romank
New Contributor III

FortiAuthenticator ERROR: No mutually acceptable types found

Hello,

 

I'm struggling with FortiAuthenticator and MAC bypass and can't make it work. I did read the documentation, but haven't found a solution. My scenario is very simple: (PC)->[TPlink_SW]->[FAC]. All are in the same network; it's all for tests only.

EAP-TLS using a certificate is working as expected. Endpoints have certs deployed. But there are devices that don't support RADIUS (802.1x). Do you have any clue where I can search for a solution? I'm starting to think that the crappy Tplink might be the problem. That the Tplink doesn't understand strong auths or else.

Error Log:

 

2024-02-14T22:31:05.610504+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Comparing client IP 172.16.1.240 with authclient 172.16.1.239 (172.16.1.239, 1 IPs)
2024-02-14T22:31:05.610510+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Comparing client IP 172.16.1.240 with authclient 172.16.1.17 (172.16.1.17, 1 IPs)
2024-02-14T22:31:05.610515+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Found authclient from preloaded authclients list for 172.16.1.240: 172.16.1.240 (172.16.1.240)
2024-02-14T22:31:05.610520+01:00 FortiAuthenticator radiusd[26760]: (243) eap: authclient_id:10 auth_type:'password'
2024-02-14T22:31:05.611030+01:00 FortiAuthenticator radiusd[26760]: (243) eap: WARNING: No authpolicy for authclient 10 with authtype password
2024-02-14T22:31:05.611037+01:00 FortiAuthenticator radiusd[26760]: (243) eap: ERROR: No mutually acceptable types found
2024-02-14T22:31:05.611050+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Sending EAP Failure (code 4) ID 3 length 4
2024-02-14T22:31:05.611068+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Failed in EAP select
2024-02-14T22:31:05.611074+01:00 FortiAuthenticator radiusd[26760]: (243) [eap] = invalid
2024-02-14T22:31:05.611079+01:00 FortiAuthenticator radiusd[26760]: (243) } # authenticate = invalid
2024-02-14T22:31:05.611085+01:00 FortiAuthenticator radiusd[26760]: (243) Failed to authenticate the user
2024-02-14T22:31:05.611094+01:00 FortiAuthenticator radiusd[26760]: (243) Using Post-Auth-Type Reject
2024-02-14T22:31:05.611101+01:00 FortiAuthenticator radiusd[26760]: (243) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-14T22:31:05.611106+01:00 FortiAuthenticator radiusd[26760]: (243) Post-Auth-Type REJECT {
2024-02-14T22:31:05.611139+01:00 FortiAuthenticator radiusd[26760]: (243) facauth: Updated auth log '501fc65bc05f': 802.1x authentication failed
2024-02-14T22:31:05.611146+01:00 FortiAuthenticator radiusd[26760]: (243) [facauth] = reject
2024-02-14T22:31:05.611151+01:00 FortiAuthenticator radiusd[26760]: (243) } # Post-Auth-Type REJECT = reject
2024-02-14T22:31:05.611159+01:00 FortiAuthenticator radiusd[26760]: (243) Delaying response for 1.000000 seconds
2024-02-14T22:31:05.611171+01:00 FortiAuthenticator radiusd[26760]: Thread 3 waiting to be assigned a request
2024-02-14T22:31:05.790200+01:00 FortiAuthenticator radiusd[26760]: (238) Cleaning up request packet ID 96 with timestamp +3116
2024-02-14T22:31:05.810172+01:00 FortiAuthenticator radiusd[26760]: (239) Cleaning up request packet ID 97 with timestamp +3116
2024-02-14T22:31:05.810183+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.4 seconds.
2024-02-14T22:31:06.278169+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.3 seconds.
2024-02-14T22:31:06.614204+01:00 FortiAuthenticator radiusd[26760]: (243) Sending delayed response
2024-02-14T22:31:06.614214+01:00 FortiAuthenticator radiusd[26760]: (243) Sent Access-Reject Id 101 from 172.16.1.250:1812 to 172.16.1.240:58403 length 44
2024-02-14T22:31:06.614221+01:00 FortiAuthenticator radiusd[26760]: (243) EAP-Message = 0x04030004
2024-02-14T22:31:06.614226+01:00 FortiAuthenticator radiusd[26760]: (243) Message-Authenticator = 0x00000000000000000000000000000000
2024-02-14T22:31:06.614247+01:00 FortiAuthenticator radiusd[26760]: Waking up in 18.5 seconds.
2024-02-14T22:31:25.218201+01:00 FortiAuthenticator radiusd[26760]: (240) Cleaning up request packet ID 98 with timestamp +3136
2024-02-14T22:31:25.218212+01:00 FortiAuthenticator radiusd[26760]: (241) Cleaning up request packet ID 99 with timestamp +3136
2024-02-14T22:31:25.218218+01:00 FortiAuthenticator radiusd[26760]: Waking up in 10.3 seconds.
2024-02-14T22:31:35.618205+01:00 FortiAuthenticator radiusd[26760]: (242) Cleaning up request packet ID 100 with timestamp +3146
2024-02-14T22:31:35.618215+01:00 FortiAuthenticator radiusd[26760]: (243) Cleaning up request packet ID 101 with timestamp +3146
2024-02-14T22:31:35.618221+01:00 FortiAuthenticator radiusd[26760]: Ready to process requests

 

 

rkr
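As an added example (not part of the original post and not Fortinet code), this Python script groups the radiusd debug lines above by request number and extracts the matched RADIUS client, the auth type, the warning and error, the final verdict and the decoded EAP header. The field names and regular expressions are assumptions derived only from the log lines shown in this thread.

```python
import re
from collections import defaultdict

# Lines copied from the log in the post above (request 243 plus one idle line).
SAMPLE_LOG = """\
2024-02-14T22:31:05.610515+01:00 FortiAuthenticator radiusd[26760]: (243) eap: Found authclient from preloaded authclients list for 172.16.1.240: 172.16.1.240 (172.16.1.240)
2024-02-14T22:31:05.610520+01:00 FortiAuthenticator radiusd[26760]: (243) eap: authclient_id:10 auth_type:'password'
2024-02-14T22:31:05.611030+01:00 FortiAuthenticator radiusd[26760]: (243) eap: WARNING: No authpolicy for authclient 10 with authtype password
2024-02-14T22:31:05.611037+01:00 FortiAuthenticator radiusd[26760]: (243) eap: ERROR: No mutually acceptable types found
2024-02-14T22:31:05.810183+01:00 FortiAuthenticator radiusd[26760]: Waking up in 0.4 seconds.
2024-02-14T22:31:06.614214+01:00 FortiAuthenticator radiusd[26760]: (243) Sent Access-Reject Id 101 from 172.16.1.250:1812 to 172.16.1.240:58403 length 44
2024-02-14T22:31:06.614221+01:00 FortiAuthenticator radiusd[26760]: (243) EAP-Message = 0x04030004
"""

LINE = re.compile(r"radiusd\[\d+\]: \((\d+)\)\s+(.*)$")
FIELDS = {  # hypothetical field names; patterns match the lines shown in this thread
    "nas_ip": re.compile(r"Found authclient from preloaded authclients list for ([\d.]+):"),
    "client_id": re.compile(r"authclient_id:(\d+)"),
    "auth_type": re.compile(r"auth_type:'(\w+)'"),
    "warning": re.compile(r"WARNING: (.*)"),
    "error": re.compile(r"ERROR: (.*)"),
    "verdict": re.compile(r"Sent (Access-\w+) "),
    "eap_hex": re.compile(r"EAP-Message = 0x([0-9a-fA-F]+)"),
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap_header(hex_str):
    """Return (code name, identifier, length) from the 4-byte EAP header (RFC 3748)."""
    raw = bytes.fromhex(hex_str)
    return EAP_CODES.get(raw[0], str(raw[0])), raw[1], int.from_bytes(raw[2:4], "big")

def summarize(log_text):
    """Group radiusd debug lines by request number; keep the first hit per field."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # scheduler lines ("Waking up in ...") carry no request number
        req_id, msg = m.groups()
        for name, pattern in FIELDS.items():
            hit = pattern.search(msg)
            if hit:
                requests[req_id].setdefault(name, hit.group(1))
    for info in requests.values():
        if "eap_hex" in info:
            info["eap"] = decode_eap_header(info.pop("eap_hex"))
    return dict(requests)

if __name__ == "__main__":
    for req_id, info in summarize(SAMPLE_LOG).items():
        print(req_id, info)
```
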
pminarik

Plain PAP should work for MAB with FortiAuthenticator.

[ corrections always welcome ]
romank
New Contributor III

Yes, it does work. But if I change to PAP, EAP-TLS doesn't work at all on the whole SW - tplink xD I can't set the auth type per int ;/

rkr