Hi guys.
A customer asked for FortiGate WIFI with Radius authentication.
I tried to do it on a lab first.
I have windows server 2016 with a ad domain and radius server with Certificate issued.
Also I have Fortigate 40F and Fortiap 220B ( I know its old but this is what i currently have)
I have configured WPA2 Enterprise with radius server and created a group that belongs to the radius server and everything looks fine.
When i login to the wifi i put my credentials and its taking its time on checking network environment.
Eventually I'm able to login.. I'm getting apipa address and when I check the Fortigate wifi clients i see that the user is logged in and was assigned an IP.
Can you guys help ? I dont know what am i doing wrong :\
It looks like there is some issue with the DHCP server configured for this VPN . Doble check the configuration and DHCP scope
On the FortiGate what IP do you see for this user? Same APIPA?
You can also run packet capture to see if the DHCP negotiation process.
A couple of questions to help narrow it down:
Are you using a bridge or tunnel SSID?
- If bridged did you assign a default vlan?
- If Tunneled do you have the DHCP server enabled on that ssid interface?
Are you trying to send back any vlans in the radius response or just an access-accept?
@dbu
Hi its on the same scope and in the DHCP I see the domain and the user and a legitimate IP for exmaple 10.40.40.2
I tried to see dhcp negotiation by running this commands
diag debug reset
diag debug application dhcpc -1
diag debug enable
and it didn't show any results..
I used tunnel with DHCP server enabled
And i think its just access accept.. if the user is in a group "WIFI" so it can get access to the internet
I
You can run a packet capture and filter with port 67/68 :
diag sniffer packet <interface_name/any> "port 67 or port 68" 6 0 1
if you are using fortigate wireless-controller as the dhcp server, these debugs should be run instead. dhcps is for fortigate as dhcp server. dhcpc is for fortigate as dhcp client.
# diag deb app dhcps -1
# diag deb enable
your issue seems to be that authentication is successful but dhcp ip assignment is failing. in wlan, authentication is done first before dhcp ip is obtained
I ran the commands but it doesn't show anything
I see in the DHCP that the mac address got an IP with username and password
Can you try to assign an IP address manually as per the IP pool it should belong to and try again if it works?
if you look at the scope are there any DHCP options that are set?
config system dhcp server
I would also run a wireshark capture on the client and see if you get the DHCP OFFER to the client.
Release the IP for the end device and then run the packet sniffer for DHCP:
diag sniffer packet any "port 67 or port 68" 4 0 l
Also run wireshark on end device at the same time
Check if the DORA process completes on both sides.
When Fortigates sends offer, it will put the IP in DHCP lease even if DORA has not completed. So in that case you would see IP Assigned on fortigate but no IP on end device.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.