FortiAuthenticator ERROR: No mutually acceptable types found

romank · ‎02-14-2024

Hello,

Im struggling with FortiAuthenticator and MAC bypass, cant make it work, I did read documentation, but havent found solution. My scenerio is very simple, (PC)->[TPlink_SW]->[FAC]. All are in the same network - its all for tests only.

EAP-TLS using certificate is working as expected. Endpoints has certs deployed. But There devices that dodnt support RADIUS(802.1x). Do you have any clue where can I search for solution? Im starting thinking that crapy tplink might be the problem. That Tplink dont understand strong auths or else.

Error Log:

2024-02-14T22:31:05.610504+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Comparing client IP 172.16.1.240 with authclient 172.16.1.239 (172.16.1.239, 1 IPs)
2024-02-14T22:31:05.610510+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Comparing client IP 172.16.1.240 with authclient 172.16.1.17 (172.16.1.17, 1 IPs)
2024-02-14T22:31:05.610515+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Found authclient from preloaded authclients list for 172.16.1.240: 172.16.1.240 (172.16.1.240)
2024-02-14T22:31:05.610520+01:00 FortiAuthenticator radiusd[26760]: (243) eap: authclient_id:10 auth_type:'password'
2024-02-14T22:31:05.611030+01:00 FortiAuthenticator radiusd[26760]: (243) eap: WARNING: No authpolicy for authclient 10 with authtype password
2024-02-14T22:31:05.611037+01:00 FortiAuthenticator radiusd[26760]: (243) eap: ERROR: No mutually acceptable types found
2024-02-14T22:31:05.611050+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Sending EAP Failure (code 4) ID 3 length 4
2024-02-14T22:31:05.611068+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Failed in EAP select
2024-02-14T22:31:05.611074+01:00 FortiAuthenticator radiusd[26760]: (243) [eap] = invalid
2024-02-14T22:31:05.611079+01:00 FortiAuthenticator radiusd[26760]: (243) } # authenticate = invalid
2024-02-14T22:31:05.611085+01:00 FortiAuthenticator radiusd[26760]: (243) Failed to authenticate the user
2024-02-14T22:31:05.611094+01:00 FortiAuthenticator radiusd[26760]: (243) Using Post-Auth-Type Reject
2024-02-14T22:31:05.611101+01:00 FortiAuthenticator radiusd[26760]: (243) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-14T22:31:05.611106+01:00 FortiAuthenticator radiusd[26760]: (243) Post-Auth-Type REJECT {
2024-02-14T22:31:05.611139+01:00 FortiAuthenticator radiusd[26760]: (243) facauth: Updated auth log '501fc65bc05f': 802.1x authentication failed
2024-02-14T22:31:05.611146+01:00 FortiAuthenticator radiusd[26760]: (243) [facauth] = reject
2024-02-14T22:31:05.611151+01:00 FortiAuthenticator radiusd[26760]: (243) } # Post-Auth-Type REJECT = reject
2024-02-14T22:31:05.611159+01:00 FortiAuthenticator radiusd[26760]: (243) Delaying response for 1.000000 seconds
2024-02-14T22:31:05.611171+01:00 FortiAuthenticator radiusd[26760]: Thread 3 waiting to be assigned a request
2024-02-14T22:31:05.790200+01:00 FortiAuthenticator radiusd[26760]: (238) Cleaning up request packet ID 96 with timestamp +3116
2024-02-14T22:31:05.810172+01:00 FortiAuthenticator radiusd[26760]: (239) Cleaning up request packet ID 97 with timestamp +3116
2024-02-14T22:31:05.810183+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.4 seconds.
2024-02-14T22:31:06.278169+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.3 seconds.
2024-02-14T22:31:06.614204+01:00 FortiAuthenticator radiusd[26760]: (243) Sending delayed response
2024-02-14T22:31:06.614214+01:00 FortiAuthenticator radiusd[26760]: (243) Sent Access-Reject Id 101 from 172.16.1.250:1812 to 172.16.1.240:58403 length 44
2024-02-14T22:31:06.614221+01:00 FortiAuthenticator radiusd[26760]: (243) EAP-Message = 0x04030004
2024-02-14T22:31:06.614226+01:00 FortiAuthenticator radiusd[26760]: (243) Message-Authenticator = 0x00000000000000000000000000000000
2024-02-14T22:31:06.614247+01:00 FortiAuthenticator radiusd[26760]: Waking up in 18.5 seconds.
2024-02-14T22:31:25.218201+01:00 FortiAuthenticator radiusd[26760]: (240) Cleaning up request packet ID 98 with timestamp +3136
2024-02-14T22:31:25.218212+01:00 FortiAuthenticator radiusd[26760]: (241) Cleaning up request packet ID 99 with timestamp +3136
2024-02-14T22:31:25.218218+01:00 FortiAuthenticator radiusd[26760]: Waking up in 10.3 seconds.
2024-02-14T22:31:35.618205+01:00 FortiAuthenticator radiusd[26760]: (242) Cleaning up request packet ID 100 with timestamp +3146
2024-02-14T22:31:35.618215+01:00 FortiAuthenticator radiusd[26760]: (243) Cleaning up request packet ID 101 with timestamp +3146
2024-02-14T22:31:35.618221+01:00 FortiAuthenticator radiusd[26760]: Ready to process requests

