Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tagayev
New Contributor II

FortiNAC EAP-TLS and MAB Authentication Issue

Dear Fortinet TAC Support,

I am currently implementing EAP-TLS authentication in our company’s network. Our environment consists of Domain Joined PCs, IP Phones, and Printers. I have configured 802.1x with MAC Authentication Bypass (MAB) for non-EAP-capable devices. The 802.1x policy configuration is below.

config switch-controller security-policy 802-1X
    edit "FNAC-802-1X"
        set security-mode 802.1X-mac-based
        set user-group "FNAC-Switch"
        set mac-auth-bypass enable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans enable
        set guest-vlan disable
        set auth-fail-vlan enable
        set auth-fail-vlan-id "NAC_AG_Dead_End"
        set framevid-apply enable
        set radius-timeout-overwrite disable
        set authserver-timeout-vlan enable
        set authserver-timeout-vlanid "AG_Corp_WiFi"
        set authserver-timeout-tagged disable
        set dacl disable
    next
end

Here is the current status:

  1. EAP-TLS for Domain Joined PCs: Working as expected.
  2. MAB for Printers and IP Phones: Also functioning correctly.

However, I am encountering a strange issue with rogue PCs. These devices receive an Authenticate Response: OK from the RADIUS server instead of an Authentication Failed response. As a result, they are placed into the Registration VLAN if the Force Registration Group is applied to the port, or into the Default VLAN if no policy is applied.

My expectation was that these Rogue PCs would receive an Authentication Failed response and be placed into the auth-fail-vlan configured in the switch security policy.

Could you please help me understand why this is happening and how to ensure Rogue PCs are appropriately flagged as authentication failures and placed in the correct VLAN?

Thank you for your assistance.

AEK
SuperUser

Hi Tagayev

The first thing to look at is why the RADIUS response is OK for rogue devices. Once this is fixed I think your issue will be resolved.

BTW, are rogues still authenticated when you disable MAB?

PS: This is FTNT community, not TAC support.

AEK
ebilcari
Staff

This is the expected behavior. FortiNAC normally doesn't reject authentications; it tends to isolate the hosts instead, in the case of a Rogue for example, but even when a host is disabled it will try to push a dead-end VLAN rather than reject. All isolation networks also have portal access to notify the end user about their status.

If you want to silently isolate the unregistered hosts you can set up a Registration VLAN in model configuration with the same value of 'NAC_AG_Dead_End' to be pushed from RADIUS or don't enforce Registration on the switch ports and set this VLAN as the Default VLAN.

The registration can also be denied for new rogue hosts that are seen in the network at device level:

[Screenshot: deny-reg.PNG]

- Emirjon
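AEK's advice to first check what the RADIUS server actually returns, and Emirjon's point that FortiNAC answers a rogue with an Access-Accept carrying an isolation VLAN rather than an Access-Reject, can both be verified on the wire. The decoder below is an added example, not code from this thread or from Fortinet: it parses a RADIUS response, extracts the RFC 2868 tunnel attributes a FortiSwitch uses for VLAN assignment, and reports which VLAN the port ends up in and why; the VLAN names and the sample packets (zeroed authenticator) are constructed for illustration, and real input would come from a capture of the switch-to-FortiNAC RADIUS exchange.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                      # RADIUS codes (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6                # values a switch expects for a VLAN push

def parse_attributes(payload: bytes) -> list:
    """Walk the attribute TLVs (type, length, value) that follow the 20-byte header."""
    attrs, i = [], 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + alen]))
        i += alen
    return attrs

def split_tag(value: bytes):
    """RFC 2868: a first octet of 0x00..0x1F is a tag that groups one VLAN assignment."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def classify_response(packet: bytes, auth_fail_vlan: str, default_vlan: str) -> dict:
    """Mirror the switch's decision: Reject -> auth-fail-vlan; Accept with a tunnel
    VLAN -> that VLAN (what FortiNAC pushes for isolation); Accept without -> port default."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20 or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        raise ValueError("not a well-formed Access-Accept/Access-Reject")
    if code == ACCESS_REJECT:
        return {"result": "reject", "vlan": auth_fail_vlan, "source": "auth-fail-vlan"}
    groups = {}  # tag -> {attribute type: value}; one assignment shares a tag
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, raw = split_tag(value)
            groups.setdefault(tag, {})[atype] = raw
    for g in groups.values():
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return {"result": "accept", "vlan": g[TUNNEL_PRIVATE_GROUP_ID].decode(), "source": "radius"}
    return {"result": "accept", "vlan": default_vlan, "source": "port-default"}

def build_sample(code: int, vlan: str = None, ident: int = 7) -> bytes:
    """Constructed sample packet (zeroed authenticator; not a real capture)."""
    attrs = b""
    if vlan is not None:  # tag 1 on all three attributes so they form one assignment
        attrs += bytes([TUNNEL_TYPE, 6, 1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, 1]) + MEDIUM_IEEE_802.to_bytes(3, "big")
        attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(vlan), 1]) + vlan.encode()
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs
```

Running `classify_response` over the three sample packets shows the three outcomes the thread describes: an Accept naming 'NAC_AG_Dead_End' lands the host in that VLAN, a Reject would fall to the switch's auth-fail-vlan, and an Accept with no tunnel attributes leaves the port on its default VLAN.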