Akmostafa

FortiAuthenticator portal fails (wrong AP IP)

Hello Fortinet fellows,

 

I am testing portal services on a FAC VM.

On the FortiGate I configured an SSID with an external captive portal using the following captive portal URL:

http://172.16.14.9/portal/

where 172.16.14.9 is the FAC IP.

172.16.14.9 is also configured as the RADIUS server on the FG.

The SSID interface IP is 172.16.15.1 (clients in the range 172.16.15.0/24).

 

The FortiAP management IP is 172.16.21.2.

 

On the FAC portal policy the AP IP is configured to be in 172.16.21.0/24 (the AP management IP).

When a client associates with the AP it is successfully redirected to the captive portal.

I notice the parameter apip=172.16.21.2 in the URL (see the packet capture).

 

However the user is failing to authenticate.

 

FAC logs:

 

2022-07-25T07:46:34.199830-07:00 FortiAuthenticator radiusd[4720]: (13) facauth: ERROR: The AP of portal policy 10 does not contain client 172.16.15.1
2022-07-25T07:46:34.199849-07:00 FortiAuthenticator radiusd[4720]: (13) Invalid user (facauth: The AP of portal policy 10 does not contain client 172.16.15.1 :( [ab] (from client localhost port 20)

 

When I tried changing the AP IP on the portal policy to include the whole 172.16.0.0/16 subnet, the issue was resolved.

 

I wonder which AP IP should be used in the portal policy (the AP management IP or the SSID interface IP).

If the correct apip is the SSID interface IP (172.16.15.1), then why does the parameter apip=172.16.21.2 appear in the redirect URL?

 

[attached screenshot: Akmostafa_0-1658761381029.png]

 

xsilver_FTNT
Staff

Hi,

Do a packet capture (either on the FGT or, better, on the FAC) to catch the RADIUS packets and see where the Access-Request for your Wi-Fi client came from.

If the FGT is the NAS, managing the SSID and so being the Network Access Service/Server authenticating clients (the one sending RADIUS Access-Requests to the RADIUS server, FAC in this case), then the IP of the authorized client on the FAC should be that FGT's IP.

Like the 172.16.15.1 mentioned in the FAC log.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Akmostafa

Hello Tom,

 

It seems that this validation happens even before the RADIUS traffic flows between the FG and the FAC. The capture only shows the HTTP traffic, and no packets are seen on port 1812.

When I change the AP IP on the FAC in the portal policy, I successfully see the RADIUS traffic.

 

Note, as per the screenshot, my problem is with the AP IP, not the RADIUS clients.

 

[attached screenshot: Akmostafa_0-1658847567523.png]

[attached screenshot: Akmostafa_1-1658847645642.png]

 

pminarik
Staff

To keep things simple:
The "post=xxx" part of the URL must be an IP/FQDN included in "Chosen access points" (in your case 172.16.15.1, based on the pcap).

 

"Chosen RADIUS Clients" must include the source IP from which the follow-up RADIUS request will come (e.g., if the FortiGate talks to the FAC via interface port7 with IP 1.2.3.4, unless you manually changed the source IP with the "set source-ip" CLI option, then that 1.2.3.4 must be among the chosen RADIUS clients).

 

The "apip=xxx" element by default is not considered at all. It is only relevant if you chose to filter by its value in the "portal selection criteria" part of the portal policy.

[ corrections always welcome ]
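The two independent checks described in this reply, worked through as an added example (not Fortinet code and not part of the thread): the policy field names, the RADIUS client subnet and the redirect URL are constructed for illustration; only the IPs and the error wording come from the posts above.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the three portal-policy fields discussed in the thread.
# The field names are assumptions, not the FAC object model.
POLICY_AS_POSTED = {
    "id": 10,
    "chosen_access_points": ["172.16.21.0/24"],  # AP management subnet (the misconfiguration)
    "chosen_radius_clients": ["192.0.2.0/24"],   # constructed: where Access-Requests come from
    "apip_filter": None,                         # None = "portal selection criteria" not used
}
POLICY_FIXED = dict(POLICY_AS_POSTED, chosen_access_points=["172.16.15.1"])  # SSID interface IP

# Constructed redirect URL carrying the two parameters the thread talks about.
REDIRECT_URL = "http://172.16.14.9/portal/?post=172.16.15.1&apip=172.16.21.2"


def contained(ip, entries):
    """True if ip falls inside any entry (single host or CIDR) of a policy list."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in entries)


def check_portal_policy(url, policy):
    """Mimic the portal-side check: return FAC-style error strings (empty list = match)."""
    params = parse_qs(urlparse(url).query)
    post_ip = params.get("post", [None])[0]
    apip = params.get("apip", [None])[0]
    errors = []
    # The 'post' value must be among the chosen access points.
    if post_ip is None or not contained(post_ip, policy["chosen_access_points"]):
        errors.append(f"The AP of portal policy {policy['id']} does not contain client {post_ip}")
    # 'apip' is ignored unless the policy filters on it (portal selection criteria).
    if policy["apip_filter"] is not None and (apip is None or not contained(apip, policy["apip_filter"])):
        errors.append(f"apip {apip} does not match the portal selection criteria of policy {policy['id']}")
    return errors


def check_radius_client(source_ip, policy):
    """Second, separate check: the RADIUS Access-Request must come from a chosen RADIUS client."""
    return contained(source_ip, policy["chosen_radius_clients"])


if __name__ == "__main__":
    print(check_portal_policy(REDIRECT_URL, POLICY_AS_POSTED))  # the error from the poster's log
    print(check_portal_policy(REDIRECT_URL, POLICY_FIXED))      # []
    print(check_radius_client("192.0.2.10", POLICY_FIXED))      # True
```

Widening the access-point list to 172.16.0.0/16, as the poster did, also makes the first check pass, which is why that workaround "fixed" it without touching the RADIUS client list.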