Hi,
I am trying to set up certificate-based EAP-TLS for remote users on LDAP.
I created a FortiAuthenticator local CA as the CA.
While there is no problem with local users, it gives an error with remote LDAP users.
On the Create New User Certificate screen, I used the remote user name as the Name (CN).
I imported the CA and user certificate to the PC, but it did not work.
The same process works with local users.
What could be the reason?
2024-09-02T12:08:04.633327+03:00 fac radiusd[16808]: (144) authorize {
2024-09-02T12:08:04.633338+03:00 fac radiusd[16808]: (144) [preprocess] = ok
2024-09-02T12:08:04.633345+03:00 fac radiusd[16808]: (144) [chap] = noop
2024-09-02T12:08:04.633350+03:00 fac radiusd[16808]: (144) [mschap] = noop
2024-09-02T12:08:04.633356+03:00 fac radiusd[16808]: (144) [digest] = noop
2024-09-02T12:08:04.633363+03:00 fac radiusd[16808]: (144) eap: Peer sent EAP Response (code 2) ID 204 length 17
2024-09-02T12:08:04.633368+03:00 fac radiusd[16808]: (144) eap: No EAP Start, assuming it's an on-going EAP conversation
2024-09-02T12:08:04.633376+03:00 fac radiusd[16808]: (144) [eap] = updated
2024-09-02T12:08:04.633382+03:00 fac radiusd[16808]: (144) [expiration] = noop
2024-09-02T12:08:04.633387+03:00 fac radiusd[16808]: (144) [logintime] = noop
2024-09-02T12:08:04.633410+03:00 fac radiusd[16808]: (144) facauth: facauth: recv Access-Request from 192.168.100.61 port 1314, id=123, length=311
2024-09-02T12:08:04.633415+03:00 fac radiusd[16808]: User-Name = "user.01"
2024-09-02T12:08:04.633420+03:00 fac radiusd[16808]: NAS-IP-Address = 0.0.0.0
2024-09-02T12:08:04.633425+03:00 fac radiusd[16808]: NAS-Identifier = "172.16.17.12/5246-eap.tls"
2024-09-02T12:08:04.633430+03:00 fac radiusd[16808]: Called-Station-Id = "04-D5-90-A5-BE-60:eap.tls"
2024-09-02T12:08:04.633434+03:00 fac radiusd[16808]: NAS-Port-Type = Wireless-802.11
2024-09-02T12:08:04.633440+03:00 fac radiusd[16808]: Service-Type = Framed-User
2024-09-02T12:08:04.633444+03:00 fac radiusd[16808]: NAS-Port = 1
2024-09-02T12:08:04.633448+03:00 fac radiusd[16808]: Fortinet-SSID = "eap.tls"
2024-09-02T12:08:04.633453+03:00 fac radiusd[16808]: Fortinet-AP-Name = "FP221E551XXXXXXXX"
2024-09-02T12:08:04.633457+03:00 fac radiusd[16808]: Calling-Station-Id = "34-02-86-01-CC-41"
2024-09-02T12:08:04.633462+03:00 fac radiusd[16808]: Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11N_2G"
2024-09-02T12:08:04.633467+03:00 fac radiusd[16808]: Acct-Session-Id = "66B4C822000001F4"
2024-09-02T12:08:04.633472+03:00 fac radiusd[16808]: Acct-Multi-Session-Id = "B4BC8EAFDC86E8B0"
2024-09-02T12:08:04.633476+03:00 fac radiusd[16808]: WLAN-Pairwise-Cipher = 1027076
2024-09-02T12:08:04.633481+03:00 fac radiusd[16808]: WLAN-Group-Cipher = 1027076
2024-09-02T12:08:04.633485+03:00 fac radiusd[16808]: WLAN-AKM-Suite = 1027073
2024-09-02T12:08:04.633490+03:00 fac radiusd[16808]: Framed-MTU = 1400
2024-09-02T12:08:04.633494+03:00 fac radiusd[16808]: EAP-Message = 0x02cc00110d800000000715030300020230
2024-09-02T12:08:04.633499+03:00 fac radiusd[16808]: State = 0x26acbcf02560b12454c568aaaa751fd4
2024-09-02T12:08:04.633503+03:00 fac radiusd[16808]: Message-Authenticator = 0x92a72f9721cd8520a6239d5a949ae32b
2024-09-02T12:08:04.633509+03:00 fac radiusd[16808]: Event-Timestamp = "Sep 2 2024 12:08:04 EAT"
2024-09-02T12:08:04.633515+03:00 fac radiusd[16808]: EAP-Type = TLS
2024-09-02T12:08:04.633519+03:00 fac radiusd[16808]: (144) facauth: ===>NAS IP:192.168.100.61
2024-09-02T12:08:04.633525+03:00 fac radiusd[16808]: (144) facauth: ===>Username:user.01
2024-09-02T12:08:04.633532+03:00 fac radiusd[16808]: (144) facauth: ===>Timestamp:1725268084.632969, age:0ms
2024-09-02T12:08:04.633549+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient education.vlan.clients (192.168.77.0/24, 256 IPs)
2024-09-02T12:08:04.633559+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient rzk.wifi (192.168.66.0/24, 256 IPs)
2024-09-02T12:08:04.633564+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient server.vlan.clients (192.168.200.0/24, 256 IPs)
2024-09-02T12:08:04.633569+03:00 fac radiusd[16808]: (144) facauth: Comparing client IP 192.168.100.61 with authclient mgmt.vlan.clients (192.168.100.0/24, 256 IPs)
2024-09-02T12:08:04.633574+03:00 fac radiusd[16808]: (144) facauth: ------> matched!
2024-09-02T12:08:04.633579+03:00 fac radiusd[16808]: (144) facauth: Found authclient from preloaded authclients list for 192.168.100.61: mgmt.vlan.clients (192.168.100.0/24)
2024-09-02T12:08:04.633584+03:00 fac radiusd[16808]: (144) facauth: authclient_id:9 auth_type:'eap-tls'
2024-09-02T12:08:04.634314+03:00 fac radiusd[16808]: (144) facauth: Checking 192.168.100.0/24 (eap.tls.policy): vendor 12356, attr 7 --> "eap.tls" (allow substring match)
2024-09-02T12:08:04.634330+03:00 fac radiusd[16808]: (144) facauth: Found vendor 12356, attr 7 --> "eap.tls"
2024-09-02T12:08:04.634335+03:00 fac radiusd[16808]: (144) facauth: Found authpolicy 'eap.tls.policy' for client '192.168.100.0/24'
2024-09-02T12:08:04.634346+03:00 fac radiusd[16808]: (144) facauth: Client type: external (subtype: radius)
2024-09-02T12:08:04.634353+03:00 fac radiusd[16808]: (144) facauth: Input raw_username: user.01 Realm: (null) username: user.01
2024-09-02T12:08:04.634357+03:00 fac radiusd[16808]: (144) facauth: Searching default realm as well
2024-09-02T12:08:04.634363+03:00 fac radiusd[16808]: (144) facauth: Realm not specified, default goes to remote LDAP, id: 1
2024-09-02T12:08:04.634368+03:00 fac radiusd[16808]: (144) facauth: FAC local user overrides, try searching local user first
2024-09-02T12:08:04.634751+03:00 fac radiusd[16808]: (144) facauth: Cannot find local user user.01
2024-09-02T12:08:04.634764+03:00 fac radiusd[16808]: (144) facauth: Local user not found, try searching remote user
2024-09-02T12:08:04.634771+03:00 fac radiusd[16808]: (144) facauth: Loaded remote ldap (regular bind) 192.168.77.100:636
2024-09-02T12:08:04.635074+03:00 fac radiusd[16808]: (144) facauth: skip ldap user search
2024-09-02T12:08:04.635087+03:00 fac radiusd[16808]: (144) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-09-02T12:08:04.635093+03:00 fac radiusd[16808]: (144) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-09-02T12:08:04.635098+03:00 fac radiusd[16808]: (144) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-09-02T12:08:04.635110+03:00 fac radiusd[16808]: (144) [facauth] = noop
2024-09-02T12:08:04.635117+03:00 fac radiusd[16808]: (144) [pap] = noop
2024-09-02T12:08:04.635122+03:00 fac radiusd[16808]: (144) } # authorize = updated
2024-09-02T12:08:04.635128+03:00 fac radiusd[16808]: (144) Found Auth-Type = eap
2024-09-02T12:08:04.635139+03:00 fac radiusd[16808]: (144) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-09-02T12:08:04.635143+03:00 fac radiusd[16808]: (144) authenticate {
2024-09-02T12:08:04.635152+03:00 fac radiusd[16808]: (144) eap: Expiring EAP session with state 0x26acbcf02560b124
2024-09-02T12:08:04.635158+03:00 fac radiusd[16808]: (144) eap: Finished EAP session with state 0x26acbcf02560b124
2024-09-02T12:08:04.635164+03:00 fac radiusd[16808]: (144) eap: Previous EAP request found for state 0x26acbcf02560b124, released from the list
2024-09-02T12:08:04.635172+03:00 fac radiusd[16808]: (144) eap: Peer sent packet with method EAP TLS (13)
2024-09-02T12:08:04.635177+03:00 fac radiusd[16808]: (144) eap: Calling submodule eap_tls to process data
2024-09-02T12:08:04.635184+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) EAP Peer says that the final record size will be 7 bytes
2024-09-02T12:08:04.635188+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) EAP Got all data (7 bytes)
2024-09-02T12:08:04.635204+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) recv TLS 1.2 Alert, fatal unknown_ca
2024-09-02T12:08:04.635214+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA.
2024-09-02T12:08:04.635220+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA
2024-09-02T12:08:04.635231+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) Server : Need to read more data: error
2024-09-02T12:08:04.635242+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2024-09-02T12:08:04.635254+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) In Handshake Phase
2024-09-02T12:08:04.635258+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) Application data.
2024-09-02T12:08:04.635263+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
2024-09-02T12:08:04.635269+03:00 fac radiusd[16808]: (144) eap_tls: ERROR: [eaptls process] = fail
2024-09-02T12:08:04.635277+03:00 fac radiusd[16808]: (144) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
2024-09-02T12:08:04.635285+03:00 fac radiusd[16808]: (144) eap: Sending EAP Failure (code 4) ID 204 length 4
2024-09-02T12:08:04.635308+03:00 fac radiusd[16808]: (144) eap: Failed in EAP select
2024-09-02T12:08:04.635318+03:00 fac radiusd[16808]: (144) [eap] = invalid
2024-09-02T12:08:04.635323+03:00 fac radiusd[16808]: (144) } # authenticate = invalid
2024-09-02T12:08:04.635328+03:00 fac radiusd[16808]: (144) Failed to authenticate the user
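The radiusd output above says two different things that are easy to run together: the user lookup went to remote LDAP without error, and the TLS handshake then died because the client sent a fatal `unknown_ca` alert about the server certificate. As an added example (not part of the forum post and not a Fortinet tool), the following Python script groups radiusd debug lines by request id, pulls out the username, auth type, user-lookup path and any TLS alert, and prints a one-line diagnosis per request. It assumes the log format shown in the post (the `(144)` request prefix and the `eap_tls: (TLS) recv TLS ... Alert` wording); the embedded sample mixes lines copied from the post with a constructed second request for a local user that succeeds.

```python
"""Summarise EAP-TLS outcomes from FortiAuthenticator radiusd debug lines.

Added example, not from the forum post or from Fortinet. It assumes the
line layout seen in the post: a "(<request id>)" prefix after the
"radiusd[pid]:" field, facauth "===>Username:" lines, an
"auth_type:'...'" line, and eap_tls alert lines of the form
"(TLS) recv TLS 1.2 Alert, fatal unknown_ca".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQ_RE = re.compile(r"radiusd\[\d+\]: \((\d+)\) (.*)$")
USER_RE = re.compile(r"facauth: ===>Username:(\S+)")
AUTHTYPE_RE = re.compile(r"auth_type:'([^']+)'")
ALERT_RE = re.compile(r"eap_tls: \(TLS\) recv TLS ([\d.]+) Alert, (\w+) (\w+)")
RESULT_RE = re.compile(r"\} # authenticate = (\w+)")


@dataclass
class RequestSummary:
    req_id: str
    username: Optional[str] = None
    auth_type: Optional[str] = None
    user_source: Optional[str] = None   # "local" or "remote" once decided
    alert_level: Optional[str] = None   # "fatal" / "warning"
    tls_alert: Optional[str] = None     # e.g. "unknown_ca"
    result: Optional[str] = None        # value of "} # authenticate = ..."
    notes: List[str] = field(default_factory=list)


def summarize(lines) -> Dict[str, RequestSummary]:
    """Group lines by request id and extract the fields we care about."""
    out: Dict[str, RequestSummary] = {}
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue  # RADIUS attribute dump lines carry no "(id)" prefix; skip them
        req_id, msg = m.groups()
        s = out.setdefault(req_id, RequestSummary(req_id))
        if (u := USER_RE.search(msg)):
            s.username = u.group(1)
        if (a := AUTHTYPE_RE.search(msg)):
            s.auth_type = a.group(1)
        if "Cannot find local user" in msg:
            s.notes.append("not a local user")
        if "Local user not found, try searching remote user" in msg:
            s.user_source = "remote"
        if "Found local user" in msg:          # constructed wording for the local path
            s.user_source = "local"
        if "skip ldap user search" in msg:
            s.notes.append("LDAP user search skipped")
        if (t := ALERT_RE.search(msg)):
            s.alert_level, s.tls_alert = t.group(2), t.group(3)
        if (r := RESULT_RE.search(msg)):
            s.result = r.group(1)
    return out


def diagnose(s: RequestSummary) -> str:
    """Turn a summary into the one sentence an operator wants first."""
    if s.tls_alert == "unknown_ca":
        return ("client rejected the server certificate: the CA that issued the "
                "EAP server certificate is not trusted on the client")
    if s.tls_alert:
        return f"TLS handshake aborted by a {s.alert_level} {s.tls_alert} alert"
    if s.result == "invalid":
        return "authentication failed without a TLS alert (check user lookup/policy)"
    return "no failure recorded"


# Sample input: request 144 is copied from the post; request 150 is constructed.
SAMPLE_LINES = [
    "2024-09-02T12:08:04.633525+03:00 fac radiusd[16808]: (144) facauth: ===>Username:user.01",
    "2024-09-02T12:08:04.633584+03:00 fac radiusd[16808]: (144) facauth: authclient_id:9 auth_type:'eap-tls'",
    "2024-09-02T12:08:04.634751+03:00 fac radiusd[16808]: (144) facauth: Cannot find local user user.01",
    "2024-09-02T12:08:04.634764+03:00 fac radiusd[16808]: (144) facauth: Local user not found, try searching remote user",
    "2024-09-02T12:08:04.635074+03:00 fac radiusd[16808]: (144) facauth: skip ldap user search",
    "2024-09-02T12:08:04.635204+03:00 fac radiusd[16808]: (144) eap_tls: (TLS) recv TLS 1.2 Alert, fatal unknown_ca",
    "2024-09-02T12:08:04.635323+03:00 fac radiusd[16808]: (144) } # authenticate = invalid",
    "2024-09-02T12:10:00.000000+03:00 fac radiusd[16808]: (150) facauth: ===>Username:local.user",
    "2024-09-02T12:10:00.000100+03:00 fac radiusd[16808]: (150) facauth: authclient_id:9 auth_type:'eap-tls'",
    "2024-09-02T12:10:00.000200+03:00 fac radiusd[16808]: (150) facauth: Found local user local.user",
    "2024-09-02T12:10:00.000300+03:00 fac radiusd[16808]: (150) } # authenticate = ok",
]

if __name__ == "__main__":
    for rid, s in summarize(SAMPLE_LINES).items():
        print(f"({rid}) {s.username} [{s.auth_type}, {s.user_source}] "
              f"-> {s.result}: {diagnose(s)}")
```

Run against the full debug log rather than the sample, the same script separates requests that fail in facauth (no user, policy mismatch) from requests that reach eap_tls and fail on certificate trust, which is the distinction the post's log makes for request 144.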
I'm not entirely sure what's causing this error either. From what I remember, the problem might be related to the LDAP configuration or how the remote user's certificate is being handled.