Support Forum
VicAndr
New Contributor III

FortiOS v5.2.5: Windows XP cannot connect to WPA2 Enterprise WiFi

We have WiFi networks with WPA2 Enterprise security successfully working in our environment. After recent firmware upgrade from v.5.2.3 to v.5.2.5 on all our FortiGate and FortiWifi boxes, old computers with Windows XP on them cannot connect to the wireless networks any longer.

 

Although we do not have many Windows XP installations left, none of them can connect to WPA2 Enterprise wireless networks. There was no such problem before the upgrade.

 

All our FortiAP units (FAP 220B, 320C, 321C) have the latest firmware (v5.2.4 build 0245) on them.

 

Does anyone experience the same issue?

 

Thank you for any thoughts and ideas.

1 Solution
localhost

VicAndr wrote:

 

Now, could someone explain (or, perhaps, point to some document or KB article) how a certificate is being used in the course of WPA2-Enterprise client connection negotiation, and why disabling certificate validation on the client side still doesn't "fix" the WiFi connectivity issue (in case of XP)?

This will just accept certificates which are not signed by a known certificate authority.

But the certificate will still be used to create an encrypted channel to exchange the authentication information.

emnoc
Esteemed Contributor III

Okay I won't bash it but Windows XP should be eliminated. Next, were you using WPA-Ent with Windows XP before the upgrade?

Your choices are to diagnose the Windows XP WPA-ENT or build a 2nd VAP and set WPA-Personal just for these clients.

 

To diagnose the WPA-ENT RADIUS, do the following:

1: Test the user account using CHAP (I bet your problem, btw, is CHAP related)

diag test authserver radius <the defined servername> mschap <username> <password>

Try chap or mschap2 depending on the server

 

2: Run the diagnose commands for debug output

 

diag debug reset

diag debug en

diag debug app radius -1  

 

FWIW: the WPA-personal on a new VAP and SSID would make life easier ;)

 

PCNSE NSE StrongSwan
VicAndr
New Contributor III

Emnoc,

 

Thank you for your always relevant and thoughtful responses! Because of guys like you, the Fortinet Forums have become an extremely valuable resource - in many cases sharing users' knowledge and "real life" experiences through forums allows finding solutions or workarounds for issues for which Fortinet Support does not have answers (or takes too-o-o-o-o long to respond).

 

OK, let's get back to the issue itself now. Well, I agree with you in regards to Windows XP, ...generally. But if you have a few boxes loaded with this, or any other outdated OS, which perfectly serve the purpose they were put in place for, why would you waste your time and money (a new OS license comes at a cost, right?!) to make an upgrade for the "sake of upgrade"? In our case we have a few small (book-size) computers with Windows XP, which serve as media players to drive big screens installed at different locations to present information about courses and other opportunities provided by our company. Windows XP is listed as supported by FortiOS 5.2 (Deploying Wireless Networks, p. 80), and, in fact, it worked just fine before upgrading to maintenance release 5, build 701. But now it doesn't and I can't figure out why.

 

There is nothing wrong with the user's account. BTW, Windows XP uses not CHAP but MS-CHAPv2 for authentication. When you use the diagnose command you are referring to, it shows a successful authentication. The thing though is - with this diag command you test the authentication path between the wireless controller on the firewall and a RADIUS server - the client itself and the FortiAP it is connecting to a WiFi network through "remain out of the picture".

 

In regards to your second command script involving a few diag commands - it doesn't work at all ...until you add yet one more command before the last one:

 

diag debug app fnbamd -1

 

Something has changed inside FortiOS 5.2.5 which prevents Windows XP machines from being authenticated, since nothing else has changed in the authentication path involving the following components:

 

Mobile Client -> FortiAP -> Wireless Controller (FortiGate) -> RADIUS servers

 

I've opened a case with Fortinet Support. They asked me to run a diagnostic script - I did and submitted the results to them. And now, a week later, I still do not have any response from them.

 

VicAndr
New Contributor III

I've made some troubleshooting efforts which reinforced my thinking that Windows XP is "No-Go" for WPA2 Enterprise on FortiOS v.5.2.5:

• None of the computers with Windows XP I tried can connect to the wireless network.
• On the other hand, when we upgraded one of the computers to Windows 7 (same hardware, same WiFi configuration, same everything else) - it connected flawlessly.

Still no response from Fortinet on this. This is a holiday season - perhaps, that is why. Or, maybe, they are waiting for an expert member to post a solution or explanation here, so that they could "move the case forward".

emnoc
Esteemed Contributor III

FWIW Windows XP does support WPA2-Ent but I wouldn't waste my time t-shooting it.

You need to ensure that you're aware that EAP w/ MSChapv2 is enabled. If it was working before the FortiOS upgrade you probably need to dump the show full configuration and look at the details.

config user radius
    edit RADIUS01SRV
        set auth-type ms-chap_v2
        set server 192.168.29.22
        set secret mybada$$$secret
    next
end

config wireless-controller vap
    edit "MYWAP"
        set encrypt AES
        set ssid GUESTNET01
        set vdom GUESTVD01
        set security wpa-enterprise
        set auth radius
        set radius-server RADIUS01SRV
    next
end
VicAndr
New Contributor III

Configuration is fine; authentication and everything else had been working flawlessly for years starting from FortiOS 4.3 and through all those builds, firmware releases, FortiGate/FortiWiFi unit replacements (due to hardware failures or unit upgrades) along the way, until the last firmware upgrade to v.5.2.5.

In my view - this is something to do with internal changes to FortiOS rather than some "wrong doing" on my end. However, the Fortinet support rep. I eventually got a response from has a different opinion:

I have been researching the issue and believe the root cause is related to Microsoft Security Advisory 3033929 (https://technet.microsoft...curity/3033929). FortiOS 5.2.5 uses a different default certificate than it did in version 5.2.3, which produces an issue on hosts that do not have the applicable SHA2 certificates update installed. Since updates such as this one are no longer back ported to Windows XP, the resolution will be to upgrade the host to at least Windows 7.

wanglei_FTNT

I tried FAP (5.2.3 and 5.2.5) against a Windows XP client. The client associated to the FAP successfully with both versions. I did not see a connectivity issue after the upgrade to 5.2.5. Here is my configuration on the client side:

1. create an SSID profile under "Wireless Networks"
2. set "Network Authentication" to WPA2
3. set "Data encryption" to AES
4. then go to "Authentication"
5. set "EAP type" to "Protected EAP (PEAP)"
6. click "Properties"
7. uncheck the "Validate server certificate" box
8. go to "Select Authentication Method" and click "Configure"
9. uncheck the "EAP MSCHAPv2 Properties" ----> "Automatically use my Windows login name and password" box
10. click "OK" to save all changes
11. when the client is trying to associate to the AP, input user name and password manually.

emnoc
Esteemed Contributor III

Thanks for posting

I was going to post the same. I personally don't believe the SHA2 certificate is the issue.
VicAndr
New Contributor III

Happy New Year folks!

The more we go with this conversation the more amusing it becomes. I've escalated the case to the next support level, and here is the response from the L2 TAC engineer:

As per this issue, as of 5.2.5 Windows XP is no longer supported due to compatibility reasons. The FortiGate has increased the security and is now using SHA256 certificates, which are not supported under Windows XP. In short, Windows XP systems do not have SHA2 code signing support.

As Windows XP is no longer supported by Microsoft, we no longer include support for it within our devices/operating system. The resolution for this would be to upgrade the host system to Windows 7 or later.

This information can be located within the release notes for 5.2.5 REF PG 9 -> Built-In Certificate: FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

It seems to "explain" what is going on in my case. There are a few reasons for me though NOT to accept such an explanation:

1. The statement in the v.5.2.5 Release Notes says that it affects FortiGate and FortiWiFi units of the D-series; it doesn't say anything about other series. And yet we have the very same issue on FortiGate/FortiWiFi units of the C-series after upgrade to 5.2.5.
2. XP clients still cannot connect to WPA-Enterprise even after certificate validation is disabled on the client side.
3. If Windows XP WiFi compatibility is among known issues, why do the v.5.2.5 Release Notes not clearly state it?
4. The "Deploying Wireless Networks" document for FortiOS v.5.2 (and freshly released FortiOS v.5.4 for that matter!) keeps "convincing" end-users that Windows XP is, in fact, supported by the latest versions of FortiOS.
5. But the most killing argument is the fact that some of you do not have any problem connecting Windows XP clients to WPA-Enterprise WiFi.

OK, let's look at my particular configuration to see what might be the culprit of our post-upgrade XP-WiFi-connectivity issues. Here are relevant extracts:

config wireless-controller vap
    edit "TCET"
        set vdom "root"
        set ssid "TCET"
        set security wpa2-only-enterprise
        set radius-mac-auth enable
        set radius-mac-auth-server "TCET_RADIUS"
        set auth usergroup
        set usergroup "TCET_WLAN_Enterprise"
    next
end

config user group
    edit "TCET_WLAN_Enterprise"
        set member "TCET_RADIUS"
        config match
            edit 1
                set server-name "TCET_RADIUS"
                set group-name "TCET_WLAN_Enterprise"
            next
        end
    next
end

config user radius
    edit "TCET_RADIUS"
        set server "10.0.0.12"
        set secret ENC XXX.............XXX
        set secondary-server "10.0.0.9"
        set secondary-secret ENC YYY..................YYY
    next
end

Microsoft IAS and NPS serve as RADIUS servers in our case.

Any ideas what might be wrong with the configuration?
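The certificate question runs through two posts above: the accepted solution (the server certificate still sets up the PEAP TLS tunnel even when "Validate server certificate" is unchecked on the client) and the L2 TAC reply (the 5.2.5 default certificate is SHA256 signed). Whether the certificate the RADIUS server or FortiGate actually presents is SHA-2 signed can be checked by inspection rather than argument. The script below is an added example, not code from the thread or from Fortinet: a stdlib-only Python reader for the outer signatureAlgorithm of an X.509 certificate (DER or PEM). The `make_sample_cert` and `to_pem` helpers build constructed placeholders purely so the demo runs offline; to check a real deployment, export the certificate from the NPS/IAS server or the FortiGate and pass its bytes to `signature_algorithm`.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM), stdlib only.

Added example for this thread, not Fortinet code. The server certificate builds the
PEAP TLS tunnel even when the XP client skips validation, so knowing whether it is
SHA-2 signed is the first fact to establish before accepting the TAC explanation.
"""
import base64

# Signature-algorithm OIDs from PKCS #1 / X9.62 (real values, not constructed)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Dotted string from OID contents (base-128 arcs; first byte packs two arcs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def load_der(data):
    """Accept raw DER bytes or a PEM block and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(ln.strip() for ln in data.splitlines() if not ln.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm(cert):
    """Return (oid, name) of the outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    der = load_der(cert)
    tag, body, _ = _read_tlv(der, 0)
    tbs_tag, _, pos = _read_tlv(body, 0)        # skip tbsCertificate
    alg_tag, alg, _ = _read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)         # its first element is the OID
    if (tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded X.509 Certificate")
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_OIDS.get(dotted, "unknown")


def is_sha2_signed(cert):
    """True when the signature hash is SHA-256/384/512 (the SHA-2 support the TAC replies refer to)."""
    name = signature_algorithm(cert)[1].lower()
    return any(h in name for h in ("sha256", "sha384", "sha512"))


# --- helpers that build a CONSTRUCTED placeholder for the demo; not a valid certificate ---
def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, value):
    return bytes([tag]) + _encode_len(len(value)) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes(body)


def make_sample_cert(sig_oid):
    """Outer shape of a Certificate only: a one-field tbsCertificate and a dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                   # serial INTEGER 1
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))    # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 4)                                  # BIT STRING, dummy
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n").encode()


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        sample = make_sample_cert(oid)
        print(signature_algorithm(sample), "SHA-2 signed:", is_sha2_signed(sample))
```

On a box with OpenSSL the same fact is the "Signature Algorithm" line of `openssl x509 -in cert.pem -noout -text`; the point of the script is that it needs nothing installed and can be pointed at whatever the wireless controller hands the client.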

Bromont_FTNT

set auth usergroup
set usergroup "TCET_WLAN_Enterprise"

Is there any reason you want the FortiGate certificate instead of your RADIUS server cert? I'd point directly to the RADIUS server in your SSID setup so the FortiGate wouldn't be involved with certs at all.

set radius-mac-auth enable
set radius-mac-auth-server "TCET_RADIUS"

For troubleshooting I'd disable the MAC authentication you have above.
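Bromont's two suggestions (point the SSID straight at the RADIUS server instead of a user group, and turn off radius-mac-auth while troubleshooting) and emnoc's earlier working example (which sets `auth-type ms-chap_v2` on the RADIUS entry, where the posted extract leaves it unset) are all checkable from the config text. The following is an added example, not Fortinet code and not from the thread: a Python script that parses FortiOS `config / edit / set / next / end` fragments into nested dicts and flags those three points on the `TCET` VAP. The embedded sample is the extract posted above, re-indented, with its `ENC` secret placeholders kept; the finding texts paraphrase the posts, and the `suggested_vap_fix` snippet uses `set auth radius` / `set radius-server` from emnoc's example plus `set radius-mac-auth disable`, the counterpart of the posted `enable`.

```python
"""Parse FortiOS config fragments and review a VAP against the advice in this thread.

Added example, not Fortinet code. Findings: (1) 'set auth usergroup' keeps the FortiGate
certificate in the EAP path (Bromont); (2) radius-mac-auth should be off while
troubleshooting (Bromont); (3) the 'user radius' entry leaves auth-type at default
where emnoc's working example sets ms-chap_v2 explicitly.
"""
import shlex

# Constructed sample: the VAP / user group / RADIUS extracts from the post, re-indented.
# The ENC secrets are the post's own placeholders, not real values.
SAMPLE_CONFIG = """
config wireless-controller vap
    edit "TCET"
        set vdom "root"
        set ssid "TCET"
        set security wpa2-only-enterprise
        set radius-mac-auth enable
        set radius-mac-auth-server "TCET_RADIUS"
        set auth usergroup
        set usergroup "TCET_WLAN_Enterprise"
    next
end
config user group
    edit "TCET_WLAN_Enterprise"
        set member "TCET_RADIUS"
        config match
            edit 1
                set server-name "TCET_RADIUS"
                set group-name "TCET_WLAN_Enterprise"
            next
        end
    next
end
config user radius
    edit "TCET_RADIUS"
        set server "10.0.0.12"
        set secret ENC XXX.............XXX
        set secondary-server "10.0.0.9"
        set secondary-secret ENC YYY..................YYY
    next
end
"""


def parse_fortios(text):
    """Nested dicts keyed by 'config' path, then 'edit' name, then 'set' key.

    Re-entering an existing config/edit merges into it, as the FortiOS CLI does.
    """
    lines = [shlex.split(ln) for ln in text.splitlines() if ln.strip()]
    pos = 0

    def block(node, closer):
        nonlocal pos
        while pos < len(lines):
            tok = lines[pos]
            pos += 1
            kw = tok[0]
            if kw == closer:                    # 'next' closes an edit, 'end' a config
                return node
            if kw == "set":                     # one value, or a list for multi-valued keys
                node[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
            elif kw == "unset":
                node.pop(tok[1], None)
            elif kw == "edit":
                block(node.setdefault(tok[1], {}), "next")
            elif kw == "config":
                block(node.setdefault(" ".join(tok[1:]), {}), "end")
        return node

    return block({}, None)


def review_vap(cfg, vap_name):
    """Return [(code, message)] findings for one VAP, following the thread's advice."""
    vap = cfg["wireless-controller vap"][vap_name]
    findings = []
    if vap.get("auth") == "usergroup":
        findings.append(("auth-usergroup", "auth is 'usergroup', so the FortiGate certificate is "
                         "in the EAP path; 'set auth radius' + 'set radius-server <name>' points "
                         "the SSID at the RADIUS server directly"))
    if vap.get("radius-mac-auth") == "enable":
        findings.append(("mac-auth", "radius-mac-auth is enabled; disable it while troubleshooting"))
    # Resolve which 'user radius' entries the VAP relies on: via the group, or directly.
    if vap.get("auth") == "usergroup":
        members = cfg.get("user group", {}).get(vap.get("usergroup"), {}).get("member", [])
        names = [members] if isinstance(members, str) else list(members)
    else:
        names = [vap["radius-server"]] if "radius-server" in vap else []
    for name in names:
        entry = cfg.get("user radius", {}).get(name)
        if entry is None:
            findings.append(("missing-radius", f"'{name}' is referenced but not defined"))
        elif "auth-type" not in entry:
            findings.append(("auth-type", f"user radius '{name}' leaves auth-type at default; "
                             "emnoc's working example sets ms-chap_v2 explicitly"))
    return findings


def suggested_vap_fix(vap_name, radius_name):
    """CLI snippet applying the two SSID-level changes suggested in the thread."""
    return "\n".join(["config wireless-controller vap", f'    edit "{vap_name}"',
                      "        set auth radius", f'        set radius-server "{radius_name}"',
                      "        set radius-mac-auth disable", "    next", "end"])


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for code, msg in review_vap(cfg, "TCET"):
        print(f"[{code}] {msg}")
    print(suggested_vap_fix("TCET", "TCET_RADIUS"))
```

Because the parser merges repeated `config`/`edit` blocks the way the CLI does, the fix snippet can be appended to the original extract and re-reviewed: the two SSID-level findings disappear and only the `auth-type` note remains, which is the one to settle on the RADIUS entry itself.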

     
