FortiNAC-802.1X User Credential Failed MSCHAPv2
Dear FortiNAC Experts
We have FortiNAC 7.6. 802.1X RADIUS is configured with Cisco switches and authentication is through LDAP-WinBind MSCHAPv2. The PC machines are Windows 11. Now we are facing an issue with new users, a password change of the user, or if a user logs in to another PC in the same domain: FortiNAC throws a credential failed error when we change the password in AD or a new user logs in. In this setup I think the user does not have access to LDAP before logging into the machine. It does not allow entering credentials, etc. How do we fix this issue?
Thanks in advance
Hi Tarik
It's been a year (or more) since I worked on FNAC, but as far as I remember the WinBind mode has a few limitations compared to proxy mode.
If I'm not wrong, for new users the LDAP user DB in FNAC is synchronized once a day, right? So in order to make sure this is the root cause, you may try running a manual sync of your LDAP user DB on FNAC. If it works then you can change the sync rate from FNAC, but I can't remember from which menu item :(
Hope it helps a bit.
Hi AEK
Thanks for your reply. We tried to manually sync AD in FortiNAC but it's accepting credential change or when new users come; the only solution is to remove from FortiNAC and sign in, make the credential cached, and then re-login through FortiNAC.
The AD synchronization will update user attributes and groups; credentials are checked in real time during authentication.
If the supplicant in the end host (Win 11) is configured to save credentials, after the password is changed in the AD side, the supplicant will still use the old cached credentials. This behavior should be changed on the end host configurations, usually a GPO is used. From the FNAC perspective these credentials don't match and that's why the authentication fails and this is not a FNAC limitation.
