Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ganesh_karale
New Contributor III

802.1X certificate-based authentication where FNAC is acting as RADIUS

Hi, we are using Aruba as the wireless controller and FortiNAC is acting as the local RADIUS server; the EAP types are TLS and TTLS.

We want to enable certificate-based authentication for the users who try to connect to Wi-Fi.

For wired users it is working perfectly fine, but for wireless users we see that users without a certificate are able to connect. In the RADIUS logs we see that the authentication method is MSCHAPv2, which should not work as it is disabled in the RADIUS default config.

Please guide.
ebilcari
Staff

How many entries are in the RADIUS Local servers?

In 'Supported EAP Types', are only EAP-TLS and TTLS enabled? PEAP/MSCHAPv2 relies on the Winbind tool to check credentials; if it's not used in this setup, you can also limit these authentications by disabling this service.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ganesh_karale

Dear Emirjon

Only EAP-TLS and TTLS are enabled, and Winbind is also disabled.


ebilcari

Then this is technically not possible. Make sure the hosts are not currently authenticating with TTLS, which is practically the same as PEAP but the password is in clear text (not using the challenges). At least for testing, you can also create a new local server with only TLS selected and use it in the model configuration of the WLC.
Keep in mind that even if the RADIUS server doesn't support a type of authentication, it doesn't prevent the hosts from attempting it. As long as the requests are EAP-based, the WLC will forward them to FNAC.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ganesh_karale

Sorry Emirjon, unable to understand what you are trying to convey.

ebilcari

Authentications that use PEAP/MSCHAPv2 cannot be successful if there is no Winbind instance running in FNAC, so this statement cannot technically happen: "for Wireless Users we seen that the without certificate users are able to connect.. In Radius Logs we seen that the Authentication method is MSCHAPV2"

Maybe you are misinterpreting the logs from the successful TTLS authentications, or you are just seeing the hosts' requests that use PEAP, but that authentication should fail in the end if there is no Winbind instance to check their challenges.

To avoid the confusion, I was suggesting adding another local server for TLS only, as shown below:

[screenshot: tls-only.PNG]


and use it in the WLC model configuration:

[screenshot: mode-rad.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
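The distinction Emirjon draws above, between hosts that merely attempt PEAP/MSCHAPv2 and hosts that are actually accepted, is easy to lose when skimming RADIUS logs. The following is an added example (not FortiNAC's own tooling, and not its real log format): it parses a few constructed, hypothetical log lines, tallies each EAP method by outcome, and flags any Access-Accept whose method is outside the allowed set. The line format, field names and sample users are all assumptions; the regex would need adapting to the real server output.

```python
"""Tally constructed RADIUS log lines by EAP method and result.

Added example for this thread. The log format below is constructed and
hypothetical; it is not FortiNAC's or FreeRADIUS's actual output.
"""
import re
from collections import defaultdict

# Constructed sample lines (hypothetical format). The final PEAP line is a
# deliberate anomaly so the check below has something to flag.
SAMPLE_LOG = """\
2024-05-01 10:00:01 auth: user=alice nas=wlc-01 eap=EAP-TLS result=Access-Accept
2024-05-01 10:00:05 auth: user=bob nas=wlc-01 eap=PEAP/MSCHAPv2 result=Access-Reject
2024-05-01 10:00:09 auth: user=carol nas=wlc-01 eap=EAP-TTLS result=Access-Accept
2024-05-01 10:00:12 auth: user=bob nas=wlc-01 eap=PEAP/MSCHAPv2 result=Access-Reject
2024-05-01 10:00:20 auth: user=dave nas=sw-03 eap=EAP-TLS result=Access-Accept
2024-05-01 10:00:25 auth: user=eve nas=wlc-01 eap=PEAP/MSCHAPv2 result=Access-Accept
this line is noise and is skipped by the parser
"""

# Hypothetical field layout; adjust to the real log before use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth: user=(?P<user>\S+) nas=(?P<nas>\S+) "
    r"eap=(?P<eap>\S+) result=(?P<result>Access-Accept|Access-Reject)$"
)

# Target state from the thread: certificate-only, so only EAP-TLS is allowed.
# Add "EAP-TTLS" here while TTLS is still intentionally enabled.
ALLOWED_METHODS = {"EAP-TLS"}


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count (EAP method, result) pairs so attempts are not mistaken for successes."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["eap"], e["result"])] += 1
    return dict(counts)


def unexpected_accepts(events, allowed=ALLOWED_METHODS):
    """Accepted authentications whose EAP method is outside the allowed set."""
    return [e for e in events
            if e["result"] == "Access-Accept" and e["eap"] not in allowed]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (eap, result), n in sorted(summarize(evts).items()):
        print(f"{eap:<15} {result:<14} {n}")
    for e in unexpected_accepts(evts):
        print(f"UNEXPECTED ACCEPT: user={e['user']} nas={e['nas']} eap={e['eap']}")
```

Reading the tally first answers the question the thread circles around: rejected PEAP attempts are expected noise from clients that still offer it, whereas an Access-Accept for any non-TLS method is the actual policy gap to chase (in this case a TTLS accept, which is why a TLS-only local server was suggested).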