Fortinet Forum
Jeremyict
New Contributor

FortiAuthenticator - 802.1x authentication failed
When our users try to connect to the SSID with the option "connect with credential windows" checked, they get the error message "connection failed":


Message of FortiAuthenticator:

802.1x authentication failed => CIRCUS\firstname.lastname
If they log in manually with their login "firstname.lastname" and password, it works.


Thanks in advance.

Debbie_FTNT
Staff

Hey Jeremy,

It's hard to tell what FortiAuthenticator is having an issue with just based on the difference in username format. It could be that it's not matching the correct RADIUS policy, or failing at some stage after matching a RADIUS policy.

You can check the RADIUS debug on FortiAuthenticator via GUI:
https://<FortiAuthenticator>/debug/radius
-> you should see the RADIUS requests (and what FortiAuthenticator does with them) there, and it should provide additional information on why login with CIRCUS\firstname.lastname fails but login with firstname.lastname succeeds.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Jeremyict

Hey Debbie,

 

Thank you for your answer.

 

  • I only have one rule.
  • My Username format: "realm\username"

My log:

2022-03-22T13:27:34.152827+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
2022-03-22T13:27:34.152834+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2022-03-22T13:27:34.152838+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: TLS failed during operation
2022-03-22T13:27:34.152841+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: [eaptls process] = fail
2022-03-22T13:27:34.152844+01:00 FAC1 radiusd[33834]: (274) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-03-22T13:27:34.152855+01:00 FAC1 radiusd[33834]: (274) facauth: Updated auth log 'Domain\firstname.lastname': 802.1x authentication failed

Debbie_FTNT

Hey Jeremy,

 

From that snippet, it looks like the Windows PC is trying to initiate an EAP-PEAP connection for auth to FortiAuthenticator, and sends along its client certificate.

That client certificate in turn is not trusted by FortiAuthenticator because it was issued by a CA FortiAuthenticator doesn't know and thus doesn't trust.

 

When your users authenticate successfully (by manually providing credentials), do you see a successful 802.1x authentication or a more generic log message?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Jeremyict

Yes,

 

49943+01:00 FAC1 radiusd[33834]: (264) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
2022-03-22T13:18:16.849948+01:00 FAC1 radiusd[33834]: (264) &User-Name !* ANY
2022-03-22T13:18:16.850010+01:00 FAC1 radiusd[33834]: (264) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
2022-03-22T13:18:16.850015+01:00 FAC1 radiusd[33834]: (264) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
2022-03-22T13:18:16.850019+01:00 FAC1 radiusd[33834]: (264) &reply::User-Name += &session-state:User-Name[*] -> 'firstname.lastname'
2022-03-22T13:18:16.850023+01:00 FAC1 radiusd[33834]: (264) facauth: EAP authentication success - add configured radius attributes to response
2022-03-22T13:18:16.850067+01:00 FAC1 radiusd[33834]: (264) facauth: ===>NAS IP:10.1.1.33
2022-03-22T13:18:16.850071+01:00 FAC1 radiusd[33834]: (264) facauth: Found authclient from preloaded authclients list for 10.1.1.33: WDC-Wifi-Controller (10.1.1.33)
2022-03-22T13:18:16.851128+01:00 FAC1 radiusd[33834]: (264) facauth: Found authpolicy 'Circus_Office_Policy' for client '10.1.1.33'
2022-03-22T13:18:16.852063+01:00 FAC1 radiusd[33834]: (264) facauth: Pass MAC filtering with group_id=6.
2022-03-22T13:18:16.852073+01:00 FAC1 radiusd[33834]: (264) facauth: Found authclient from preloaded authclients list for 10.1.1.33: WDC-Wifi-Controller (10.1.1.33)
2022-03-22T13:18:16.852933+01:00 FAC1 radiusd[33834]: (264) facauth: Found authpolicy 'Circus_Office_Policy' for client '10.1.1.33'
2022-03-22T13:18:16.853327+01:00 FAC1 radiusd[33834]: (264) facauth: Realm: (null) (default realm id: 3) username: firstname.lastname
2022-03-22T13:18:16.853658+01:00 FAC1 radiusd[33834]: (264) facauth: Realm not specified, default goes to Windows AD, id: 1
2022-03-22T13:18:16.854132+01:00 FAC1 radiusd[33834]: (264) facauth: Loaded remote ldap (regular bind) 10.1.1.100:389
2022-03-22T13:18:16.855710+01:00 FAC1 radiusd[33834]: (264) facauth: Updated auth log 'firstname.lastname': 802.1x authentication successful

joacef
New Contributor

I have a similar problem. I'm using EAP-TLS instead of EAP-PEAP.

I use the FortiAuthenticator as a CA and have created a user certificate. The CA and user certificates are imported to my Android. Have I missed trusting my CA somewhere in the FAC?

 

2022-07-04T07:39:25.690839-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
2022-07-04T07:39:25.692159-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2022-07-04T07:39:25.692223-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: TLS failed during operation
2022-07-04T07:39:25.692247-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: [eaptls process] = fail

joacef
New Contributor

I can reply to myself :)

 

I had forgotten to assign my server certificate.

 

RADIUS Service -> Certificates -> EAP Server Certificate:

heriherwanto
New Contributor III

Hi guys,

 

I have a question: can we use FortiAuthenticator without FortiAP? For example, if for the access point we use TP-Link, Mikrotik or another brand?

Markus_M

Hi heriherwanto,

 

You should probably open another thread with your question instead of attaching to another topic.

Answer to the question: Yes. FortiAuthenticator does not care where a RADIUS Access-Request comes from. If one is made and received by FortiAuthenticator, you can set it up to respond to it. Be it FortiGate, wireless APs with WPA-Enterprise, RADIUS-enabled switch ports or whatever else.

 

Best regards,

 

Markus

heriherwanto
New Contributor III

Dear all,

 

I have some problem connecting from Mikrotik to FortiAuthenticator using EAP-PEAP.

When I try to log in, the username and password prompt appears, and the certificate is also shown after login.

But after login it always goes back to the login form again (I see in the debug this information:

facauth: Updated auth log 'xxxx': Remote LDAP user authentication(mschap) with no token failed: invalid password

 

Here is the error:

2022-10-18T15:27:44.515470+07:00 FACMHP radiusd[13111]: (36) Service-Type = Framed-User
2022-10-18T15:27:44.515489+07:00 FACMHP radiusd[13111]: (36) Framed-MTU = 1400
2022-10-18T15:27:44.515506+07:00 FACMHP radiusd[13111]: (36) User-Name = "misniru"
2022-10-18T15:27:44.515521+07:00 FACMHP radiusd[13111]: (36) State = 0xf5f9f6cbf3feef1a848cdbc5d2466720
2022-10-18T15:27:44.515535+07:00 FACMHP radiusd[13111]: (36) NAS-Port-Id = "wlan1"
2022-10-18T15:27:44.515550+07:00 FACMHP radiusd[13111]: (36) NAS-Port-Type = Wireless-802.11
2022-10-18T15:27:44.515564+07:00 FACMHP radiusd[13111]: (36) Acct-Session-Id = "8230002b"
2022-10-18T15:27:44.515582+07:00 FACMHP radiusd[13111]: (36) Acct-Multi-Session-Id = "C4-AD-34-B4-7B-03-60-57-18-64-B6-6C-82-30-00-00-00-00-00-2B"
2022-10-18T15:27:44.515597+07:00 FACMHP radiusd[13111]: (36) Calling-Station-Id = "60-57-18-64-B6-6C"
2022-10-18T15:27:44.515614+07:00 FACMHP radiusd[13111]: (36) Called-Station-Id = "C4-AD-34-B4-7B-03:TEST PEAP FORTIAUTH"
2022-10-18T15:27:44.515896+07:00 FACMHP radiusd[13111]: (36) EAP-Message = 0x02070061190017030300560000000000000002b2c1e459405fe42d3e6c1ba17678bbc4a20ea240349b923fa629d1e957db2d8bc679ad43437ac3efb4ea7d436f3ee5575cdb1fa1b6f75951582337846c160e51eaeef1a9c110e84cbbaf0a804bbd
2022-10-18T15:27:44.515930+07:00 FACMHP radiusd[13111]: (36) Message-Authenticator = 0xf9a91c6a725efd26076695e8f9d1046e
2022-10-18T15:27:44.515945+07:00 FACMHP radiusd[13111]: (36) NAS-Identifier = "TESTRADIUS"
2022-10-18T15:27:44.515961+07:00 FACMHP radiusd[13111]: (36) NAS-IP-Address = 192.168.100.229
2022-10-18T15:27:44.515990+07:00 FACMHP radiusd[13111]: (36) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-10-18T15:27:44.516048+07:00 FACMHP radiusd[13111]: (36) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-10-18T15:27:44.516073+07:00 FACMHP radiusd[13111]: (36) eap: Expiring EAP session with state 0x5747ac085740b6d4
2022-10-18T15:27:44.516092+07:00 FACMHP radiusd[13111]: (36) eap: Finished EAP session with state 0xf5f9f6cbf3feef1a
2022-10-18T15:27:44.516111+07:00 FACMHP radiusd[13111]: (36) eap: Previous EAP request found for state 0xf5f9f6cbf3feef1a, released from the list
2022-10-18T15:27:44.516214+07:00 FACMHP radiusd[13111]: (36) Virtual server inner-tunnel received request
2022-10-18T15:27:44.516235+07:00 FACMHP radiusd[13111]: (36) EAP-Message = 0x020700421a0207003d31aac77ca599298bf58cbc3b194e039450000000000000000007656153eee9ab75abdc8f04ccf3d5069560ff816d4fcecb006d69736e697275
2022-10-18T15:27:44.516407+07:00 FACMHP radiusd[13111]: (36) FreeRADIUS-Proxied-To = 127.0.0.1
2022-10-18T15:27:44.516488+07:00 FACMHP radiusd[13111]: (36) User-Name = "misniru"
2022-10-18T15:27:44.516517+07:00 FACMHP radiusd[13111]: (36) State = 0x5747ac085740b6d4c877df7f7ac832b3
2022-10-18T15:27:44.516539+07:00 FACMHP radiusd[13111]: (36) Service-Type = Framed-User
2022-10-18T15:27:44.516557+07:00 FACMHP radiusd[13111]: (36) Framed-MTU = 1400
2022-10-18T15:27:44.516572+07:00 FACMHP radiusd[13111]: (36) NAS-Port-Id = "wlan1"
2022-10-18T15:27:44.516589+07:00 FACMHP radiusd[13111]: (36) NAS-Port-Type = Wireless-802.11
2022-10-18T15:27:44.516604+07:00 FACMHP radiusd[13111]: (36) Acct-Session-Id = "8230002b"
2022-10-18T15:27:44.516623+07:00 FACMHP radiusd[13111]: (36) Acct-Multi-Session-Id = "C4-AD-34-B4-7B-03-60-57-18-64-B6-6C-82-30-00-00-00-00-00-2B"
2022-10-18T15:27:44.516640+07:00 FACMHP radiusd[13111]: (36) Calling-Station-Id = "60-57-18-64-B6-6C"
2022-10-18T15:27:44.516656+07:00 FACMHP radiusd[13111]: (36) Called-Station-Id = "C4-AD-34-B4-7B-03:TEST PEAP FORTIAUTH"
2022-10-18T15:27:44.516671+07:00 FACMHP radiusd[13111]: (36) NAS-Identifier = "TESTRADIUS"
2022-10-18T15:27:44.516688+07:00 FACMHP radiusd[13111]: (36) NAS-IP-Address = 192.168.100.229
2022-10-18T15:27:44.516707+07:00 FACMHP radiusd[13111]: (36) Event-Timestamp = "Oct 18 2022 15:27:44 ICT"
2022-10-18T15:27:44.516725+07:00 FACMHP radiusd[13111]: (36) WARNING: Outer and inner identities are the same. User privacy is compromised.
2022-10-18T15:27:44.516739+07:00 FACMHP radiusd[13111]: (36) server inner-tunnel {
2022-10-18T15:27:44.516769+07:00 FACMHP radiusd[13111]: (36) # Executing section authorize from file /usr/etc/raddb/sites-enabled/inner-tunnel
2022-10-18T15:27:44.516814+07:00 FACMHP radiusd[13111]: (36) &Proxy-To-Realm := LOCAL
2022-10-18T15:27:44.516890+07:00 FACMHP radiusd[13111]: (36) facauth: ===>NAS IP:192.168.100.229
2022-10-18T15:27:44.516907+07:00 FACMHP radiusd[13111]: (36) facauth: ===>Username:misniru
2022-10-18T15:27:44.516926+07:00 FACMHP radiusd[13111]: (36) facauth: WARNING: client 192.168.100.229, id=36, cannot get request arrival time.
2022-10-18T15:27:44.516975+07:00 FACMHP radiusd[13111]: (36) facauth: Found authclient from preloaded authclients list for 192.168.100.229: Mikrotik (192.168.100.229)
2022-10-18T15:27:44.520153+07:00 FACMHP radiusd[13111]: Waking up in 0.6 seconds.
2022-10-18T15:27:44.520294+07:00 FACMHP radiusd[13111]: (36) facauth: Found authpolicy 'FG-MIS' for client '192.168.100.229'
2022-10-18T15:27:44.521836+07:00 FACMHP radiusd[13111]: (36) facauth: Found authclient from preloaded authclients list for 192.168.100.229: Mikrotik (192.168.100.229)
2022-10-18T15:27:44.524520+07:00 FACMHP radiusd[13111]: (36) facauth: Found authpolicy 'FG-MIS' for client '192.168.100.229'
2022-10-18T15:27:44.525996+07:00 FACMHP radiusd[13111]: (36) facauth: Client type: 0 (subtype: 0)
2022-10-18T15:27:44.526091+07:00 FACMHP radiusd[13111]: (36) facauth: Input Realm: (null) (default realm id: 2) username: misniru
2022-10-18T15:27:44.527372+07:00 FACMHP radiusd[13111]: (36) facauth: Realm not specified, default goes to remote LDAP, id: 1
2022-10-18T15:27:44.527455+07:00 FACMHP radiusd[13111]: (36) facauth: FAC local user overrides, try searching local user first
2022-10-18T15:27:44.529147+07:00 FACMHP radiusd[13111]: (36) facauth: Local user not found, try searching remote user
2022-10-18T15:27:44.533959+07:00 FACMHP radiusd[13111]: (36) # Executing group from file /usr/etc/raddb/sites-enabled/inner-tunnel
2022-10-18T15:27:44.534057+07:00 FACMHP radiusd[13111]: (36) eap: Expiring EAP session with state 0x5747ac085740b6d4
2022-10-18T15:27:44.534078+07:00 FACMHP radiusd[13111]: (36) eap: Finished EAP session with state 0x5747ac085740b6d4
2022-10-18T15:27:44.534099+07:00 FACMHP radiusd[13111]: (36) eap: Previous EAP request found for state 0x5747ac085740b6d4, released from the list
2022-10-18T15:27:44.534141+07:00 FACMHP radiusd[13111]: (36) eap_mschapv2: PEAP: Setting 'Auth-Type := FACAUTH'
2022-10-18T15:27:44.534164+07:00 FACMHP radiusd[13111]: (36) eap_mschapv2: # Executing group from file /usr/etc/raddb/sites-enabled/inner-tunnel
2022-10-18T15:27:44.534218+07:00 FACMHP radiusd[13111]: (36) facauth: Found authclient from preloaded authclients list for 192.168.100.229: Mikrotik (192.168.100.229)
2022-10-18T15:27:44.536799+07:00 FACMHP radiusd[13111]: (36) facauth: Found authpolicy 'FG-MIS' for client '192.168.100.229'
2022-10-18T15:27:44.538045+07:00 FACMHP radiusd[13111]: (36) facauth: Client type: 0 (subtype: 0)
2022-10-18T15:27:44.538140+07:00 FACMHP radiusd[13111]: (36) facauth: Input Realm: (null) (default realm id: 2) username: misniru
2022-10-18T15:27:44.539046+07:00 FACMHP radiusd[13111]: (36) facauth: Realm not specified, default goes to remote LDAP, id: 1
2022-10-18T15:27:44.539126+07:00 FACMHP radiusd[13111]: (36) facauth: FAC local user overrides, try searching local user first
2022-10-18T15:27:44.540506+07:00 FACMHP radiusd[13111]: (36) facauth: Local user not found, try searching remote user
2022-10-18T15:27:44.544284+07:00 FACMHP radiusd[13111]: (36) facauth: LDAP user found: misniru
2022-10-18T15:27:44.545042+07:00 FACMHP radiusd[13111]: (36) facauth: Remote ldap user 'misniru': NULL password is not allowed
2022-10-18T15:27:44.545121+07:00 FACMHP radiusd[13111]: (36) facauth: Remote LDAP user authentication failed
2022-10-18T15:27:44.547681+07:00 FACMHP radiusd[13111]: (36) facauth: Updated auth log 'misniru': Remote LDAP user authentication(mschap) with no token failed: invalid password
2022-10-18T15:27:44.547756+07:00 FACMHP radiusd[13111]: (36) # Executing group from file /usr/etc/raddb/sites-enabled/inner-tunnel
2022-10-18T15:27:44.547877+07:00 FACMHP radiusd[13111]: (36) } # server inner-tunnel
2022-10-18T15:27:44.547948+07:00 FACMHP radiusd[13111]: (36) Virtual server sending reply
2022-10-18T15:27:44.547967+07:00 FACMHP radiusd[13111]: (36) EAP-Message = 0x04070004
2022-10-18T15:27:44.547982+07:00 FACMHP radiusd[13111]: (36) Message-Authenticator = 0x00000000000000000000000000000000
2022-10-18T15:27:44.548117+07:00 FACMHP radiusd[13111]: (36) eap: EAP session adding &reply:State = 0xf5f9f6cbf2f1ef1a
2022-10-18T15:27:44.548205+07:00 FACMHP radiusd[13111]: (36) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-10-18T15:27:44.548233+07:00 FACMHP radiusd[13111]: (36) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2022-10-18T15:27:44.548248+07:00 FACMHP radiusd[13111]: (36) TLS-Session-Version = "TLS 1.2"
2022-10-18T15:27:44.548281+07:00 FACMHP radiusd[13111]: (36) Sent Access-Challenge Id 138 from 192.168.100.248:1812 to 192.168.100.229:47620 length 0
2022-10-18T15:27:44.548354+07:00 FACMHP radiusd[13111]: (36) EAP-Message = 0x0108002e19001703030023cefc6abedd8931ac35ecd595fb032a20ca16275e020e0cc8980ffa2320ef05236f9e50
2022-10-18T15:27:44.548370+07:00 FACMHP radiusd[13111]: (36) Message-Authenticator = 0x00000000000000000000000000000000
2022-10-18T15:27:44.548384+07:00 FACMHP radiusd[13111]: (36) State = 0xf5f9f6cbf2f1ef1a848cdbc5d2466720


Please help us if anybody has experience related to this problem.
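As an added example (not code from this thread or from Fortinet), the following Python script groups radiusd debug lines like the ones posted in this thread by request id and reports which of the outcomes seen here each request hit: the TLS "unknown CA" alert from Jeremy's and joacef's logs, the empty inner-password failure from heriherwanto's PEAP/MS-CHAPv2 log, or a successful 802.1x authentication. The sample lines are constructed from the posted logs (host names and PIDs shortened), and the hints are assumptions about where to look first, not Fortinet guidance.

```python
"""Summarise FortiAuthenticator RADIUS debug output per request id."""
import re
from collections import defaultdict

# Matches "radiusd[<pid>]: (<request id>) <message>" as seen in the debug log.
LINE_RE = re.compile(r"radiusd\[\d+\]: \((\d+)\) (.*)$")
USER_RE = re.compile(r"Updated auth log '([^']+)'")

# Substrings taken from the thread's logs, in order of precedence: the TLS and
# password messages explain the later, generic "authentication failed" line.
SIGNATURES = [
    ("unknown CA", "tls-unknown-ca",
     "client rejected the EAP server certificate: check the EAP Server "
     "Certificate under RADIUS Service > Certificates and the CA the client trusts"),
    ("NULL password is not allowed", "empty-password",
     "inner MS-CHAPv2 exchange reached FAC without a password: check the "
     "supplicant's inner (phase 2) authentication settings"),
    ("authentication successful", "success", "no action needed"),
    ("authentication failed", "auth-failed", "inspect earlier lines of this request"),
]


def summarise(lines):
    """Return {request_id: {"user": str|None, "verdict": str, "hint": str}}."""
    by_req = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines without a request id (e.g. "Waking up in ...") are skipped
            by_req[int(m.group(1))].append(m.group(2))
    summary = {}
    for req, msgs in sorted(by_req.items()):
        user = next((USER_RE.search(x).group(1) for x in msgs if USER_RE.search(x)), None)
        verdict, hint = "unknown", "no recognised outcome line in this request"
        for needle, tag, text in SIGNATURES:
            if any(needle in x for x in msgs):
                verdict, hint = tag, text
                break
        summary[req] = {"user": user, "verdict": verdict, "hint": hint}
    return summary


# Constructed sample, modelled on the logs posted in the thread.
SAMPLE = """\
FAC1 radiusd[1]: (274) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
FAC1 radiusd[1]: (274) facauth: Updated auth log 'CIRCUS\\firstname.lastname': 802.1x authentication failed
FAC1 radiusd[1]: (264) facauth: Updated auth log 'firstname.lastname': 802.1x authentication successful
FAC1 radiusd[1]: (36) facauth: Remote ldap user 'misniru': NULL password is not allowed
FAC1 radiusd[1]: (36) facauth: Remote LDAP user authentication failed
FAC1 radiusd[1]: (36) facauth: Updated auth log 'misniru': Remote LDAP user authentication(mschap) with no token failed: invalid password
""".splitlines()

if __name__ == "__main__":
    for req, info in summarise(SAMPLE).items():
        print(f"({req}) {info['user']}: {info['verdict']} -> {info['hint']}")
```

Feed it the output of the /debug/radius page instead of SAMPLE to get one verdict per request id rather than reading the full trace by hand.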