Created on 11-10-2023 11:43 AM Edited on 02-26-2024 05:55 AM By Kate_M
We have 2 FortiAuthenticators in seperate locations in an HA load balance. If the site that is listed in our fortigates as the primary server experiences an outage, Wifi connection is unsuccessful. I can see in the debug logs for the remaining FAC that the authentication is processed successfully but the fortigate/fortiAP is unable to successfully connect. Sites that have the remaining FortiAuth as primary instead of secondary connect successfully.
My working theory is that the remote auth failure time is too long to fail over to the secondary server for the WPA authentication to process successfully and establish a successful connection. Has anybody run in to anything similar?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I would suggest to use in one of the FGTs the secondary FAC (LB) as the primary RADIUS server or as a single server. This way you verify if the secondary FAC can actually authenticate the users properly. Sometimes the HA functions are not tested after each configuration change until a real failover happens :).
If everything is working fine than in this case the reason of failing authentications could be the FGT not detecting the first RADIUS server as dead in time. If this is the case you can try to use the second method that is suggested in this section of the Administration guide.
I would suggest to use in one of the FGTs the secondary FAC (LB) as the primary RADIUS server or as a single server. This way you verify if the secondary FAC can actually authenticate the users properly. Sometimes the HA functions are not tested after each configuration change until a real failover happens :).
If everything is working fine than in this case the reason of failing authentications could be the FGT not detecting the first RADIUS server as dead in time. If this is the case you can try to use the second method that is suggested in this section of the Administration guide.
Correct secondary FAC LB should be listed as secondary radius server:
Only in this way the Radius Server time out will be triggered.
Please review also the following article:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-nbsp-Failover-Scenarios-of-Active...
-BR-
Nervil
It does appear that is the case, I validated the suggested solution of creating a 2nd radius profile as was mentioned in that article for simultaneous auth requests. It now successfully authenticates to our WPA2 enterprise SSID after individually breaking connection to either FAC. Appreciate the insight, Thanks.
Thank you for your feedback, glad to help.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.