Hello Fortinet fellows,
I am testing portal services on FAC vm.
On Fortigate I configured SSID with external captive portal using the following captive portal URL:
where 172.16.14.9 is FAC IP.
172.16.14.9 is also configured as radius server on FG.
the ssid interface ip is 172.16.15.1 (clients in range 172.16.15.0/24)
The fortiaccess point manament ip is 172.16.21.2
On FAC portal policy the AP ip is configured to be in the 172.16.21.0/24 (the ap management ip)
When client associates with the ap it successfully redirected to the captive portal.
I notice the parameter apip=172.16.21.2 in the url (see the packet capture)
However the user is failing to authenticate.
FAC logs :
2022-07-25T07:46:34.199830-07:00 FortiAuthenticator radiusd[4720]: (13) facauth: ERROR: The AP of portal policy 10 does not contain client 172.16.15.1
2022-07-25T07:46:34.199849-07:00 FortiAuthenticator radiusd[4720]: (13) Invalid user (facauth: The AP of portal policy 10 does not contain client 172.16.15.1 :( [ab] (from client localhost port 20)
I tried changing the AP ip on the portal policy to include all the 172.16.0.0/16 subnet the issue is resolved.
I wonder which AP ip should be used in the portal policy ( the ap mgmt ip or the ssid interface ip).
If the correct apip is the ssid interface ip (172.16.15.1): then why the parameter apip=172.16.21.2 appears in the redirect URL?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
do the packet capture (either on FGT or better on FAC) to catch RADIUS packets and see where the Access-Request for your wifi client came from.
IF FGT is the NAS, managing SSID and so being the Network Access Service/Server authenticating clients (the one sending RADIUS Access-Requests to RADIUS server (FAC in here)), then IP of the authorized client on FAC should be that FGT's IP.
Like in FAC log mentioned 172.16.15.1.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello Tom,
It seems that this validation happens even before the RADIUS traffic flows between FG and the FAC. The capture only shows the http traffic and no packets seen on port 1812.
When I change the AP IP on FAC in the portal policy, I successfully see the RADIUS traffic.
Note as per the screenshot, my problem is with the AP ip not the RADIUS clients.
To keep things simple:
The "post=xxx" part of the URL must be an IP/FQDN included in "Chosen access points". (in your case = 172.16.15.1, based on the pcap)
"Chosen RADIUS Clients" must include the source IP from which the follow-up RADIUS request will come. (e.g. if the FortiGate talks to the FAC via interface port7 with IP 1.2.3.4 (unless you manually changed the source-ip with the "set source-ip" CLI option), then that 1.2.3.4 must be among the chosen RADIUS clients)
The "apip=xxx" element by default is not considered at all. It us only relevant if you chose to filter by its value in the "portal selection criteria" part of the portal policy.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.