This article describes why, in cases where authentication must use MSCHAPv2 (usually in Microsoft Windows environments), FortiNAC needs to be domain joined for RADIUS authentication to succeed. The requirement comes from the nature of the protocol: the RADIUS server does not verify the password directly, but a challenge/response derived from it (RFC 2759).
As an example:
Implementing 802.1X with authentication via LDAP credentials in a FortiGate/FortiAP environment using Wireless Enterprise.
The requirement to use MSCHAPv2 usually comes from the default Windows supplicant configuration, which authenticates via PEAP.
This method also allows the domain credentials of the currently logged-in user to be reused, simplifying the login process for end users.
The supplicants can instead be configured to use EAP-TTLS with PAP as the inner method (unencrypted password, less preferable), which authenticates against plain LDAP and does not require FortiNAC to be domain joined.
The same authentication methods can be used for wired 802.1X setups, for example wired users on FortiGate/FortiSwitch.
If MSCHAPv2 is chosen, domain joining FortiNAC is mandatory.
FortiNAC.
After enabling the local RADIUS service in FortiNAC, proceed with the Winbind configuration. Winbind is the service that handles the challenge verification and makes it possible to validate the credentials of AD users.
The configuration is done under Network -> RADIUS -> [Winbind]; select Create New.
Name: locally significant.
The status of this service is shown in the GUI and can also be checked from the CLI:
> net ads testjoin -k
Join is OK
---
> wbinfo -t
checking the trust secret for domain EB via RPC calls succeeded
---
> service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon (Persistent)
Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/winbind.service.d
└─winbind.service.conf
Active: active (running) since Mon 2023-09-18 11:37:58 CEST; 16min ago
---
> testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
...
# Global parameters
[global]
password server = dc01.eb.eu
realm = EB.EU
security = ADS
workgroup = EB
idmap config * : backend = tdb
Checking authentication for a specific user directly from FortiNAC CLI:
> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded
This service must always be running for RADIUS authentication to work normally.
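As an added example (not FortiNAC's own code), the following Python script turns the CLI checks shown above into a health check. Each parser takes the text one of those commands prints and returns a verdict, so the logic can be exercised offline against constructed output such as the lines above; run_checks() assumes it is executed on the appliance itself with net, wbinfo, systemctl and testparm available in the PATH.

```python
"""Added example, not FortiNAC's own code: a health check for the Winbind
domain join that PEAP/MSCHAPv2 RADIUS authentication depends on.

Each parser takes the text one of the CLI commands from the article prints
and returns a verdict, so the logic runs offline against constructed output.
run_checks() wires the parsers to the real commands when run on the appliance.
"""
import re
import subprocess
from dataclasses import dataclass


@dataclass
class CheckResult:
    name: str
    ok: bool
    detail: str


def parse_testjoin(output: str) -> CheckResult:
    # `net ads testjoin -k` prints "Join is OK" when the machine account is valid.
    ok = "Join is OK" in output
    return CheckResult("net ads testjoin", ok, output.strip())


def parse_wbinfo_trust(output: str) -> CheckResult:
    # `wbinfo -t` reports whether the trust secret for the domain could be verified.
    m = re.search(r"checking the trust secret for domain (\S+) via RPC calls (\w+)", output)
    if not m:
        return CheckResult("wbinfo -t", False, "unrecognised output: " + output.strip())
    domain, verdict = m.groups()
    return CheckResult("wbinfo -t", verdict == "succeeded", f"domain {domain}: {verdict}")


def parse_winbind_status(output: str) -> CheckResult:
    # systemd status output: the "Active:" line must read "active (running)".
    m = re.search(r"^\s*Active:\s*(\S+)\s*\(([^)]+)\)", output, re.MULTILINE)
    if not m:
        return CheckResult("winbind service", False, "no Active: line in output")
    state, sub = m.groups()
    return CheckResult("winbind service", state == "active" and sub == "running", f"{state} ({sub})")


def parse_testparm_global(output: str) -> dict:
    # Collect "key = value" lines from the [global] section of testparm output.
    params, in_global = {}, False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_global = line == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def check_testparm(output: str) -> CheckResult:
    # An AD member needs security = ADS plus realm, workgroup and password server set.
    g = parse_testparm_global(output)
    missing = [k for k in ("realm", "workgroup", "password server") if k not in g]
    ok = g.get("security", "").upper() == "ADS" and not missing
    detail = f"security={g.get('security', '?')} realm={g.get('realm', '?')}"
    if missing:
        detail += " missing: " + ", ".join(missing)
    return CheckResult("testparm", ok, detail)


def run_checks() -> list:
    # Runs the commands from the article on the appliance and parses their output.
    # Assumes net, wbinfo, systemctl and testparm are in PATH (testparm -s skips its prompt).
    def run(cmd):
        p = subprocess.run(cmd, capture_output=True, text=True)
        return p.stdout + p.stderr

    return [
        parse_testjoin(run(["net", "ads", "testjoin", "-k"])),
        parse_wbinfo_trust(run(["wbinfo", "-t"])),
        parse_winbind_status(run(["systemctl", "status", "winbind.service"])),
        check_testparm(run(["testparm", "-s"])),
    ]


def all_ok(results) -> bool:
    # Overall verdict: every individual check must have passed.
    return all(r.ok for r in results)


if __name__ == "__main__":
    for r in run_checks():
        print(("OK  " if r.ok else "FAIL"), r.name, "-", r.detail)
```

Run it from cron or a monitoring agent and alert on any FAIL line: a broken join or a stopped winbind service shows up here before users start reporting failed PEAP logins.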
Related article:
Troubleshooting Tip: Local Winbind configuration fails to start
Copyright 2024 Fortinet, Inc. All Rights Reserved.