses a local user group that points at a RADIUS server, even though the same users authenticate successfully when the SSID is configured for RADIUS server authentication directly.
Scope FortiGate v6.x.x and v7.x.x.


In this setup the RADIUS server object on the FortiGate is configured with MS-CHAPv2 as the authentication protocol, and EAP is enabled in the network policy on the NPS server:


[Screenshot: RADIUS server object on the FortiGate with the authentication protocol set to MS-CHAPv2]



[Screenshot: SSID authentication settings using the local user group]


On the FortiGate CLI, enable the authentication daemon (fnbamd) debug and have a user attempt to connect to the SSID:


diag debug app fnbamd -1

diag debug en


[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DC-RADIUS' for usergroup 'WiFi' (4)
[342] fnbamd_create_radius_socket-Opened radius socket 12
[342] fnbamd_create_radius_socket-Opened radius socket 13
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb->
[1323] __fnbamd_rad_send-Sent radius req to server 'DC-RADIUS': fd=12, IP= code=1 id=57 len=145 user="smi_domain\noah_quercia" using PAP
[319] radius_server_auth-Timer of rad 'DC-RADIUS' is added
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[491] ldap_start-Didn't find ldap servers
[633] create_auth_session-Total 1 server(s) to try
[1360] fnbamd_auth_handle_radius_result-Timer of rad 'DC-RADIUS' is deleted
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'DC-RADIUS' is 1
[216] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 439369947, len=3172
[789] destroy_auth_session-delete session 439369947


In the debug above, fnbamd sends the Access-Request (code=1) to 'DC-RADIUS' "using PAP", even though MS-CHAPv2 is configured on the RADIUS server object. The NPS network policy only allows EAP, so it answers with RADIUS code 3 (Access-Reject), fnbamd reports result 1 (authentication failed) and the session is destroyed. This is why users of the local group cannot authenticate.
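To make this check repeatable across captures, the following is an added Python example (not part of the article and not Fortinet code) that parses fnbamd debug output, extracts the protocol actually put on the wire and the RADIUS response code, and flags a mismatch against the protocol configured on the RADIUS server object. The failing sample is built from the article's own debug lines; the "healthy" variant, and the MSCHAPv2 token it uses, are constructed assumptions, since only PAP is visible on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the relevant fnbamd lines from this article, not a live capture.
SAMPLE_DEBUG = r"""[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DC-RADIUS' for usergroup 'WiFi' (4)
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1323] __fnbamd_rad_send-Sent radius req to server 'DC-RADIUS': fd=12, IP= code=1 id=57 len=145 user="smi_domain\noah_quercia" using PAP
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'DC-RADIUS' is 1
"""

# Constructed "healthy" variant for contrast. The token fnbamd prints for
# MS-CHAPv2 is an assumption here; only "using PAP" appears in the article.
HEALTHY_DEBUG = SAMPLE_DEBUG.replace("using PAP", "using MSCHAPv2").replace(
    "RADIUS resp code 3", "RADIUS resp code 2")

# RADIUS packet codes (RFC 2865).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

GROUP_RE = re.compile(r"Loading RADIUS server '(?P<server>[^']+)' for usergroup '(?P<group>[^']+)'")
SENT_RE = re.compile(r"Sent radius req to server '(?P<server>[^']+)':.*?code=(?P<code>\d+) "
                     r'id=(?P<id>\d+).*?user="(?P<user>[^"]*)" using (?P<proto>\S+)')
RESP_RE = re.compile(r"RADIUS resp code (?P<code>\d+)")


@dataclass
class RadiusAttempt:
    server: str = ""
    group: str = ""
    user: str = ""
    request_id: int = -1
    protocol_on_wire: str = ""   # what fnbamd actually used in the Access-Request
    response_code: int = -1      # -1 means no reply was seen (timeout, wrong secret, ...)


def _norm(proto: str) -> str:
    """Normalise spellings such as MS-CHAP-v2 / MSCHAPv2 / ms-chapv2 for comparison."""
    return re.sub(r"[^A-Z0-9]", "", proto.upper())


def parse_fnbamd(text: str) -> RadiusAttempt:
    """Extract the single RADIUS attempt from a 'diag debug app fnbamd -1' capture."""
    a = RadiusAttempt()
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            a.server, a.group = m["server"], m["group"]
        elif m := SENT_RE.search(line):
            a.server = m["server"]
            a.request_id = int(m["id"])
            a.user = m["user"]
            a.protocol_on_wire = m["proto"]
        elif m := RESP_RE.search(line):
            a.response_code = int(m["code"])
    return a


def diagnose(a: RadiusAttempt, configured_protocol: str) -> dict:
    """Compare what went on the wire with what the RADIUS server object is configured for."""
    mismatch = _norm(a.protocol_on_wire) != _norm(configured_protocol)
    rejected = a.response_code == 3
    notes = []
    if mismatch:
        notes.append(f"fnbamd sent {a.protocol_on_wire} although '{a.server}' "
                     f"is configured for {configured_protocol}")
    if rejected:
        notes.append(f"'{a.server}' answered {RADIUS_CODES[3]} for user {a.user!r}")
    if mismatch and rejected:
        notes.append("an EAP-only NPS policy rejects PAP; enable PEAP with EAP-MSCHAPv2 on the client")
    if a.response_code == -1:
        notes.append("no RADIUS reply seen: check reachability and the shared secret before the protocol")
    return {"protocol_mismatch": mismatch, "rejected": rejected,
            "response": RADIUS_CODES.get(a.response_code, "none"), "notes": notes}


if __name__ == "__main__":
    for label, capture in (("failing", SAMPLE_DEBUG), ("healthy", HEALTHY_DEBUG)):
        result = diagnose(parse_fnbamd(capture), "MS-CHAPv2")
        print(label, result["response"], *result["notes"], sep="\n  ")
```

Paste a real capture into parse_fnbamd() and pass the protocol shown on the RADIUS server object; a "no RADIUS reply seen" note points at a reachability or shared-secret problem rather than the protocol mismatch this article is about.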


The FortiGate does not force the authentication protocol for SSID authentication; the protocol is negotiated between the wireless client and the RADIUS server inside EAP. PEAP therefore needs to be enabled on the end devices. If the end user is a Windows PC, select "Microsoft: Protected EAP (PEAP)" as the network authentication method in the wireless network's security properties, with "Secured password (EAP-MSCHAP v2)" as the PEAP authentication method.


Related article:

Configuring WiFi with WSSO using Windows NPS and user groups