JaapHoetmer
New Contributor III

FortiOS 6.0.1 Radius Wifi authentication

Hi all,

One of our customers has a FortiGate 100D running FortiOS 6.0.1, as well as several FortiAP antennas. We are experiencing problems with WPA2-Enterprise authentication using RADIUS on a Windows server (2008 R2).

This has worked before, so we suspect the issue was introduced with a recent upgrade to FortiOS 6.0.1.

The authentication used is MSCHAPv2.

No mobile device can connect to the SSID protected with WPA2-Enterprise. On a Windows 10 machine the wireless connection attempt, after providing username and password, simply says 'Unable to connect to this network'.

The Windows Event Viewer shows a security audit failure, stating that a request was attempted using PEAP, and the request is stopped at the connection request policy because the server doesn't understand it (The message received was unexpected or badly formatted):

Authentication Details:
    Connection Request Policy Name: rsso-wifi
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: FCDCS01.FC2.local
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: 35424144433941352D3030303232374636
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 266
    Reason: The message received was unexpected or badly formatted.

Now when I try to execute a diag test authserver radius <servername> mschap2 <username> <password> from the firewall, the request is successful, and the event viewer shows a correct message granting access. The authentication type is correctly shown as MSCHAPv2:

Authentication Details:
    Connection Request Policy Name: rsso-wifi
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: FCDCS01.FC2.local
    Authentication Type: MS-CHAPv2
    EAP Type: -
    Account Session Identifier: 3462623464343239
Quarantine Information:
    Result: Full Access
    Extended-Result: -
    Session Identifier: -
    Help URL: -
    System Health Validator Result(s): -

I suspect the FortiGate is not sending requests received from the mobile devices to the RADIUS server correctly. We couldn't find this particular problem in the release notes of versions 6.0.2 and 6.0.3, so we are not sure an upgrade would resolve this issue.

Does anybody have any further information or suggestions?

Thanks, much appreciated.

Jaap

Kind regards, Jaap
1 REPLY 1
mfawaz
New Contributor

Hello,

Did you ever figure out a solution to this issue?

Thank you,

Mike
