Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FAC with Windows Root CA - Windows Clients take se...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FAC with Windows Root CA - Windows Clients take several attempts to present certificate..
I'm running a FortiAuthenticator RADIUS (v_6.6.2) with Trusted CA policy, with the trusted CA being a Windows Server. We have a GPO setup to use either a machine or user cert and confirmed all the settings are consistent with the wireless SSID's auth settings. Clients are taking 60-100secs at times to authenticate.
When viewing the PCAP, the communication is seamless between the FG and FAC, but the client takes several Access-Challenges to finally present its certificate https://19216801.onl/ .
Has anyone else experienced this?
Labels:
- Labels:
-
FortiGate
898
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Vincent,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same issue regardless of FortiAuth, FortiOS, or AP version. Communication is seamless between the windows client and Fortiauth, but on frequent occasions, the client takes several attempts, sometimes 2 or more minutes to finally present the certificate. Windows 11 clients are experience it more than Win10.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Better to open a new topic. For this issue, you'd better check in a packet capture what really is delayed. FortiAuthenticator responding to the client, client responding to the FortiAuthenticator. That'll determine where to look, and where not.
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Vincent,
it will be difficult to say more with the given detail.
Network packets seem fine and fast. You experience a delay, so see where the delay occurs.
Important is what the authentication is and then continue with when the delay happens in that method.
Since you have Wi-Fi and Access-Challenges, you would probably refer to some EAP method. As such, you have to find out which. The PCAP will tell you (the EAP type is written in the packet details).
In EAP you'll see certificates sent from FortiAuthenticator to client in the challenges and in EAP-TLS, the client will also return certificate(s) in the Access-Requests.
The delay will then sum-up from what happens in between the packets, such as the client responding slower with Access-Request to the Challenge, or the other way round. If the FortiAuthenticator is slow to respond to the Access-Requests, then check the RADIUS debug logs at https://fac-ip/debug. On the debug menu, enable the details debug mode and reproduce such slow communication alongside with a packet capture. The PCAP will show when the delay happens, which makes it easier to find that in the text-heavy debug log. Check to identify the packets with identifying criterion. The "State" attribute is quite good to identify a Access-Challenge and its single response, Access-Request.
The Access-Challenge as response to the Access-Request will share the same ID. When you found the two packets, see what happens in between on FortiAuthenticator.
Giving a few examples what might go wrong:
- FAC is doing an LDAP lookup for the user with a given password (EAP-PEAP is likely for that) and the LDAP server responds very slow.
- FAC could be generally overloaded, CPU processing is delayed if FortiAuthenticator is busy with other things or is running below specifications.
- FAC can do some certificate checks on EAP-TLS, these might be slow, more boiling down to the point before.
- There could be too many things to go on; the general log on FortiAuthenticator may give hints on that. Download them from the general log section (not the debug) and see if there is more stuff going on than you'd expect.
Hope this helps for a start.
Best regards,
Markus
- Markus
Labels
-
FortiGate
10,526 -
FortiClient
2,139 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
552 -
6.0
416 -
IPsec
413 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
73 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2559 | |
| 1356 | |
| 795 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.