I am currently trying to configure FortiNAC to authenticate 802.11 for devices using Wi-Fi. The topology is as follows: Client -> Cambium AP -> FortiNAC (RADIUS) -> Active Directory (User Database). FortiNAC has been configured to join AD, and LDAP authentication has also been integrated with AD. When the client sends an authentication request, the log on FortiNAC may show some errors such as:
rest_reject: EXPAND Registration - Access Deny (Post-Auth)
rest_reject: --> Registration - Access Deny (Post-Auth)
rest_reject: Module-Failure-Message := "Registration - Access Deny (Post-Auth)"
I’m not sure where I have misconfigured this. Please help me resolve this issue. I have also attached a detailed log for deeper analysis at the following link:
https://drive.google.com/file/d/1EdOrojp-KYVcHPYxujuEdkmjEBjYpiKD/view?usp=drive_link
The first error can be ignored; usually it's not an indication of authentication failure.
You can focus on the configuration of the supplicant in the end host, the winbind process in FNAC and the device registration.
For the supplicant, if the end host is Windows, it is recommended to follow the network wizard; connecting directly from the taskbar will not show all the options.
To check the winbind configuration, you can run this command from the FNAC CLI:
> wbinfo -a EB\\gimi
Enter EB\gimi's password:
plaintext password authentication succeeded
Enter EB\gimi's password:
challenge/response password authentication succeeded
For device registration in FNAC, there are many ways to do it, but auto registration is the easiest way in cases where the hosts are authenticated via EAP:
Hi @ebilcari, your suggestion works. Just enable Dot1.x auto registration. Thanks for your support.
I'm glad it worked for your setup, you're welcome!
Try specifying the domain in the username field when you log in, like this: domain\username
Thanks for your feedback. @ebilcari showed me the right solution.