Hello,
I'm struggling with FortiAuthenticator and MAC bypass and can't make it work. I did read the documentation, but haven't found a solution. My scenario is very simple: (PC)->[TPlink_SW]->[FAC]. All are in the same network - it's all for tests only.
EAP-TLS using a certificate is working as expected. Endpoints have certs deployed. But there are devices that don't support RADIUS (802.1x). Do you have any clue where I can search for a solution? I'm starting to think that the crappy Tplink might be the problem. That the Tplink doesn't understand strong auths or else.
Error Log:
2024-02-14T22:31:05.610504+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Comparing client IP 172.16.1.240 with authclient 172.16.1.239 (172.16.1.239, 1 IPs)
2024-02-14T22:31:05.610510+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Comparing client IP 172.16.1.240 with authclient 172.16.1.17 (172.16.1.17, 1 IPs)
2024-02-14T22:31:05.610515+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Found authclient from preloaded authclients list for 172.16.1.240: 172.16.1.240 (172.16.1.240)
2024-02-14T22:31:05.610520+01:00 FortiAuthenticator radiusd[26760]: (243) eap: authclient_id:10 auth_type:'password'
2024-02-14T22:31:05.611030+01:00 FortiAuthenticator radiusd[26760]: (243) eap: WARNING: No authpolicy for authclient 10 with authtype password
2024-02-14T22:31:05.611037+01:00 FortiAuthenticator radiusd[26760]: (243) eap: ERROR: No mutually acceptable types found
2024-02-14T22:31:05.611050+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Sending EAP Failure (code 4) ID 3 length 4
2024-02-14T22:31:05.611068+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Failed in EAP select
2024-02-14T22:31:05.611074+01:00 FortiAuthenticator radiusd[26760]: (243) [eap] = invalid
2024-02-14T22:31:05.611079+01:00 FortiAuthenticator radiusd[26760]: (243) } # authenticate = invalid
2024-02-14T22:31:05.611085+01:00 FortiAuthenticator radiusd[26760]: (243) Failed to authenticate the user
2024-02-14T22:31:05.611094+01:00 FortiAuthenticator radiusd[26760]: (243) Using Post-Auth-Type Reject
2024-02-14T22:31:05.611101+01:00 FortiAuthenticator radiusd[26760]: (243) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-14T22:31:05.611106+01:00 FortiAuthenticator radiusd[26760]: (243) Post-Auth-Type REJECT {
2024-02-14T22:31:05.611139+01:00 FortiAuthenticator radiusd[26760]: (243) facauth: Updated auth log '501fc65bc05f': 802.1x authentication failed
2024-02-14T22:31:05.611146+01:00 FortiAuthenticator radiusd[26760]: (243) [facauth] = reject
2024-02-14T22:31:05.611151+01:00 FortiAuthenticator radiusd[26760]: (243) } # Post-Auth-Type REJECT = reject
2024-02-14T22:31:05.611159+01:00 FortiAuthenticator radiusd[26760]: (243) Delaying response for 1.000000 seconds
2024-02-14T22:31:05.611171+01:00 FortiAuthenticator radiusd[26760]: Thread 3 waiting to be assigned a request
2024-02-14T22:31:05.790200+01:00 FortiAuthenticator radiusd[26760]: (238) Cleaning up request packet ID 96 with timestamp +3116
2024-02-14T22:31:05.810172+01:00 FortiAuthenticator radiusd[26760]: (239) Cleaning up request packet ID 97 with timestamp +3116
2024-02-14T22:31:05.810183+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.4 seconds.
2024-02-14T22:31:06.278169+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.3 seconds.
2024-02-14T22:31:06.614204+01:00 FortiAuthenticator radiusd[26760]: (243) Sending delayed response
2024-02-14T22:31:06.614214+01:00 FortiAuthenticator radiusd[26760]: (243) Sent Access-Reject Id 101 from 172.16.1.250:1812 to 172.16.1.240:58403 length 44
2024-02-14T22:31:06.614221+01:00 FortiAuthenticator radiusd[26760]: (243) EAP-Message = 0x04030004
2024-02-14T22:31:06.614226+01:00 FortiAuthenticator radiusd[26760]: (243) Message-Authenticator = 0x00000000000000000000000000000000
2024-02-14T22:31:06.614247+01:00 FortiAuthenticator radiusd[26760]: Waking up in 18.5 seconds.
2024-02-14T22:31:25.218201+01:00 FortiAuthenticator radiusd[26760]: (240) Cleaning up request packet ID 98 with timestamp +3136
2024-02-14T22:31:25.218212+01:00 FortiAuthenticator radiusd[26760]: (241) Cleaning up request packet ID 99 with timestamp +3136
2024-02-14T22:31:25.218218+01:00 FortiAuthenticator radiusd[26760]: Waking up in 10.3 seconds.
2024-02-14T22:31:35.618205+01:00 FortiAuthenticator radiusd[26760]: (242) Cleaning up request packet ID 100 with timestamp +3146
2024-02-14T22:31:35.618215+01:00 FortiAuthenticator radiusd[26760]: (243) Cleaning up request packet ID 101 with timestamp +3146
2024-02-14T22:31:35.618221+01:00 FortiAuthenticator radiusd[26760]: Ready to process requests
Plain PAP should work for MAB with FortiAuthenticator.
Yes, it does work. But if I change to PAP, EAP-TLS doesn't work at all on the whole SW - tplink xD I can't set auth type per int ;/
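
An added example, not part of the original posts: a small Python triage script that groups FortiAuthenticator radiusd debug lines by request number and flags requests that were rejected while the log reported no policy for the RADIUS client and auth type. The sample lines are copied from the log above with the syslog prefix trimmed; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the debug log in the original post (syslog prefix trimmed).
SAMPLE = """\
(243) eap: Found authclient from preloaded authclients list for 172.16.1.240: 172.16.1.240 (172.16.1.240)
(243) eap: authclient_id:10 auth_type:'password'
(243) eap: WARNING: No authpolicy for authclient 10 with authtype password
(243) eap: ERROR: No mutually acceptable types found
(243) eap: Sending EAP Failure (code 4) ID 3 length 4
(243) Sent Access-Reject Id 101 from 172.16.1.250:1812 to 172.16.1.240:58403 length 44
(243) Cleaning up request packet ID 101 with timestamp +3146
"""

REQ = re.compile(r"\((\d+)\)\s+(.*)$")   # first "(N)" on a line is the request number
NAS = re.compile(r"Found authclient from preloaded authclients list for (\S+):")
AUTH = re.compile(r"authclient_id:(\d+) auth_type:'([^']+)'")
NO_POLICY = re.compile(r"No authpolicy for authclient \d+ with authtype \S+")
RESULT = re.compile(r"Sent (Access-(?:Accept|Reject|Challenge)) Id (\d+)")

def triage(log_text):
    """Group radiusd debug lines by request number and summarise each request."""
    reqs = defaultdict(lambda: {"no_policy": False, "eap_no_common_type": False})
    for line in log_text.splitlines():
        m = REQ.search(line)
        if not m:
            continue  # thread and timer lines carry no request number
        r, msg = reqs[int(m.group(1))], m.group(2)
        if (h := NAS.search(msg)):
            r["nas_ip"] = h.group(1)
        elif (h := AUTH.search(msg)):
            r["authclient_id"], r["auth_type"] = int(h.group(1)), h.group(2)
        elif NO_POLICY.search(msg):
            r["no_policy"] = True
        elif "No mutually acceptable types found" in msg:
            r["eap_no_common_type"] = True
        elif (h := RESULT.search(msg)):
            r["result"], r["radius_id"] = h.group(1), int(h.group(2))
    return dict(reqs)

def rejected_without_policy(log_text):
    """Requests that ended in Access-Reject after a 'No authpolicy' warning."""
    return {n: r for n, r in triage(log_text).items()
            if r.get("result") == "Access-Reject" and r["no_policy"]}

if __name__ == "__main__":
    for num, r in rejected_without_policy(SAMPLE).items():
        print(f"request {num}: NAS {r['nas_ip']} authclient {r['authclient_id']} "
              f"auth_type {r['auth_type']} -> {r['result']} (no matching policy)")
```

The same functions accept the full syslog lines as posted, since the request number is taken from the first parenthesised integer on each line.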