FortiGate and Fortiap with Radius authentication

RandomTechGuy · ‎12-01-2023

Hi guys.

A customer asked for FortiGate WIFI with Radius authentication.

I tried to do it on a lab first.

I have windows server 2016 with a ad domain and radius server with Certificate issued.

Also I have Fortigate 40F and Fortiap 220B ( I know its old but this is what i currently have)

I have configured WPA2 Enterprise with radius server and created a group that belongs to the radius server and everything looks fine.

When i login to the wifi i put my credentials and its taking its time on checking network environment.

Eventually I'm able to login.. I'm getting apipa address and when I check the Fortigate wifi clients i see that the user is logged in and was assigned an IP.

Can you guys help ? I dont know what am i doing wrong :\

dbu · ‎12-01-2023

It looks like there is some issue with the DHCP server configured for this VPN . Doble check the configuration and DHCP scope

On the FortiGate what IP do you see for this user? Same APIPA?
You can also run packet capture to see if the DHCP negotiation process.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

distillednetwork · ‎12-01-2023

A couple of questions to help narrow it down:

Are you using a bridge or tunnel SSID?

- If bridged did you assign a default vlan?

- If Tunneled do you have the DHCP server enabled on that ssid interface?

Are you trying to send back any vlans in the radius response or just an access-accept?

RandomTechGuy · ‎12-01-2023

@dbu
Hi its on the same scope and in the DHCP I see the domain and the user and a legitimate IP for exmaple 10.40.40.2

I tried to see dhcp negotiation by running this commands

diag debug reset
diag debug application dhcpc -1
diag debug enable

and it didn't show any results..

@distillednetwork

I used tunnel with DHCP server enabled

And i think its just access accept.. if the user is in a group "WIFI" so it can get access to the internet

I

dbu · ‎12-02-2023

You can run a packet capture and filter with port 67/68 :
diag sniffer packet <interface_name/any> "port 67 or port 68" 6 0 1

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

jiahoong112 · ‎12-02-2023

if you are using fortigate wireless-controller as the dhcp server, these debugs should be run instead. dhcps is for fortigate as dhcp server. dhcpc is for fortigate as dhcp client.

# diag deb app dhcps -1

# diag deb enable

your issue seems to be that authentication is successful but dhcp ip assignment is failing. in wlan, authentication is done first before dhcp ip is obtained

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**

RandomTechGuy · ‎12-02-2023

@dbu @jiahoong112

I ran the commands but it doesn't show anything

I see in the DHCP that the mac address got an IP with username and password

dbu · ‎12-03-2023

Can you try to assign an IP address manually as per the IP pool it should belong to and try again if it works?

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

distillednetwork · ‎12-03-2023

if you look at the scope are there any DHCP options that are set?

config system dhcp server

I would also run a wireshark capture on the client and see if you get the DHCP OFFER to the client.

vbandha · ‎12-03-2023

@RandomTechGuy

Release the IP for the end device and then run the packet sniffer for DHCP:
diag sniffer packet any "port 67 or port 68" 4 0 l

Also run wireshark on end device at the same time

Check if the DORA process completes on both sides.

When Fortigates sends offer, it will put the IP in DHCP lease even if DORA has not completed. So in that case you would see IP Assigned on fortigate but no IP on end device.