Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
anhbt
New Contributor II

Created on ‎01-21-2024 10:49 PM

FortiNAC: Cannot Authenticate wifi Client with FortiNAC radius

I am currently trying to configure FortiNAC to authenticate 802.11 for devices using Wifi. The topology is as follows: Client -> Cambium AP -> Forti NAC (Radius) -> Active Directory (User Database). FortiNAC has been configured to join AD and LDAP authentication has also been integrated with AD. When the client sends an authentication request, the log on FortiNAC may show some errors such as:

  1. ERROR: No NT-Domain was found in the User-Name
  2.  

rest_reject: EXPAND Registration - Access Deny (Post-Auth) rest_reject: --> Registration - Access Deny (Post-Auth) rest_reject: Module-Failure-Message := “Registration - Access Deny (Post-Auth)”

I’m not sure where I have misconfigured this. Please help me resolve this issue. I also attach detail log for deeper analysis in the follow link

https://drive.google.com/file/d/1EdOrojp-KYVcHPYxujuEdkmjEBjYpiKD/view?usp=drive_link

Labels:
563
0 Kudos
1 Solution
ebilcari
Staff
Staff

Created on ‎01-22-2024 01:14 AM

The first error can be ignored, usually it's not an indication of authentication failure.

You can focus on the configuration of the supplicant in the end host, the winbind process in FNAC and the device registration.

For the supplicant, if the end host is windows is recommended to follow the network wizard, connecting directly from the taskbar will not show all the options.

To check the winbind configuration you can run this commands from FNAC CLI:

> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded

 

For device registration in FNAC, there are many ways to do it but auto registration is the easiest way in case when the hosts are authenticated via EAP:

auto reg.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

545
5 REPLIES 5
ebilcari
Staff
Staff

Created on ‎01-22-2024 01:14 AM

The first error can be ignored, usually it's not an indication of authentication failure.

You can focus on the configuration of the supplicant in the end host, the winbind process in FNAC and the device registration.

For the supplicant, if the end host is windows is recommended to follow the network wizard, connecting directly from the taskbar will not show all the options.

To check the winbind configuration you can run this commands from FNAC CLI:

> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded

 

For device registration in FNAC, there are many ways to do it but auto registration is the easiest way in case when the hosts are authenticated via EAP:

auto reg.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
546
anhbt
New Contributor II
In response to ebilcari

Created on ‎01-23-2024 08:10 PM

Hi @ebilcari your suggestion is work. Just enable Dot1.x auto registration. Thank for your support

483
ebilcari
Staff
Staff
In response to anhbt

Created on ‎01-24-2024 12:12 AM

I'm glad it worked for your setup, you're welcome!

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
463
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-22-2024 01:22 AM

Try specify the domain in the username field when you login, like this: domain\username

AEK
AEK
541
anhbt
New Contributor II
In response to AEK

Created on ‎01-23-2024 08:13 PM

Thank for your feedback. @ebilcari showed me the right solution.

480
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.