FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Article Id 299922


This article describes how, for authentications that include MSCHAPv2, the Winbind tool must be configured and FortiNAC must be joined to the domain for the authentications to succeed.




FortiNAC, Windows Server AD.




In later versions of FortiNAC, a new feature has been added that allows it to join the domain using a Kerberos Keytab file for authentication, instead of requiring the admin account password during the Winbind configuration.


The Keytab can be generated by the admin account itself in a PowerShell console on the Windows AD server using the following command:


> ktpass -out <file name> -princ <account> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapuser <account> -pass <password>


For example:


PS C:\Users\Administrator> ktpass -out gimiw.keytab -princ gimi@EB.EU -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapuser gimi@EB.EU -pass gimispass

Targeting domain controller:
Failed to set property 'servicePrincipalName' to 'gimi' on Dn 'CN=gimi,OU=Usr,DC=eb,DC=eu': 0x13.
WARNING: Unable to set SPN mapping data.
If gimi already has an SPN mapping installed for gimi, this is no cause for concern.
Password successfully set!
Key created.
Output keytab to gimiw.keytab:
Keytab version: 0x502
keysize 60 gimi@EB.EU ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x12 (AES256-SHA1) keylength 32 (0x9c68116c0df52b5a8a8dde0dd0f6366a39fbc9f0c7f092af5c198a756f951d32)



The realm/domain in the principal parameter of the command (e.g. @EB.EU) needs to be in capital letters. More information is available on the Microsoft page for ktpass.


A small file is generated in the directory where the command is executed. This file will be used later in the FortiNAC GUI, in the Winbind configuration.


In the FortiNAC RADIUS configuration page, create a new Winbind instance:



Insert configuration details and import the Keytab file:




Enable Service and check the status:




This Keytab is part of the Samba configuration in the system:


fnacf:~$ ll /etc/samba/
total 9
1 -rw-r--r-- 1 root root 20 Mar 9 2018 lmhosts
4 -rw-rw-r-- 1 root nac 128 Feb 18 12:25 smb.conf
4 -rw-rw-r-- 1 root nac 66 Feb 18 12:25 krb5.keytab


Some details of this file can be shown using the following command:


fnacf:~$ klist -kte /etc/samba/krb5.keytab
Keytab name: FILE:/etc/samba/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
7 01/01/70 01:00:00 gimi@EB.EU (aes256-cts-hmac-sha1-96)
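As an added example (not from this article or from Fortinet), the following Python reads and writes the MIT keytab layout that the ktpass and klist output above shows (version 0x502, ptype 1, etype 0x12), and applies the article's two prerequisites, an upper-case realm and an AES256-SHA1 key, as a check before the file is imported into FortiNAC. The sample keytab is constructed with a dummy 32-byte key, not the key from the ktpass run above; the function names are my own.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def build_keytab(principal, key, kvno, enctype=18):
    """Serialise one 0x502 entry in the layout ktpass produced above (ptype 1, timestamp 0)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry (principal, kvno, enctype, keylen), like klist -kte."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:               # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        strings = []               # realm comes first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, hex(enctype)), "keylen": klen})
        pos = end
    return entries

def check_entry(entry):
    """Pre-import checks from the article: upper-case realm and an AES256-SHA1 key."""
    realm = entry["principal"].rsplit("@", 1)[1]
    checks = {"realm is not upper-case": realm == realm.upper(),
              "key is not AES256-SHA1": entry["enctype"] == "aes256-cts-hmac-sha1-96"}
    return [msg for msg, ok in checks.items() if not ok]

# Constructed sample: the article's principal and kvno with a dummy 32-byte key (not a real key).
SAMPLE_KEYTAB = build_keytab("gimi@EB.EU", bytes(range(32)), kvno=7)
```

Run `parse_keytab(open("/etc/samba/krb5.keytab", "rb").read())` on the appliance to get the same principal, KVNO and enctype that klist prints; the constructed sample is 66 bytes, the size the directory listing above shows.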


RADIUS logs from an MSCHAPv2 authentication (shown in the Service Log after setting the Service Log level to Low):


(1) Received Access-Request Id 3 from to length 174
(1)   NAS-Identifier = "FW"
(1)   User-Name = ""
(1)   MS-CHAP2-Response = 0xb8003797cd4108f8ce086b2aca2af3b600770000000000000000543684008df7d29d2c84d873a4d230581a74614383c98c00
(1)   MS-CHAP-Challenge = 0xd507d0b4676b3139b33ed93eb6d4637b
(1)   Framed-IP-Address =
(1)   NAS-IP-Address =
(1)   NAS-Port-Type = Virtual
(1)   Called-Station-Id = ""
(1)   Acct-Session-Id = "58ee4b8c"
(1)   Connect-Info = "test"
(1)   Fortinet-Vdom-Name = "root"
(1) # Executing section authorize from file /etc/raddb/radiusd.conf
(1) # Executing group from file /etc/raddb/radiusd.conf
(1)     ERROR: No NT-Domain was found in the User-Name
(1) # Executing section post-auth from file /etc/raddb/radiusd.conf
(1)       &REST-HTTP-Header += X-NAS-IPv4:
(1)       &REST-HTTP-Header += X-NAS-IPv6:
(1) Login OK: [] (from client port 0)
(1) Sent Access-Accept Id 3 from to length 0
(1)   MS-CHAP2-Success = 0xb8533d36324339424545334533334443324136323639354533443536423231443641444430363835414632
(1)   MS-MPPE-Recv-Key = 0x3c4b4937c3abac70f77f611c2c8a2ab9
(1)   MS-MPPE-Send-Key = 0x424995958846a5d951ba9803b45f3cdb
(1)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(1)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed


Related document:

Administration Guide Winbind section