Fortinet Forum
Jeremyict
New Contributor

FortiAuthenticator - 802.1x authentication failed

When our users try to connect to the SSID with the option "connect with credential windows" checked, we get the error message "connection failed":


Message of FortiAuthenticator:

802.1x authentication failed => CIRCUS\firstname.lastname

If they log in manually with their login "firstname.lastname" and password, it works.


Thanks in advance

Debbie_FTNT
Staff

Hey Jeremy,

It's hard to tell what FortiAuthenticator is having an issue with just based on the difference in username format. It could be that it's not matching the correct RADIUS policy, or failing at some stage after matching a RADIUS policy.

You can check the RADIUS debug on FortiAuthenticator via GUI:
https://<FortiAuthenticator>/debug/radius
-> you should see RADIUS requests (and what FortiAuthenticator does with them) there, and it should provide additional information why login with CIRCUS\firstname.lastname fails, but login with firstname.lastname is successful

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Jeremyict

Hey Debbie,

Thank you for your answer.

  • I only have one rule.
  • My Username format: "realm\username"

My log:

2022-03-22T13:27:34.152827+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
2022-03-22T13:27:34.152834+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2022-03-22T13:27:34.152838+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: TLS failed during operation
2022-03-22T13:27:34.152841+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: [eaptls process] = fail
2022-03-22T13:27:34.152844+01:00 FAC1 radiusd[33834]: (274) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-03-22T13:27:34.152855+01:00 FAC1 radiusd[33834]: (274) facauth: Updated auth log 'Domain\firstname.lastname': 802.1x authentication failed

Debbie_FTNT

Hey Jeremy,

From that snippet, it looks like the Windows PC is trying to initiate an EAP-PEAP connection for auth to FortiAuthenticator, and sends along its client certificate.

That client certificate in turn is not trusted by FortiAuthenticator because it was issued by a CA FortiAuthenticator doesn't know and thus doesn't trust.

When your users authenticate successfully (by manually providing credentials) do you see successful 802.1x authentication or a more generic log message?

Jeremyict

Yes,

49943+01:00 FAC1 radiusd[33834]: (264) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
2022-03-22T13:18:16.849948+01:00 FAC1 radiusd[33834]: (264) &User-Name !* ANY
2022-03-22T13:18:16.850010+01:00 FAC1 radiusd[33834]: (264) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
2022-03-22T13:18:16.850015+01:00 FAC1 radiusd[33834]: (264) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
2022-03-22T13:18:16.850019+01:00 FAC1 radiusd[33834]: (264) &reply::User-Name += &session-state:User-Name[*] -> 'firstname.lastname'
2022-03-22T13:18:16.850023+01:00 FAC1 radiusd[33834]: (264) facauth: EAP authentication success - add configured radius attributes to response
2022-03-22T13:18:16.850067+01:00 FAC1 radiusd[33834]: (264) facauth: ===>NAS IP:10.1.1.33
2022-03-22T13:18:16.850071+01:00 FAC1 radiusd[33834]: (264) facauth: Found authclient from preloaded authclients list for 10.1.1.33: WDC-Wifi-Controller (10.1.1.33)
2022-03-22T13:18:16.851128+01:00 FAC1 radiusd[33834]: (264) facauth: Found authpolicy 'Circus_Office_Policy' for client '10.1.1.33'
2022-03-22T13:18:16.852063+01:00 FAC1 radiusd[33834]: (264) facauth: Pass MAC filtering with group_id=6.
2022-03-22T13:18:16.852073+01:00 FAC1 radiusd[33834]: (264) facauth: Found authclient from preloaded authclients list for 10.1.1.33: WDC-Wifi-Controller (10.1.1.33)
2022-03-22T13:18:16.852933+01:00 FAC1 radiusd[33834]: (264) facauth: Found authpolicy 'Circus_Office_Policy' for client '10.1.1.33'
2022-03-22T13:18:16.853327+01:00 FAC1 radiusd[33834]: (264) facauth: Realm: (null) (default realm id: 3) username: firstname.lastname
2022-03-22T13:18:16.853658+01:00 FAC1 radiusd[33834]: (264) facauth: Realm not specified, default goes to Windows AD, id: 1
2022-03-22T13:18:16.854132+01:00 FAC1 radiusd[33834]: (264) facauth: Loaded remote ldap (regular bind) 10.1.1.100:389
2022-03-22T13:18:16.855710+01:00 FAC1 radiusd[33834]: (264) facauth: Updated auth log 'firstname.lastname': 802.1x authentication successful

joacef
New Contributor

I have a similar problem. I'm using eap-tls instead of eap-peap.

I use the FortiAuthenticator as a CA and have created a user certificate. CA + user certificate are imported to my Android. Have I missed trusting my CA somewhere in the FAC?

2022-07-04T07:39:25.690839-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
2022-07-04T07:39:25.692159-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2022-07-04T07:39:25.692223-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: TLS failed during operation
2022-07-04T07:39:25.692247-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: [eaptls process] = fail

joacef
New Contributor

I can reply to myself :)

I forgot to assign my server certificate.

RADIUS Service -> Certificates -> EAP Server Certificate:
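An added example, not code from this thread or from Fortinet, for triaging radiusd debug output like the lines quoted in the two failure reports above (the EAP-PEAP case and the EAP-TLS case): it groups lines by the request id in parentheses so that the EAP method, the TLS alert and the final 802.1x result for a user can be read together, and notes whether the alert was received from the supplicant ("read") or sent by the server ("write"). The sample lines are constructed to mirror the ones posted in this thread; the regexes and field names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the radiusd debug output quoted in this thread.
SAMPLE_LOG = """\
2022-03-22T13:27:34.152827+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
2022-03-22T13:27:34.152838+01:00 FAC1 radiusd[33834]: (274) eap_peap: ERROR: TLS failed during operation
2022-03-22T13:27:34.152855+01:00 FAC1 radiusd[33834]: (274) facauth: Updated auth log 'Domain\\firstname.lastname': 802.1x authentication failed
2022-03-22T13:18:16.850071+01:00 FAC1 radiusd[33834]: (264) facauth: Found authclient from preloaded authclients list for 10.1.1.33: WDC-Wifi-Controller (10.1.1.33)
2022-03-22T13:18:16.855710+01:00 FAC1 radiusd[33834]: (264) facauth: Updated auth log 'firstname.lastname': 802.1x authentication successful
2022-07-04T07:39:25.690839-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
2022-07-04T07:39:25.692247-07:00 FortiAuthenticator radiusd[29278]: (111) eap_tls: ERROR: [eaptls process] = fail
"""

# Assumed line layout: "<timestamp> <host> radiusd[<pid>]: (<request id>) <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) radiusd\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")
ALERT_RE = re.compile(r"(?P<method>eap_\w+): ERROR: TLS Alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)$")
AUTH_RE = re.compile(r"facauth: Updated auth log '(?P<user>[^']+)': 802\.1x authentication (?P<result>\w+)")
NAS_RE = re.compile(r"facauth: Found authclient .* for (?P<nas>[\d.]+):")


def triage(log_text):
    """Group radiusd lines by request id; summarise EAP method, TLS alert and 802.1x outcome."""
    reqs = defaultdict(lambda: {"ts": None, "method": None, "alert": None,
                                "alert_from": None, "user": None, "result": None, "nas": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a radiusd request line; ignore
        r = reqs[m["req"]]
        r["ts"] = r["ts"] or m["ts"]
        msg = m["msg"]
        if a := ALERT_RE.search(msg):
            r["method"] = a["method"]
            r["alert"] = f"{a['level']}:{a['desc'].strip()}"
            # "TLS Alert read" is an alert received from the supplicant; "write" is one the server sent.
            r["alert_from"] = "supplicant" if a["dir"] == "read" else "server"
        elif a := AUTH_RE.search(msg):
            r["user"], r["result"] = a["user"], a["result"]
        elif a := NAS_RE.search(msg):
            r["nas"] = a["nas"]
    return dict(reqs)


def unknown_ca_failures(log_text):
    """Request ids whose TLS handshake ended with an 'unknown CA' alert, i.e. a certificate trust problem."""
    return sorted(k for k, v in triage(log_text).items()
                  if v["alert"] and "unknown ca" in v["alert"].lower())
```

Running `triage(SAMPLE_LOG)` on the constructed lines shows request 274 (EAP-PEAP) and 111 (EAP-TLS) both failing on an alert received from the supplicant, while request 264 completes with no alert.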