ManojK
New Contributor

Authentication format on FortiConnect

Hey guys,

We have a Fortinet WLAN management controller and a FortiConnect VM. Everything is set up and communicates well with AD. But authentication works only when we send the username as "username@domain.local". This is fine for mobiles because we push it manually via an MDM to connect to the SSID.

But for notebooks we have set it up to use Windows logon via GPO, and I can see in the logs that the username comes in as "domain\username", which seems to fail for some reason. Our AD is Windows Server 2012 R2.

One of the failed packets shows an MSCHAP error, but I'm guessing it's a generic error?

Packet 10 (from 192.168.20.141:47024 id 122)
Request: Access-Request
	User-Name = NEAMIINC\lisa.koh
	NAS-IP-Address = 192.168.20.141
	NAS-Port = 2081
	Called-Station-Id = 00:10:f3:48:86:d2:Neami-Corp
	Calling-Station-Id = 94-65-9C-91-72-D3
	Framed-MTU = 1250
	NAS-Port-Type = Wireless-802.11
	Framed-Compression = None
	Connect-Info = CONNECT 802.11a
	Chargeable-User-Identity =
Inner Request: Access-Request
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = NEAMIINC\lisa.koh
	NAS-IP-Address = 192.168.20.141
	NAS-Port = 2081
	Called-Station-Id = 00:10:f3:48:86:d2:Neami-Corp
	Calling-Station-Id = 94-65-9C-91-72-D3
	Framed-MTU = 1250
	NAS-Port-Type = Wireless-802.11
	Framed-Compression = None
	Connect-Info = CONNECT 802.11a
	Chargeable-User-Identity =
Inner Reply: Access-Reject
	MS-CHAP-Error = " E=691 R=1"
Reply: Access-Challenge
	No attributes

Any help would be great.

Thanks


1 REPLY
ManojK
New Contributor

I managed to get some more info from the RADIUS logs. It seems to be looking for the @. Logs below, one for a computer and one for a user. Hopefully this will give a clearer picture to someone?

rad_recv: Access-Request packet from host 192.168.20.141 port 47024, id=134, length=204
	User-Name = "NEAMIINC\\manoj.kumaracheliyan"
	NAS-IP-Address = 192.168.20.141
	NAS-Port = 2068
	Called-Station-Id = "00:10:f3:48:86:d2:Neami-Corp"
	Calling-Station-Id = "14-AB-C5-81-E2-41"
	Framed-MTU = 1250
	NAS-Port-Type = Wireless-802.11
	Framed-Compression = None
	Connect-Info = "CONNECT 802.11a"
	Chargeable-User-Identity = ""
	EAP-Message = 0x02010022014e45414d49494e435c6d616e6f6a2e6b756d6172616368656c6979616e
	Message-Authenticator = 0x3bac557c063e0597588737055f410665
Wed May 2 19:26:54 2018 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed May 2 19:26:54 2018 : Info: +group authorize {
Wed May 2 19:26:54 2018 : Info: [suffix] No '@' in User-Name = "NEAMIINC\manoj.kumaracheliyan", skipping NULL due to config.
Wed May 2 19:26:54 2018 : Info: ++[suffix] = noop
Wed May 2 19:26:54 2018 : Info: [IPASS] No '/' in User-Name = "NEAMIINC\manoj.kumaracheliyan", skipping NULL due to config.
Wed May 2 19:26:54 2018 : Info: ++[IPASS] = noop
Wed May 2 19:26:54 2018 : Info: [ntdomain] Looking up realm "NEAMIINC" for User-Name = "NEAMIINC\manoj.kumaracheliyan"
Wed May 2 19:26:54 2018 : Info: [ntdomain] Found realm "DEFAULT"
Wed May 2 19:26:54 2018 : Info: [ntdomain] Adding Realm = "DEFAULT"
Wed May 2 19:26:54 2018 : Info: [ntdomain] Authentication realm is LOCAL.
Wed May 2 19:26:54 2018 : Info: ++[ntdomain] = ok
Wed May 2 19:26:54 2018 : Info: ++[chap] = noop
Wed May 2 19:26:54 2018 : Info: ++[mschap] = noop
Wed May 2 19:26:54 2018 : Info: [eap] EAP packet type response id 1 length 34
Wed May 2 19:26:54 2018 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed May 2 19:26:54 2018 : Info: ++[eap] = updated
Wed May 2 19:26:54 2018 : Info: [sql] expand: %{User-Name} -> NEAMIINC\\manoj.kumaracheliyan
Wed May 2 19:26:54 2018 : Info: [sql] sql_set_user escaped user --> 'NEAMIINC\\manoj.kumaracheliyan'
Wed May 2 19:26:54 2018 : Debug: rlm_sql (sql): Reserving sql socket id: 11
Wed May 2 19:26:54 2018 : Info: [sql] expand: SELECT id, UserName, 'Cleartext-Password', password, ':=' FROM guestusers WHERE (LOWER(Username) = LOWER('%{SQL-User-Name}') OR (mac_address = to_macaddr('%{SQL-User-Name}'))) AND status = 2 -> *****
Wed May 2 19:26:54 2018 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Wed May 2 19:26:54 2018 : Debug: rlm_sql_postgresql: query affected rows = 0 , fields = 5
Wed May 2 19:26:54 2018 : Debug: rlm_sql (sql): Released sql socket id: 11
Wed May 2 19:26:54 2018 : Info: [sql] User NEAMIINC\\manoj.kumaracheliyan not found
Wed May 2 19:26:54 2018 : Info: ++[sql] = notfound
Wed May 2 19:26:54 2018 : Info: ++? if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT'))
Wed May 2 19:26:54 2018 : Info: ? Evaluating !(control:Proxy-To-Realm ) -> TRUE
Wed May 2 19:26:54 2018 : Info: ?? Skipping ("%{control:Proxy-To-Realm}" == 'DEFAULT')
Wed May 2 19:26:54 2018 : Info: ++? if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) -> TRUE
Wed May 2 19:26:54 2018 : Info: ++if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) {
Wed May 2 19:26:54 2018 : Info: +++? if (!control:Auth-Type)
Wed May 2 19:26:54 2018 : Info: ? Evaluating !(control:Auth-Type) -> FALSE
Wed May 2 19:26:54 2018 : Info: +++? if (!control:Auth-Type) -> FALSE
Wed May 2 19:26:54 2018 : Info: ++} # if (!control:Proxy-To-Realm || ("%{control:Proxy-To-Realm}" == 'DEFAULT')) = updated
Wed May 2 19:26:54 2018 : Info: +} # group authorize = updated
Wed May 2 19:26:54 2018 : Info: Found Auth-Type = EAP
Wed May 2 19:26:54 2018 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed May 2 19:26:54 2018 : Info: +group authenticate {
Wed May 2 19:26:54 2018 : Info: [eap] EAP Identity
Wed May 2 19:26:54 2018 : Info: [eap] processing type tls
Wed May 2 19:26:54 2018 : Info: [tls] Initiate
Wed May 2 19:26:54 2018 : Info: [tls] Start returned 1
Wed May 2 19:26:54 2018 : Info: ++[eap] = handled
Wed May 2 19:26:54 2018 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 134 to 192.168.20.141 port 47024
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa339c7d0a33bde610662bde461ee3ce8
Wed May 2 19:26:54 2018 : Info: Finished request 6686.
Wed May 2 19:26:54 2018 : Debug: Going to the next request
Wed May 2 19:26:54 2018 : Info: Cleaning up request 6571 ID 19 with timestamp +352
Wed May 2 19:26:54 2018 : Info: Cleaning up request 6572 ID 20 with timestamp +352
Wed May 2 19:26:54 2018 : Info: Cleaning up request 6573 ID 21 with timestamp +352
rad_recv: Access-Request packet from host 192.168.20.141 port 47024, id=135, length=322
	User-Name = "host/0AFKITQ.NeamiInc.local"
	NAS-IP-Address = 192.168.20.141
	NAS-Port = 2054
	Called-Station-Id = "00:10:f3:48:86:d2:Neami-Corp"
	Calling-Station-Id = "68-5D-43-FD-56-97"
	Framed-MTU = 1250
	NAS-Port-Type = Wireless-802.11
	Framed-Compression = None
	Connect-Info = "CONNECT 802.11g"
	Chargeable-User-Identity = ""
	EAP-Message = 0x0206008819800000007e16030300461000004241044de92aaab51fcfca0e1d485d09023f8a1f4de822dc8e3f53fd1c297f809f17ef3b7cc36f83887a4a4639381aa7f701d63fde3cc18f6665f24930bc885fe4917a140303000101160303002800000000000000000dff15fb58ae87ced6bdf2610580e4cd0d0284fd7e7a1e9d43e5697016ca9f4f
	State = 0xd9429d61dd44846534999a0ce8da3ad4
	Message-Authenticator = 0x2b9cbba10cd7221d4739bb8d9c649fd1
Wed May 2 19:26:54 2018 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed May 2 19:26:54 2018 : Info: +group authorize {
Wed May 2 19:26:54 2018 : Info: [suffix] No '@' in User-Name = "host/0AFKITQ.NeamiInc.local", skipping NULL due to config.
Wed May 2 19:26:54 2018 : Info: ++[suffix] = noop
Wed May 2 19:26:54 2018 : Info: [IPASS] Looking up realm "host" for User-Name = "host/0AFKITQ.NeamiInc.local"
Wed May 2 19:26:54 2018 : Info: [IPASS] Found realm "DEFAULT"
Wed May 2 19:26:54 2018 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed May 2 19:26:54 2018 : Info: [IPASS] Authentication realm is LOCAL.
Wed May 2 19:26:54 2018 : Info: ++[IPASS] = ok
Wed May 2 19:26:54 2018 : Info: [ntdomain] Request already proxied. Ignoring.
Wed May 2 19:26:54 2018 : Info: ++[ntdomain] = ok
Wed May 2 19:26:54 2018 : Info: ++[chap] = noop
Wed May 2 19:26:54 2018 : Info: ++[mschap] = noop
Wed May 2 19:26:54 2018 : Info: [eap] EAP packet type response id 6 length 136
Wed May 2 19:26:54 2018 : Info: [eap] Continuing tunnel setup.
Wed May 2 19:26:54 2018 : Info: ++[eap] = ok
Wed May 2 19:26:54 2018 : Info: +} # group authorize = ok
Wed May 2 19:26:54 2018 : Info: Found Auth-Type = EAP
Wed May 2 19:26:54 2018 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed May 2 19:26:54 2018 : Info: +group authenticate {
Wed May 2 19:26:54 2018 : Info: [eap] Request found, released from the list
Wed May 2 19:26:54 2018 : Info: [eap] EAP/peap
Wed May 2 19:26:54 2018 : Info: [eap] processing type peap
Wed May 2 19:26:54 2018 : Info: [peap] processing EAP-TLS
Wed May 2 19:26:54 2018 : Debug: TLS Length 126
Wed May 2 19:26:54 2018 : Info: [peap] Length Included
Wed May 2 19:26:54 2018 : Info: [peap] eaptls_verify returned 11
Wed May 2 19:26:54 2018 : Info: [peap] <<< Unknown TLS version [length 0046]
Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 read client key exchange A
Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 read certificate verify A
Wed May 2 19:26:54 2018 : Info: [peap] <<< Unknown TLS version [length 0001]
Wed May 2 19:26:54 2018 : Info: [peap] <<< Unknown TLS version [length 0010]
Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 read finished A
Wed May 2 19:26:54 2018 : Info: [peap] >>> Unknown TLS version [length 0001]
Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 write change cipher spec A
Wed May 2 19:26:54 2018 : Info: [peap] >>> Unknown TLS version [length 0010]
Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 write finished A
Wed May 2 19:26:54 2018 : Info: [peap] TLS_accept: SSLv3 flush data
Wed May 2 19:26:54 2018 : Info: [peap] (other): SSL negotiation finished successfully
Wed May 2 19:26:54 2018 : Debug: SSL Connection Established
Wed May 2 19:26:54 2018 : Info: [peap] eaptls_process returned 13
Wed May 2 19:26:54 2018 : Info: [peap] EAPTLS_HANDLED
Wed May 2 19:26:54 2018 : Info: ++[eap] = handled
Wed May 2 19:26:54 2018 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 135 to 192.168.20.141 port 47024
	EAP-Message = 0x0107003919001403030001011603030028d38e16aa33863612a0c035ab08f7aafe9bbb643faefff0cd950ca4c961318e22ac8a96efab2ade17
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd9429d61dc45846534999a0ce8da3ad4
Wed May 2 19:26:54 2018 : Info: Finished request 6687.
Wed May 2 19:26:54 2018 : Debug: Going to the next request
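An added example (not from this thread, Fortinet or FreeRADIUS) that models the realm-splitting order the log above shows (suffix '@', then IPASS '/', then ntdomain '\') and decodes the MS-CHAP-Error string from the first post; the NetBIOS-to-DNS map passed to to_upn is a constructed assumption, not something the page states.

```python
import re

# Realm-module instances in the order the log above runs them:
# (instance name, delimiter, which side of the delimiter is the realm)
REALM_MODULES = [
    ("suffix", "@", "right"),    # user@realm
    ("IPASS", "/", "left"),      # realm/user
    ("ntdomain", "\\", "left"),  # REALM\user
]

# MS-CHAP-Error codes from RFC 2759; 691 is the one in the rejected packet
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def split_user_name(user_name):
    """Return (module, realm, user); module is None when no delimiter matches."""
    for module, delim, realm_side in REALM_MODULES:
        if delim not in user_name:
            continue  # the "[suffix] No '@' in User-Name" case in the log
        left, _, right = user_name.partition(delim)  # first delimiter wins
        if realm_side == "right":
            return module, right, left
        return module, left, right
    return None, None, user_name


def to_upn(user_name, netbios_to_dns):
    """Rewrite REALM\\user to user@dns-realm using a (constructed) NetBIOS map."""
    module, realm, user = split_user_name(user_name)
    if module != "ntdomain":
        return user_name  # already a UPN, a host/ identity, or no realm at all
    return f"{user}@{netbios_to_dns.get(realm.upper(), realm)}"


def decode_mschap_error(value):
    """Parse an MS-CHAP-Error string such as ' E=691 R=1' into a dict."""
    fields = dict(re.findall(r"\b([ECRV])=(\S+)", value))
    code = int(fields.get("E", "0"))
    return {"code": code,
            "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": fields.get("R") == "1"}
```

Run split_user_name on the two User-Name values from the log to see why one lands in ntdomain and the other in IPASS, and decode_mschap_error on the rejected packet's attribute to read the 691 as an authentication failure with retry permitted.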
