RandomTechGuy

FortiGate and Fortiap with Radius authentication

Hi guys.

A customer asked for FortiGate WiFi with RADIUS authentication.

I tried to do it on a lab first.

I have Windows Server 2016 with an AD domain and a RADIUS server with a certificate issued.

Also I have a FortiGate 40F and a FortiAP 220B (I know it's old, but this is what I currently have).

I have configured WPA2 Enterprise with the RADIUS server and created a group that belongs to the RADIUS server, and everything looks fine.

When I log in to the WiFi I enter my credentials and it takes its time on "checking network environment".

Eventually I'm able to log in. I'm getting an APIPA address, and when I check the FortiGate WiFi clients I see that the user is logged in and was assigned an IP.

Can you guys help? I don't know what I am doing wrong :\

ebilcari (Staff)

In WiFi, DHCP is usually wrongfully blamed :) In my experience that is not always the case.

You can check if the authentication is successful and the VLAN is returned by the RADIUS server:

[screenshot: VLAN ID.PNG]

or from CLI

GW # diagnose wireless-controller wlac -c sta
-------------------------------STA 1----------------------------
STA mac : 88:46...
live : 96 (ts=17605)
authed : yes
wtp : 0-10.5.32.54:25246
rId : 1
aId : 1
wId : 1
bssid : 70:4c:a5:...
cap : 0111
VLAN tag : 01ff (511)
ACL deny cnt : 0
802.11kvr :
Os Info : Android13

 

Since you are using an old AP, to avoid any compatibility issue between the AP and the client I would suggest temporarily changing the SSID configuration to Personal, and if everything works fine, including DHCP and access, you can revert it to Enterprise.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
RandomTechGuy

@ebilcari 

I changed it to WPA2 Personal and I was able to connect... I'm really lost.

 

BTW, I created a new lab for this, and now in the FortiGate itself I don't see that the user received an IP from DHCP.

 

Here are my configurations:

[screenshots: 1.PNG to 10.PNG, configuration screens]

ebilcari

Since DHCP works with WPA2, this is now clearly an authentication or VLAN assignment issue.

What's the authentication status in the output when you run this command:

GW # diagnose wireless-controller wlac -c sta

 

You can also get the debugs from FGT while authenticating:

diagnose debug app eap_proxy 31

diagnose debug application wpad 8

diagnose debug enable

 

Since you already created a fully functional Enterprise solution, why don't you enable dynamic VLAN assignment through RADIUS and include the VLAN in the response? You will have it ready if you want to do segmentation in the future.

- Emirjon
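For the dynamic VLAN suggestion above, the RADIUS server has to return three attributes together in the Access-Accept, and the NAS ignores the VLAN if any of them is missing or inconsistent. The following is an added example (not from this thread and not Fortinet code) that builds and parses those attributes. Attribute numbers and values follow RFC 2868 (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81 = VLAN id as a string); the attribute lists in the usage block are constructed, only the attribute payload is handled (not the RADIUS header or authenticator), and the choice to always emit a tag byte is an assumption about what the server sends.

```python
"""Added example: build and parse the RADIUS attributes that carry a dynamic
VLAN in an Access-Accept. Attribute numbers/values follow RFC 2868:
Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6),
Tunnel-Private-Group-ID (81) = VLAN id as a string. Only the attribute
payload is handled here, not the full RADIUS packet header/authenticator."""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type, value):
    """RADIUS AVP: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a server must return together for a VLAN to apply.
    Assumption: a tag byte is always emitted (0 = untagged), as RFC 2868 allows."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    tag_byte = bytes([tag])
    return (
        encode_avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + encode_avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + encode_avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_avps(payload):
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated AVP header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad AVP length")
        avps.append((attr_type, payload[i + 2:i + length]))
        i += length
    return avps


def split_tag(value):
    """RFC 2868: a leading byte of 0x00..0x1F is a tag, anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(payload):
    """VLAN id a NAS would apply, or None when the reply lacks a complete and
    consistent triple (the client then lands on the SSID's default VLAN)."""
    by_tag = {}
    for attr_type, value in parse_avps(payload):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for _tag, attrs in sorted(by_tag.items()):
        if len(attrs) != 3:  # only the three tunnel types are collected above
            continue
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vlan_id = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            continue  # a VLAN name rather than a numeric id; not handled here
        if 1 <= vlan_id <= 4094:
            return vlan_id
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute lists; the Class (25) attribute is filler.
    good = encode_avp(25, b"session-1") + vlan_attributes(511)
    print("complete triple ->", vlan_from_access_accept(good))
    half = encode_avp(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    print("Tunnel-Type only ->", vlan_from_access_accept(half))
```

The incomplete-triple case is the one worth keeping in mind when the station output shows `VLAN tag : 0000 (0)` despite an Access-Accept: the server may be returning only one or two of the three attributes, or a VLAN name where the NAS expects a number.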
RandomTechGuy

 

Hi @ebilcari 

I ran the logs. These are the results:

ebilcari

The RADIUS server is responding with an Accept:

00540.799 HOSTAPD: <0>10.x.x.x:5246<1-0> Revived 307 bytes RADIUS message from authentication server <10.0.x.x:1812> by sock 13
RADIUS message: code=2 (Access-Accept) identifier=20 length=307

The 4-way handshake looks completed:

23755.853 44:xxx <eh> ***pairwise key handshake completed*** (RSN)

And the authentication status of the host is correct:

FortiGate-60E # diagnose wireless-controller wlac -c sta
------------------------------STA 1----------------- -----------
STA mac : 44:xxxx
authed: yes
VLAN tag : 0000 (0)

 

I found in one of my notes that the DHCP service may sometimes get stuck for WiFi hosts; running this command has solved it. Can you give it a try:

# execute wireless-controller restart-acd

- Emirjon
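The two ebilcari posts above walk the same elimination order: RADIUS result, then the 4-way handshake, then the VLAN tag on the station entry, and only then DHCP or the AP. As an added example (not from the thread, not Fortinet code), here is a small Python helper that parses `diagnose wireless-controller wlac -c sta` output and the eap_proxy/wpad debug lines and returns which layer to look at next. Both sample outputs are constructed in the style of the excerpts quoted in the thread, with made-up MACs and addresses; the `expected_vlan` parameter (0 for a static SSID VLAN) is my own.

```python
"""Added example: parse FortiGate station and debug output and decide, in the
order used in the thread, which layer to investigate next."""
import re

# Constructed sample modelled on "diagnose wireless-controller wlac -c sta";
# MACs, BSSIDs and addresses are made up.
STA_SAMPLE = """\
-------------------------------STA 1----------------------------
STA mac : 44:aa:bb:cc:dd:ee
live : 96 (ts=17605)
authed : yes
wtp : 0-10.5.32.54:25246
rId : 1
aId : 1
wId : 1
bssid : 70:4c:a5:00:11:22
cap : 0111
VLAN tag : 0000 (0)
ACL deny cnt : 0
802.11kvr :
Os Info : Windows
-------------------------------STA 2----------------------------
STA mac : 88:46:00:00:00:01
authed : yes
VLAN tag : 01ff (511)
"""

# Constructed sample modelled on the eap_proxy / wpad debug excerpts above.
DEBUG_SAMPLE = """\
00540.799 HOSTAPD: <0>10.0.0.1:5246<1-0> Received 307 bytes RADIUS message from authentication server <10.0.0.5:1812> by sock 13
RADIUS message: code=2 (Access-Accept) identifier=20 length=307
23755.853 44:aa:bb:cc:dd:ee <eh> ***pairwise key handshake completed*** (RSN)
"""


def parse_sta_output(text):
    """Return one dict per station block, keyed by lowercased field name."""
    stations, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^-+\s*STA \d+", line):  # block separator, dashes may be broken
            current = {}
            stations.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; values may contain ':'
        current[key.strip().lower()] = value.strip()
    return stations


def sta_vlan(sta):
    """VLAN id from 'VLAN tag : 01ff (511)'; 0 is the SSID's untagged/default VLAN."""
    match = re.search(r"\((\d+)\)", sta.get("vlan tag", ""))
    return int(match.group(1)) if match else None


def debug_for_client(debug_text, mac):
    """Keep RADIUS message lines (not tagged per client) plus the client's own lines."""
    mac = mac.lower()
    return [line for line in debug_text.splitlines()
            if "RADIUS message" in line or mac in line.lower()]


def next_layer(sta, debug_lines, expected_vlan=0):
    """Where to look next: RADIUS -> 4-way handshake -> VLAN on the station -> DHCP/AP."""
    if any("(Access-Reject)" in line for line in debug_lines):
        return "radius-reject"
    if sta.get("authed") != "yes" or not any("(Access-Accept)" in line for line in debug_lines):
        return "radius-no-accept"
    if not any("pairwise key handshake completed" in line for line in debug_lines):
        return "4way-handshake"
    if sta_vlan(sta) != expected_vlan:
        return "vlan-mismatch"
    return "dhcp-or-ap"  # auth and VLAN are fine; check DHCP relay, bridge/tunnel mode, the AP


if __name__ == "__main__":
    for sta in parse_sta_output(STA_SAMPLE):
        lines = debug_for_client(DEBUG_SAMPLE, sta["sta mac"])
        print(sta["sta mac"], "vlan", sta_vlan(sta), "->", next_layer(sta, lines))
```

Station 1 in the constructed sample reproduces the thread's situation (Access-Accept, handshake done, VLAN 0 as expected for a static SSID), so the helper points at DHCP or the AP, which is where the thread ended up.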
RandomTechGuy

Hi @ebilcari, it's important to know that yesterday, before I ran the diagnose on the FortiGate,

I turned on the FortiGate + server + FortiAP (the whole setup is for the lab, so it's not on when I'm not using it), so I don't think that running this command will do anything.

Is it possible that the AP is having problems?

ebilcari

I can't tell; you can run a sniffer directly on the AP to have a better view of what is happening. I have a relay in this SSID (unicast); you should see broadcast traffic.

[screenshot: sniffer.PNG]

- Emirjon
dbhavsar (Staff)

Hello @RandomTechGuy 

 

Can you try disabling the setting below on the FortiGate and reconnecting again:
config system npu
    set capwap-offload disable
end

- Also, is your AP running in bridge mode or in tunnel mode? And have you tried connecting another machine to isolate the issue (adapter issue or something else)?

DNB
RandomTechGuy

Hi @ebilcari, I didn't have the diag_sniffer command on the AP; it was version 4.0.
I upgraded it to 5.2.7, and before I tried to diagnose I tested it again, and I'm glad to say it's working now.

I used old AP hardware and firmware.
Thank you guys very much for your help. I really appreciate all of your help.

@dbhavsar @vbandha @dbu @distillednetwork 
