Dear All
We have deployed FortiNAC 7.6 (latest version) and are using it for 802.1X authentication with Cisco switches and AD authentication through WinBind. Authentication was working well for some customers, but it is not stable. Now we are facing that Cisco shows authentication successful, but FortiNAC shows "unauthenticated" and the host remains in the Isolation/authentication VLAN, meaning the VLAN change is not happening. This product is strange; sometimes it becomes very slow. We are using PEAP MSCHAPv2 with user authentication.
Please suggest.
There is a common misconception regarding the Authentication policy and status of the host (red A). This authentication can be treated as a second layer of authentication through the portal or Persistent Agent, which is not required when the host is already authenticating with RADIUS. If this is the case, make sure not to enforce Authentication because it is not required.
Hi Ebilcari
Thanks for your contribution. I unchecked "forced authentication" on the switch port under FortiNAC > Inventory > switch port; now 2-3 PCs are authenticating successfully and getting IP addresses too in the test run. We are monitoring the behavior and will then update. I cannot share a screenshot here, but FortiNAC is still showing the unauthenticated host "A" in red. Also, the IP address of one host is showing in adapter options and the other host's is not showing; both are on the same network, same authentication and Windows.
The host status (need authentication) should change next time the host connects in the network and the port doesn't have the authentication enforced.
The IP address of the hosts is usually learned through the L3 device that is the gateway of the hosts and has that information in its ARP table.
Hi, I removed the "forced authentication" check; hosts are showing "A" in red and the IP address is not shown for the host. The L3 ARP table is OK; I will troubleshoot again. Please let me know: if we want to authenticate the machine as well, before the user, what should we do then? Currently we are using "user authentication in PC" only.
User authentication should be enough for this type of deployment. As long as the host matches a UHP of an Authentication policy, it will change the host status. Enforcement configured on the port relates to the action of VLAN switching. If it still shows as needing to authenticate, check the UHP or disable the Authentication policy.
Since you are in the 7.6 branch make sure to also update to the latest version, 7.6.1 if not done yet.
Might be an issue with UHP; there is not much help on the internet for this type of deployment. I will disable UHP or the authentication policy and then try. If you have any sample config of a UHP policy, please share, and I will definitely update to 7.6.1.
Thank you Ebilcari
Basically you don't need a UHP or an Authentication policy at all to match hosts that are doing RADIUS authentication with credentials (PEAP is used).
You will need a UHP to apply it to a Network Access policy in order to assign a logical network > VLAN to the host. The UHP doesn't have to be very complex as long as it is specific enough to differentiate the hosts as required. An example:
You can read about the details of these options in the Administration guide.
Also refer to this article to get more information about the flow of actions from a similar example.
Created on 12-20-2024 06:34 AM Edited on 12-20-2024 06:34 AM
Thank you for the information. I tried to upgrade, but the auto update failed and showed "401 unauthorized directory" or something. I downloaded the file but don't know how to upload it for the upgrade.
Now I disabled forced authentication on the switch; its VLAN is 51 as the non-prod VLAN, but in FortiNAC after authentication it is showing current and default VLAN 10, which is the prod VLAN.
You can upgrade FNAC through the CLI as shown in this article, but it's better to do it from the UI. You will need a case with TAC support because the credentials cannot be shared publicly; the other fields can be completed like this:
Regarding the current VLAN listed in the UI, this is expected behavior because it shows the VLAN that is configured through the CLI on the switch. The VLANs that are sent by RADIUS are dynamic VLANs.
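To make the distinction between the port's configured VLAN and the dynamic VLAN concrete, here is an added example (not code from the thread, FortiNAC or Cisco) that decodes the RFC 2868/3580 tunnel attributes a RADIUS server puts in an Access-Accept to assign a VLAN, and shows what a switch port ends up in for each kind of reply. All values are constructed: the shared secret, the Request Authenticator, the configured port VLAN 51 and the assigned VLAN 10 are placeholders, not the poster's deployment. The Response Authenticator check is included because an Accept that does not verify against the shared secret must not move the port.

```python
"""Decode the dynamic-VLAN assignment carried in a RADIUS Access-Accept.

Constructed example: a port configured for VLAN 51 (isolation) receives an
Access-Accept that assigns VLAN 10 through the RFC 2868/3580 tunnel attributes.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE 802"

HEADER = struct.Struct("!BBH")  # code, identifier, length; 16-byte authenticator follows


def build_reply(code, ident, attrs, request_authenticator, secret):
    """Build a RADIUS reply with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = HEADER.pack(code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply was produced by a server that knows the shared secret."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Split the attribute section into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def _tagged_int(value):
    # Tunnel-Type / Tunnel-Medium-Type: 1-byte tag followed by a 3-byte integer
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value):
    # Tunnel-Private-Group-ID: a leading byte <= 0x1F is a tag, otherwise it is data
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def dynamic_vlan(packet, request_authenticator, secret, configured_vlan):
    """Return the VLAN the port ends up in after processing this RADIUS reply.

    None -> authentication failed or reply not authentic; port stays unauthorized
    int  -> VLAN to apply: the RADIUS-assigned (dynamic) VLAN, or the configured
            one when the Accept carries no usable VLAN attributes
    """
    if len(packet) < 20:
        raise ValueError("RADIUS packet too short")
    code, _ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None  # a forged or corrupted reply must never open the port
    if code != CODE_ACCESS_ACCEPT:
        return None
    ttype, tmedium, group = {}, {}, {}
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_TUNNEL_TYPE:
            tag, v = _tagged_int(value); ttype[tag] = v
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_int(value); tmedium[tag] = v
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, v = _tagged_string(value); group[tag] = v
    # All three attributes must share a tag and describe an IEEE 802 VLAN
    for tag, gid in group.items():
        if ttype.get(tag) == TUNNEL_TYPE_VLAN and tmedium.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return configured_vlan


# Constructed sample values (placeholders, not from the thread's deployment)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # stands in for the random Request Authenticator
PORT_VLAN = 51                    # VLAN configured on the switch port (isolation)

ACCEPT_VLAN_10 = build_reply(CODE_ACCESS_ACCEPT, 7, [
    (ATTR_TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (ATTR_TUNNEL_MEDIUM_TYPE, bytes([1]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"10"),
], REQUEST_AUTH, SECRET)
ACCEPT_NO_VLAN = build_reply(CODE_ACCESS_ACCEPT, 8, [], REQUEST_AUTH, SECRET)
REJECT = build_reply(CODE_ACCESS_REJECT, 9, [], REQUEST_AUTH, SECRET)
BAD_AUTHENTICATOR = ACCEPT_VLAN_10[:4] + bytes(16) + ACCEPT_VLAN_10[20:]

if __name__ == "__main__":
    for name, pkt in [("accept+vlan", ACCEPT_VLAN_10), ("accept", ACCEPT_NO_VLAN),
                      ("reject", REJECT), ("bad authenticator", BAD_AUTHENTICATOR)]:
        print(name, "->", dynamic_vlan(pkt, REQUEST_AUTH, SECRET, PORT_VLAN))
```

Run as a script, it shows the four outcomes: an authentic Accept with all three tunnel attributes moves the port to VLAN 10, an Accept without them leaves the port in the configured VLAN 51 (which is what the switch CLI and the FortiNAC port view report), and a Reject or a reply that fails the authenticator check leaves the port unauthorized. When the switch log says "authentication successful" but the host stays in the isolation VLAN, capturing the Accept and checking for these three attributes tells you whether the VLAN was ever sent.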