NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 274198


This article describes that In cases where authentication is required to use MSCHAPv2 (usually in Microsoft Windows environments), in order for RADIUS authentication to succeed FortiNAC needs to be domain joined. This requirement comes from this protocol nature that doesn't directly verify the password but the challenge rfc2759


As an example:

Implementing 802.1x with authentication via LDAP credentials in a FortiGate/FortiAP environment using Wireless Enterprise. 

The requirement to use MSCHAPv2 usually comes from Windows supplicant default configuration to authenticate via PEAP.

This method also allows to use of the domain credentials of the current logged-in user, facilitating the login process for end users.

The configurations on the supplicants can also be configured to use EAP-TTLS that can use PAP (unencrypted password, less preferable) and authenticate with plain LDAP without requiring FortiNAC to be domain joined.

The same authentication methods can be used for wired setups with 802.1x, for example, wired users in FortiGate/FortiSwitch.

If to go with MSCHAPv2 is chosen, the domain join of FortiNAC is mandatory.









After enabling the local RADIUS service in FortiNACm it is possible to proceed with Winbind configurations. This is a service that handles the challenge verifications and makes possible validation of the credentials for AD users.


The configurations are done in Network -> RADIUS -> [Winbind] and select Create New


Name (locally significant)

  • Local NetBIOS Name (name of FortiNAC object that will be created in AD).
  • Domain NetBIOS Name.
  • Kerberos Realm Name.Domain Controller Hostname.
  •  AD credentials are used to join FNAC in the domain.



  1.  Select Save Settings.
  2. Select Join Domain.
  3. Select Enable Service.



The status of this service is shown in GUI and can also be checked from CLI:


> net ads testjoin -k
Join is OK
> wbinfo -t
checking the trust secret for domain EB via RPC calls succeeded
> service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon (Persistent)
Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/winbind.service.d
Active: active (running) since Mon 2023-09-18 11:37:58 CEST; 16min ago
> testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
# Global parameters
password server =
realm = EB.EU
security = ADS
workgroup = EB
idmap config * : backend = tdb


Checking authentication for a specific user directly from FortiNAC CLI:


> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded


This service needs to be always running in order for the RADIUS authentication to happen normally.


Related article:

Troubleshooting Tip: Local Winbind configuration fails to start