Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TheElegantDuckBill
New Contributor

Created on ‎11-10-2023 11:43 AM Edited on ‎02-26-2024 05:55 AM By Community Manager

FortiAuthenticator HA Load Balance WPA2 Enterprise cant connect during single site failure

We have 2 FortiAuthenticators in seperate locations in an HA load balance. If the site that is listed in our fortigates as the primary server experiences an outage, Wifi connection is unsuccessful. I can see in the debug logs for the remaining FAC that the authentication is processed successfully but the fortigate/fortiAP is unable to successfully connect. Sites that have the remaining FortiAuth as primary instead of secondary connect successfully.

 

My working theory is that the remote auth failure time is too long to fail over to the secondary server for the WPA authentication to process successfully and establish a successful connection. Has anybody run in to anything similar?

594
1 Solution
ebilcari
Staff
Staff

Created on ‎11-12-2023 01:55 AM

I would suggest to use in one of the FGTs the secondary FAC (LB) as the primary RADIUS server or as a single server. This way you verify if the secondary FAC can actually authenticate the users properly. Sometimes the HA functions are not tested after each configuration change until a real failover happens :).

If everything is working fine than in this case the reason of failing authentications could be the FGT not detecting the first RADIUS server as dead in time. If this is the case you can try to use the second method that is suggested in this section of the Administration guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

558
4 REPLIES 4
ebilcari
Staff
Staff

Created on ‎11-12-2023 01:55 AM

I would suggest to use in one of the FGTs the secondary FAC (LB) as the primary RADIUS server or as a single server. This way you verify if the secondary FAC can actually authenticate the users properly. Sometimes the HA functions are not tested after each configuration change until a real failover happens :).

If everything is working fine than in this case the reason of failing authentications could be the FGT not detecting the first RADIUS server as dead in time. If this is the case you can try to use the second method that is suggested in this section of the Administration guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
559
ndumaj
Staff
Staff
In response to ebilcari

Created on ‎11-12-2023 02:15 AM

 Correct secondary FAC LB should be listed as secondary radius server:

 

Radius client(1).png

Only in this way the Radius Server time out will be triggered.

Please review also the following article:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-nbsp-Failover-Scenarios-of-Active...

-BR-
Nervil

- Happy to help, hit like and accept the solution -
549
0 Kudos
TheElegantDuckBill
New Contributor
In response to ebilcari

Created on ‎11-14-2023 12:40 PM

It does appear that is the case, I validated the suggested solution of creating a 2nd radius profile as was mentioned in that article for simultaneous auth requests. It now successfully authenticates to our WPA2 enterprise SSID after individually breaking connection to either FAC. Appreciate the insight, Thanks.

505
ebilcari
Staff
Staff
In response to TheElegantDuckBill

Created on ‎11-15-2023 12:10 AM

Thank you for your feedback, glad to help.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
491
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.