samlavender
New Contributor

802.1x auth problem between HP Aruba 2530 and FortiAuthenticator

Hello everybody. I have encountered a problem with authentication between an HP Aruba 2530-48G switch and FAC. The scheme is: we have Active Directory integrated in FAC, and one of the AD threads has been imported to the FAC. The switch has been configured with these commands:

Switch HP Aruba 2530-48G RADIUS configuration:

radius-server host 10.1.245.66 key <radius key>
aaa authentication port-access eap-radius
aaa port-access authenticator 10
aaa port-access authenticator 10 client-limit 1
aaa port-access authenticator active

On the FAC side, the following has been configured:

1) Added a Client (switch IP address) + shared secret for the RADIUS connection.

2) Created a User Group of Remote LDAP type and assigned some RADIUS attributes under it: Tunnel-Type - VLAN, Tunnel-Medium-Type - IEEE-802 and Tunnel-Private-Group-ID - <vlan number's here>

3) Created a Policy (RADIUS Clients -> added the previously created client (switch IP), RADIUS Attribute criteria -> tumbler is off, Authentication type -> Password/OTP, the Accept EAP and Accept PEAP tumblers are turned on, Identity Source -> the AD realm is used, Authentication factors -> Every configured password/OTP).

After that, I configured the Windows 10 PC's Ethernet network to use 802.1x authentication, and when I provide an Active Directory user's credentials, the authentication fails and the FAC logs show me the info from the screenshot. Any ideas?
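The three attributes listed in step 2 are what a switch reads from the RADIUS Access-Accept to assign the port's VLAN. As an added example (not part of the original post, and not Fortinet or Aruba code), the Python below parses a captured Access-Accept and checks that triple; the function names and the sample packet with VLAN "20" are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2868; expected values for 802.1X VLAN assignment (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EXPECTED = {TUNNEL_TYPE: ("Tunnel-Type", 13),               # 13 = VLAN
            TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}  # 6 = IEEE-802

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has bad length {a_len}")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def vlan_assignment(packet: bytes) -> tuple:
    """Return (vlan, problems) for the VLAN triple in an Access-Accept (code 2).

    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer."""
    problems = [] if packet[:1] == b"\x02" else ["not an Access-Accept"]
    attrs = parse_attributes(packet)
    for a_type, (name, want) in EXPECTED.items():
        value = attrs.get(a_type)
        if value is None:
            problems.append(f"{name} missing")
        elif len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            problems.append(f"{name} is not {want}")
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if raw and 0x01 <= raw[0] <= 0x1F:  # optional leading tag byte (RFC 2868)
        raw = raw[1:]
    if not raw:
        problems.append("Tunnel-Private-Group-ID missing")
    return (raw.decode("ascii", "replace") or None), problems

def build_packet(code: int, attrs: list) -> bytes:
    """Constructed sample input: header with a zeroed authenticator plus attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed reply carrying the three attributes from step 2, with VLAN "20".
SAMPLE = build_packet(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"20")])
```

An empty problem list means the reply carries a complete VLAN assignment; a missing or wrong entry points back at the group's RADIUS attributes on the server.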

 

xsilver_FTNT
Staff

Check https://Your-FAC-IP-or-FQDN/debug/radius/ for RADIUS debug details. Even without "debug mode", that simpler log should show plenty of output.

Is the Remote Auth. Servers / LDAP entry used to contact AD normal LDAP, or does it have "Windows Active Directory Domain Authentication" set?

If it's set, is "Use Windows AD Domain Authentication" then turned on in RADIUS Service / Policy / Identity source for that LDAP-based realm?

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
