Description
This article describes that in cases where authentication is required to use MSCHAPv2 (usually in Microsoft Windows environments), in order for RADIUS authentication to succeed, FortiNAC needs to be domain-joined. This requirement comes from this protocol nature which does not directly verify the password but the challenge RFC 2759.
As an example:
Implementing 802.1x with authentication via LDAP credentials in a FortiGate/FortiAP environment using Wireless Enterprise.
The requirement to use MSCHAPv2 usually comes from the Windows supplicant default configuration to authenticate via PEAP.
This method also allows to use of the domain credentials of the current logged-in user, facilitating the login process for end users.
The configurations on the supplicants can also be configured to use EAP-TTLS, which can use PAP (unencrypted password, less preferable) and authenticate with plain LDAP without requiring FortiNAC to be domain joined.
The same authentication methods can be used for wired setups with 802.1x, for example, wired users in FortiGate/FortiSwitch.
If to go with MSCHAPv2 is chosen, the domain join of FortiNAC is mandatory.
Scope
FortiNAC.
Solution
After enabling the local RADIUS service in FortiNAC, it is possible to proceed with Winbind configurations. This is a service that handles the challenge verifications and makes it possible to validate the credentials for AD users.
The configurations are done in Network -> RADIUS -> [Winbind] and select Create New.
Name (locally significant):
- Local NetBIOS Name (name of FortiNAC object that will be created in AD).
- Domain NetBIOS Name. (Note: The Domain NetBIOS Name must be in upper Case 'EB').
- Kerberos Realm Name.Domain Controller Hostname.
- AD credentials are used to join FNAC in the domain.
- Select Save Settings.
- Select Join Domain.
- Select Enable Service.
The status of this service is shown in the GUI and can also be checked from the CLI:
net ads testjoin -k
Join is OK
---
> wbinfo -t
checking the trust secret for domain EB via RPC calls succeeded
---
> service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon (Persistent)
Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/winbind.service.d
└─winbind.service.conf
Active: active (running) since Mon 2023-09-18 11:37:58 CEST; 16min ago
---
testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
...
# Global parameters
[global]
password server = dc01.eb.eu
realm = EB.EU
security = ADS
workgroup = EB
idmap config * : backend = tdb
Checking authentication for a specific user directly from FortiNAC CLI:
wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded
This service needs to always be running in order for the RADIUS authentication to happen normally.
Related articles:
Technical Tip: Create an additional Winbind instance for a second domain
Troubleshooting Tip: Local Winbind configuration fails to start
