We setup a FAC about a month ago and we are using it for two factor VPN with mobile foritokens and Fortinet firewalls. We have it setup to authenticate VPN users using LDAP (active directory). I am now trying to use it to authenticate users for a wireless network WPA Enterprise. I have setup a new SSID on our UniFi access points and pointed it to the FAC as the radius server for authentication. I also setup a new radius client on the FAC for the UniFi APs. I am able to authenticate if I setup the radius client for local authentication and use a local user on the FAC. The problem I have is when I try to authenticate to active directory. We are just trying to authenticate the user credentials without any certificates. When configuring the network settings on the client computers they are setup to use PEAP/Mschapv2 for user authentication and not to validate server identity via certificate. I think the mschapv2 might be causing the issue and not sure how to resolve it. I did some testing with NTRadPing and have included results below. I think by default it uses PAP which seems to work but when I choose CHAP it fails also.
Connection success
Radius setup for local auth, no EAP types selected, logging in via NTRadPing
Radius setup for local auth, PEAP selected, logging in via NTRadPing
Radius setup for local auth, PEAP selected, logging in via wifi client
Radius setup for ldap auth, no EAP types selected, logging in via NTRadPing
Radius setup for ldap auth, PEAP selected, logging in via NTRadPing
Connections fails
Radius setup for ldap auth, any EAP types, and the wifi client
Radius setup for ldap auth, any EAP types, NTRadPing if selecting CHAP
Appreciate any help
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I was able to get some logging from the unifi access pointn as I was testing the authentication. Here is what was returned in the log.
Mar 28 15:52:13 WAP281-2-44 daemon.warn hostapd: ath3: STA a0:af:bd:8a:35:c2 IEEE 802.1X: could not extract EAP-Message from RADIUS message Mar 28 15:52:13 WAP281-2-44 daemon.warn hostapd: ath3: STA a0:af:bd:8a:35:c2 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Mar 28 15:52:13 WAP281-2-44 user.info syslog: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ath3: a0:af:bd:8a:35:c2 / 1 Mar 28 15:52:18 WAP281-2-44 daemon.info hostapd: ath3: STA a0:af:bd:8a:35:c2 IEEE 802.11: deauthenticated due to local deauth request
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.