TheElegantDuckBill
New Contributor

FortiAuthenticator HA Load Balance WPA2 Enterprise can't connect during single site failure

We have 2 FortiAuthenticators in separate locations in an HA load balance. If the site that is listed in our FortiGates as the primary server experiences an outage, Wi-Fi connection is unsuccessful. I can see in the debug logs for the remaining FAC that the authentication is processed successfully, but the FortiGate/FortiAP is unable to successfully connect. Sites that have the remaining FortiAuth as primary instead of secondary connect successfully.


My working theory is that the remote auth failure time is too long to fail over to the secondary server for the WPA authentication to process successfully and establish a successful connection. Has anybody run into anything similar?

1 Solution
ebilcari
Staff

I would suggest using, in one of the FGTs, the secondary FAC (LB) as the primary RADIUS server or as a single server. This way you verify if the secondary FAC can actually authenticate the users properly. Sometimes the HA functions are not tested after each configuration change until a real failover happens :).

If everything is working fine, then in this case the reason for failing authentications could be the FGT not detecting the first RADIUS server as dead in time. If this is the case, you can try to use the second method that is suggested in this section of the Administration guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

ndumaj

Correct, the secondary FAC LB should be listed as the secondary RADIUS server:


[Image: Radius client(1).png]

Only in this way will the RADIUS server timeout be triggered.

Please review also the following article:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-nbsp-Failover-Scenarios-of-Active...

-BR-
Nervil

- Happy to help, hit like and accept the solution -
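As an added illustration (not from the thread, and not taken from Fortinet documentation), here is the FortiGate CLI configuration ndumaj describes, with the second FAC listed as the secondary server of the same RADIUS server object, followed by the check ebilcari suggests: a temporary server object that points only at the second FAC, tested from the CLI so the standby FAC is proven to authenticate users before a real site outage. The object names, IP addresses, shared secrets and the test account are placeholders.

```fortios
# Added example, not from the thread. Object names, IPs, secrets and
# the test account are placeholders; replace them with your own values.

# One RADIUS server object: FAC at site A first, FAC at site B second.
# Listing the second FAC here, rather than only in a separate object,
# is what lets the FortiGate fall back after the first server times out.
config user radius
    edit "FAC-RADIUS"
        set server "203.0.113.10"
        set secret <shared-secret-A>
        set secondary-server "198.51.100.10"
        set secondary-secret <shared-secret-B>
    next
end

# Global timeout applied to remote (RADIUS/LDAP) authentication attempts.
# The fallback to the secondary server only starts once this expires,
# so it has to fit inside the time the wireless client will wait for
# the EAP exchange to complete.
config system global
    set remoteauthtimeout 5
end

# Verification: a temporary object that points only at the site B FAC,
# then a test authentication against it from the FortiGate CLI.
config user radius
    edit "FAC-B-ONLY-TEST"
        set server "198.51.100.10"
        set secret <shared-secret-B>
    next
end
diagnose test authserver radius FAC-B-ONLY-TEST pap testuser <password>
```

The `diagnose test authserver radius` output reports whether the named server accepted or rejected the test user, which answers ebilcari's first question (can the secondary FAC authenticate at all?) without waiting for a failover. If that succeeds but clients still fail during a site outage, the remaining variable is how long the FortiGate takes to declare the first server dead; lowering `remoteauthtimeout` shortens that, at the cost of more spurious timeouts on a high-latency WAN link, so change it in small steps and re-test with the first FAC deliberately unreachable.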
TheElegantDuckBill

It does appear that is the case. I validated the suggested solution of creating a 2nd RADIUS profile, as was mentioned in that article, for simultaneous auth requests. It now successfully authenticates to our WPA2 enterprise SSID after individually breaking connection to either FAC. Appreciate the insight, thanks.

ebilcari

Thank you for your feedback, glad to help.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.