Created on 11-10-2023 11:43 AM, edited on 02-26-2024 05:55 AM by Kate_M
FortiAuthenticator HA Load Balance WPA2 Enterprise can't connect during single site failure
We have 2 FortiAuthenticators in separate locations in an HA load balance. If the site that is listed in our FortiGates as the primary server experiences an outage, Wi-Fi connection is unsuccessful. I can see in the debug logs for the remaining FAC that the authentication is processed successfully, but the FortiGate/FortiAP is unable to successfully connect. Sites that have the remaining FortiAuth as primary instead of secondary connect successfully.
My working theory is that the remote auth failure time is too long to fail over to the secondary server for the WPA authentication to process successfully and establish a successful connection. Has anybody run into anything similar?
I would suggest using, in one of the FGTs, the secondary FAC (LB) as the primary RADIUS server or as a single server. This way you verify whether the secondary FAC can actually authenticate the users properly. Sometimes the HA functions are not tested after each configuration change until a real failover happens :).
If everything is working fine, then in this case the reason for the failing authentications could be the FGT not detecting the first RADIUS server as dead in time. If this is the case you can try to use the second method that is suggested in this section of the Administration guide.
If you have found a solution, please like and accept it to make it easily accessible for others.
Correct, the secondary FAC LB should be listed as the secondary RADIUS server:
Only in this way will the RADIUS server timeout be triggered.
Please review also the following article:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-nbsp-Failover-Scenarios-of-Active...
-BR-
Nervil
It does appear that is the case. I validated the suggested solution of creating a 2nd RADIUS profile, as was mentioned in that article, for simultaneous auth requests. It now successfully authenticates to our WPA2 Enterprise SSID after individually breaking the connection to either FAC. Appreciate the insight, thanks.
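To make the accepted fix concrete, the following FortiOS CLI sketch is added here as an illustration; it is not from any post in this thread or from Fortinet's documentation. The first form lists the second FAC as `secondary-server` inside one RADIUS object, so the FortiGate only moves on after the primary's dead-server timeout; the second form defines one RADIUS object per FAC and puts both in the SSID's user group, which is the "2nd RADIUS profile for simultaneous auth requests" arrangement the original poster validated. The IPs, object names and shared secret are placeholders, the timeout value is an assumption, and the option names should be checked against your FortiOS release.

```text
# Form 1 (sequential failover): one RADIUS object, second FAC as secondary.
# The FortiGate tries site B only after the primary's timeout expires,
# which is the delay the poster suspected the WPA2 clients could not wait out.
config user radius
    edit "FAC-HA"
        set server "192.0.2.10"            # FAC at site A (placeholder IP)
        set secondary-server "192.0.2.20"  # FAC at site B (placeholder IP)
        set secret "REPLACE_WITH_SHARED_SECRET"
        set timeout 5                      # assumed value; verify the default for your release
    next
end

# Form 2 (simultaneous requests): one RADIUS object per FAC, both members
# of the user group the SSID authenticates against. A single-site outage
# then no longer depends on dead-server detection finishing in time.
config user radius
    edit "FAC-SiteA"
        set server "192.0.2.10"
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
    edit "FAC-SiteB"
        set server "192.0.2.20"
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
end

config user group
    edit "WiFi-Enterprise"
        set member "FAC-SiteA" "FAC-SiteB"
    next
end

# Bind the SSID to the group rather than to a single RADIUS object.
config wireless-controller vap
    edit "corp-ssid"                       # placeholder SSID name
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "WiFi-Enterprise"
    next
end

# Both FACs must list the FortiGate (and any FortiAP addresses that source
# RADIUS traffic) as RADIUS clients with the same secret; otherwise Form 2
# fails on exactly the FAC that was never exercised before the outage.
```

Test the result the way the first reply recommends: break the path to each FAC in turn and confirm clients still complete 802.1X, rather than trusting the HA setting until a real site outage.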
Thank you for your feedback, glad to help.
If you have found a solution, please like and accept it to make it easily accessible for others.
