Hi guys.
A customer asked for FortiGate WIFI with Radius authentication.
I tried to do it on a lab first.
I have windows server 2016 with a ad domain and radius server with Certificate issued.
Also I have Fortigate 40F and Fortiap 220B ( I know its old but this is what i currently have)
I have configured WPA2 Enterprise with radius server and created a group that belongs to the radius server and everything looks fine.
When i login to the wifi i put my credentials and its taking its time on checking network environment.
Eventually I'm able to login.. I'm getting apipa address and when I check the Fortigate wifi clients i see that the user is logged in and was assigned an IP.
Can you guys help ? I dont know what am i doing wrong :\
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
In WiFi usually the DHCP is usually wrongfully blamed :) In my experience that is not always the case.
You can check if the authentication is successful and the VLAN is returned by the RADIUS server:
or from CLI
GW # diagnose wireless-controller wlac -c sta
-------------------------------STA 1----------------------------
STA mac : 88:46...
live : 96 (ts=17605)
authed : yes
wtp : 0-10.5.32.54:25246
rId : 1
aId : 1
wId : 1
bssid : 70:4c:a5:...
cap : 0111
VLAN tag : 01ff (511)
ACL deny cnt : 0
802.11kvr :
Os Info : Android13
Since you are using an old AP to avoid any compatibility issue between the AP and the client I would suggest to temporarily change the SSID configuration to Personal and if everything works fine including DHCP and access you can revert it to Enterprise.
I changed it to WPA 2 Personal and i was able to connect... I'm really lost
BTW i created a new lab for this and now in the fortigate itself i dont see that the user received ip
from dhcp
here are my configurations
Since the DHCP works with WPA2 this is now clearly an authentication or VLAN assignment issue.
What's the authentication status the output when you run this command:
GW # diagnose wireless-controller wlac -c sta
You can also get the debugs from FGT while authenticating:
diagnose debug app eap_proxy 31
debug application wpad 8
diagnose debug enable
Since you already created a fully functional Enterprise solution why don't you enable dynamic VLAN assignment through RADIUS and include the VLAN in response. You will have it ready if you want to do segmentation in the future.
RADIUS server is responding with accept:
00540.799 HOSTAPD: <0>10.x.x.x:5246<1-0> Revived 307 bytes RADIUS message from authentication server <10.0.x.x:1812> by sock 13
RADIUS message: code=2 (Access-Accept) identifier=20 length=307
the 4 way handshake looks completed:
23755.853 44:xxx <eh> ***pairwise key handshake completed*** (RSN)
and the authentication status of the host is correct:
FortiGate-60E # diagnose wireless-controller wlac -c sta
------------------------------STA 1----------------- -----------
STA mac : 44:xxxx
authed: yes
VLAN tag : 0000 (0)
I found out on of my notes that the DHCP service may be stuck sometimes for WiFi hosts, running this command have solved it, can you give it a try:
# execute wireless-controller restart-acd
hi @ebilcari
It's important to know that yesterday before I ran the diagnose on the FortiGate
I turned on the FortiGate + server + FortiAp (The whole equipment is for lab so its not on when I'm not using) so I don't think that running this command will do anything.
Is it possible that the AP is having problems ?
I can't tell, you can run a sniffer directly in the AP to have a better view of what is happening. I have a relay in this SSID (unicast), you should see broadcast traffic.
Hello @RandomTechGuy
can you try disabling below settings on fortigate and reconnect again:
config system npu
set capwap-offload disable
end
- Also your AP is running on bridge mode or is it in tunnel mode? Also have you tried connecting another machine to isolate the issue [adaptor issue or something else]
Hi @ebilcari I didn't have the command diag_sniffer on the AP it was version 4.0
I upgrated it to 5.2.7 and before I tried to diagnose i tested it again and I'm glad to say its working now.
I used an old AP hardware and firmware.
Thank you guys very much for you help.. I really appriciate all of your help.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.