Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
anhbt
New Contributor II

FortiNAC: Cannot Authenticate wifi Client with FortiNAC radius

I am currently trying to configure FortiNAC to authenticate 802.11 for devices using Wifi. The topology is as follows: Client -> Cambium AP -> Forti NAC (Radius) -> Active Directory (User Database). FortiNAC has been configured to join AD and LDAP authentication has also been integrated with AD. When the client sends an authentication request, the log on FortiNAC may show some errors such as:

  1. ERROR: No NT-Domain was found in the User-Name
  2.  

rest_reject: EXPAND Registration - Access Deny (Post-Auth) rest_reject: --> Registration - Access Deny (Post-Auth) rest_reject: Module-Failure-Message := “Registration - Access Deny (Post-Auth)”

I’m not sure where I have misconfigured this. Please help me resolve this issue. I also attach detail log for deeper analysis in the follow link

https://drive.google.com/file/d/1EdOrojp-KYVcHPYxujuEdkmjEBjYpiKD/view?usp=drive_link

1 Solution
ebilcari
Staff
Staff

The first error can be ignored, usually it's not an indication of authentication failure.

You can focus on the configuration of the supplicant in the end host, the winbind process in FNAC and the device registration.

For the supplicant, if the end host is windows is recommended to follow the network wizard, connecting directly from the taskbar will not show all the options.

To check the winbind configuration you can run this commands from FNAC CLI:

> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded

 

For device registration in FNAC, there are many ways to do it but auto registration is the easiest way in case when the hosts are authenticated via EAP:

auto reg.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

5 REPLIES 5
ebilcari
Staff
Staff

The first error can be ignored, usually it's not an indication of authentication failure.

You can focus on the configuration of the supplicant in the end host, the winbind process in FNAC and the device registration.

For the supplicant, if the end host is windows is recommended to follow the network wizard, connecting directly from the taskbar will not show all the options.

To check the winbind configuration you can run this commands from FNAC CLI:

> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded

 

For device registration in FNAC, there are many ways to do it but auto registration is the easiest way in case when the hosts are authenticated via EAP:

auto reg.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
anhbt
New Contributor II

Hi @ebilcari your suggestion is work. Just enable Dot1.x auto registration. Thank for your support

ebilcari

I'm glad it worked for your setup, you're welcome!

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
AEK
Honored Contributor

Try specify the domain in the username field when you login, like this: domain\username

AEK
AEK
anhbt
New Contributor II

Thank for your feedback. @ebilcari showed me the right solution.

Labels
Top Kudoed Authors