rkr

ebilcari · ‎02-15-2024

Have you created separate RADIUS policies for EAP-TLS and MAB and are the MAC authentication request hitting the right policy?

Regarding the TP link configuration keep in mind that there is also a MAC authentication method over EAP (EAP-MD5), make sure it uses the standard not encapsulated method.

You can run a packet capture to get more info from FAC CLI:
> execute tcpdump -i any port 1812

and download the capture from GUI: https://<fac>/debug/pcap-dump/

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

romank · ‎02-15-2024

Good pooint to check tcpdump - will do that. Regarding SW - I can set only PAP or EAP. I do have policy for MAB of FAC, Sw ports are also configured to use "MAC Based"

rkr

romank · ‎02-15-2024

So actually nothing explicitly displayed here ;)

17:23:34.206471 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x69 length: 128 17:23:34.207627 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Chal lenge (11), id: 0x69 length: 64 17:23:34.211661 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x6a length: 135 17:23:35.214216 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Reje ct (3), id: 0x6a length: 44 17:24:00.585100 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x6b length: 128 17:24:00.586196 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Chal lenge (11), id: 0x6b length: 64 17:24:00.590620 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x6c length: 135 17:24:01.594233 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Reje ct (3), id: 0x6c length: 44 17:24:04.326067 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x6d length: 128 17:24:04.327252 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Chal lenge (11), id: 0x6d length: 64 17:24:04.331071 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x6e length: 135 17:24:05.334231 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Reje ct (3), id: 0x6e length: 44 17:24:34.256675 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x6f length: 128 17:24:34.257754 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Chal lenge (11), id: 0x6f length: 64 17:24:34.261545 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Requ est (1), id: 0x70 length: 135 17:24:35.266251 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Reje ct (3), id: 0x70 length: 44 17:25:34.193607 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Request (1), id: 0x71 length: 128 17:25:34.194649 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Challenge (11), id: 0x71 length: 64 17:25:34.198556 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Request (1), id: 0x72 length: 135 17:25:35.202219 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Reject (3), id: 0x72 length: 44 17:26:00.583626 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Request (1), id: 0x73 length: 128 17:26:00.584668 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Challenge (11), id: 0x73 length: 64 17:26:00.592660 IP 172.16.1.240.58403 > 172.16.1.250.radius: RADIUS, Access-Request (1), id: 0x74 length: 135 17:26:01.598215 IP 172.16.1.250.radius > 172.16.1.240.58403: RADIUS, Access-Reject (3), id: 0x74 length: 44

rkr

romank · ‎02-15-2024

Here you have how policies look like and MAC for the device.

From given logs I cant see that its catching into my first policy.

Did wireshark and I can notice that SW is trying to do MD5 challangeSW Settings

rkr

ebilcari · ‎02-16-2024

So it looks like the switch is doing MAC authentication over EAP tunnel. The simplest way is to change the configuration of the switch to do plain MAC authentication and not over EAP. Since the username and password is the MAC address that is already visible there is no added security in this case.

The second method could be using the filters in FAC RADIUS policies to distinguish between EAP-TLS and EAP-MD5

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

pminarik · ‎02-16-2024

Just to clarify: The EAP method offers do not happen in the very first Access-Request message, thus policy-matching based on EAP-Message content will not work if its purpose is to match an EAP-MD5 request.

[ corrections always welcome ]

ebilcari · ‎02-16-2024

Also I searched through the documentations and didn't find any hints that FAC support MAC authentication over EAP. I guess that the MAB authentication rule will not match if the RADIUS requests are coming as EAP.

The only way would be changing the configuration on the switch.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

romank · ‎02-19-2024

I'll test potential solution from given screenshot.

rkr

romank · ‎02-19-2024

Oh Thx, I'll take a look at it. May I ask you what exactly should I put into EAP-MSG? You mean type of auth request? or just EAP-MD5?

TPlink(unfortunately) is not capable to choose which protocol could be used for MAB. I can use PAP or EAP - There is no posibility to set it per port. On Cisco - yes, but as we know, its different league.

rkr