Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RandomTechGuy
New Contributor II

FortiGate and Fortiap with Radius authentication

Hi guys.

A customer  asked for FortiGate WIFI with Radius authentication.

I tried to do it on a lab first.

I have windows server 2016 with a ad domain and radius server with Certificate issued.

Also I have Fortigate 40F and Fortiap 220B ( I know its old but this is what i currently have)

I have configured WPA2  Enterprise with radius server and created a group that belongs to the radius server and everything looks fine.

When i login to the wifi i put my credentials and its taking its time on checking network environment.

Eventually I'm able to login.. I'm getting apipa address and when I check the Fortigate wifi clients i see that the user is logged in and was assigned an IP.

Can you guys help ? I dont know what am i doing wrong :\

18 REPLIES 18
ebilcari
Staff
Staff

In WiFi usually the DHCP is usually wrongfully blamed :) In my experience that is not always the case. 

You can check if the authentication is successful and the VLAN is returned by the RADIUS server:

VLAN ID.PNG

or from CLI

GW # diagnose wireless-controller wlac -c sta
-------------------------------STA 1----------------------------
STA mac : 88:46...
live : 96 (ts=17605)
authed : yes
wtp : 0-10.5.32.54:25246
rId : 1
aId : 1
wId : 1
bssid : 70:4c:a5:...
cap : 0111
VLAN tag : 01ff (511)
ACL deny cnt : 0
802.11kvr :
Os Info : Android13

 

Since you are using an old AP to avoid any compatibility issue between the AP and the client I would suggest to temporarily change the SSID configuration to Personal and if everything works fine including DHCP and access you can revert it to Enterprise.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
RandomTechGuy
New Contributor II

@ebilcari 

I changed it to WPA 2 Personal and i was able to connect... I'm really lost

 

BTW i created a new lab for this and now in the fortigate itself i dont see that the user received ip

from dhcp 

 

here are my configurations

1.PNG2.PNG3.PNG4.PNG5.PNG6.PNG7.PNG8.PNG9.PNG10.PNG

ebilcari

Since the DHCP works with WPA2 this is now clearly an authentication or VLAN assignment issue.

What's the authentication status the output when you run this command:

GW # diagnose wireless-controller wlac -c sta

 

You can also get the debugs from FGT while authenticating:

diagnose debug app eap_proxy 31

debug application wpad 8

diagnose debug enable

 

Since you already created a fully functional Enterprise solution why don't you enable dynamic VLAN assignment through RADIUS and include the VLAN in response. You will have it ready if you want to do segmentation in the future.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
RandomTechGuy
New Contributor II

 

Hi @ebilcari 

i ran the logs.. these are the Results 

ebilcari

RADIUS server is responding with accept:

00540.799 HOSTAPD: <0>10.x.x.x:5246<1-0> Revived 307 bytes RADIUS message from authentication server <10.0.x.x:1812> by sock 13
RADIUS message: code=2 (Access-Accept) identifier=20 length=307

the 4 way handshake looks completed:

23755.853 44:xxx <eh> ***pairwise key handshake completed*** (RSN)

and the authentication status of the host is correct:

FortiGate-60E # diagnose wireless-controller wlac -c sta
------------------------------STA 1----------------- -----------
STA mac : 44:xxxx
authed: yes
VLAN tag : 0000 (0)

 

I found out on of my notes that the DHCP service may be stuck sometimes for WiFi hosts, running this command have solved it, can you give it a try:

# execute wireless-controller restart-acd

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
RandomTechGuy
New Contributor II

hi @ebilcari 
It's important to know that yesterday before I ran the diagnose on the FortiGate

I turned on the FortiGate + server + FortiAp (The whole equipment is for lab so its not on when I'm not using) so I don't think that running this command will do anything.

Is it possible that the AP is having problems ?

ebilcari

I can't tell, you can run a sniffer directly in the AP to have a better view of what is happening. I have a relay in this SSID (unicast), you should see broadcast traffic.

sniffer.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
dbhavsar
Staff
Staff

Hello @RandomTechGuy 

 

can you try disabling below settings on fortigate and reconnect again:
config system npu
    set capwap-offload disable
end

- Also your AP is running on bridge mode or is it in tunnel mode? Also have you tried connecting another machine to isolate the issue [adaptor issue or something else]

DNB
RandomTechGuy
New Contributor II

Hi @ebilcari I didn't have the command diag_sniffer on the AP it was version 4.0
I upgrated it to 5.2.7 and before I tried to diagnose i tested it again and I'm glad to say its working now.

I used an old AP hardware and firmware.
Thank you guys very much for you help.. I  really appriciate all of your help.

@dbhavsar @vbandha @dbu @distillednetwork 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors