FortiOS v5.2.5: Windows XP cannot connect to WPA2 Enterprise WiFi
We have WiFi networks with WPA2 Enterprise security successfully working in our environment. After a recent firmware upgrade from v.5.2.3 to v.5.2.5 on all our FortiGate and FortiWifi boxes, old computers with Windows XP on them cannot connect to the wireless networks any longer.
Although we do not have many Windows XP installations left, none of them can connect to WPA2 Enterprise wireless networks. There was no such problem before the upgrade.
All our FortiAPs units (FAP 220B, 320C, 321C) have the latest (v5.2.4 build 0245) on them.
Now, could someone explain (or, perhaps, point to some document or KB article) how a certificate is being used in the course of WPA2-Enterprise client connection negotiation, and why disabling certificate validation on the client side still doesn't "fix" the WiFi connectivity issue (in the case of XP)?
This will just accept certificates which are not signed by a known certificate authority.
But the certificate will still be used to create an encrypted channel to exchange the authentication information.
Thank you for your always relevant and thoughtful responses! Because of guys like you, Fortinet Forums has become an extremely valuable resource - in many cases sharing users' knowledge and "real life" experiences through forums allows one to find solutions or workarounds for issues for which Fortinet Support does not have answers (or takes too-o-o-o-o long to respond).
OK, let's get back to the issue itself now. Well, I agree with you in regards to Windows XP, ...generally. But if you have a few boxes loaded with this, or any other outdated OS, which perfectly serve the purpose they were put in place for, why would you waste your time and money (a new OS license comes at a cost, right?!) to make an upgrade for the "sake of upgrade"? In our case we have a few small (book-size) computers with Windows XP, which serve as media players to drive big screens installed at different locations to present information about courses, and other opportunities provided by our company. Windows XP is listed as supported by FortiOS 5.2 (Deploying Wireless Networks, p. 80), and, in fact, it worked just fine before upgrading to maintenance release 5, build 701. But now it doesn't and I can't figure out why.
There is nothing wrong with the user's account. BTW, Windows XP uses not CHAP but MS-CHAPv2 for authentication. When you use the diagnose command you are referring to, it shows a successful authentication. The thing though is - with this diag command you test the authentication path between the wireless controller on the firewall and a RADIUS server; the client itself and the FortiAP it is connecting to the WiFi network through "remain out of the picture".
In regards to your second command script involving a few diag commands - it doesn't work at all. ...until you add yet one more command before the last one:
diag debug app fnbamd -1
Something has changed inside FortiOS 5.2.5 which prevents Windows XP machines from being authenticated, since nothing else has changed in the authentication path involving the following components:
I've made some troubleshooting efforts which reinforced my thinking that Windows XP is "No-Go" for WPA2 Enterprise on FortiOS v.5.2.5:
None of the computers with Windows XP I tried can connect to the wireless network.
On the other hand, when we upgraded one of the computers to Windows 7 (same hardware, same WiFi configuration, same everything else) - it connected flawlessly.
Still no response from Fortinet on this. This is a holiday season - perhaps, that is why. Or, maybe, they are waiting for an expert member to post a solution or explanation here, so that they could "move the case forward".
Configuration is fine, authentication and everything else had been working flawlessly for years starting from FortiOS 4.3 and through all those builds, firmware releases, FortiGate/FortiWiFi unit replacements (due to hardware failures or unit upgrades) along the way until the last firmware upgrade to v.5.2.5.
In my view - this is something to do with internal changes to FortiOS rather than some "wrong doing" on my end. However, the Fortinet support rep I eventually got a response from has a different opinion:
I have been researching the issue and believe the root cause is related to Microsoft Security Advisory 3033929 (https://technet.microsoft...curity/3033929). FortiOS 5.2.5 uses a different default certificate than it did in version 5.2.3, which produces an issue on hosts that do not have the applicable SHA2 certificates update installed. Since updates such as this one are no longer back ported to Windows XP, the resolution will be to upgrade the host to at least Windows 7.
I tried FAP (5.2.3 and 5.2.5) against a Windows XP client. The client associated to the FAP successfully with both versions. I did not see a connectivity issue after the upgrade to 5.2.5. Here is my configuration on the client side:
1. create SSID profile under "Wireless Networks"
2. set "Network Authentication" to WPA2
3. set "Data encryption" to AES
4. then go to "Authentication"
5. set "EAP type" to "Protected EAP (PEAP)"
6. click "Properties"
7. uncheck "Validate server certificate" box
8. go to "Select Authentication Method" and click "Configure"
9. uncheck "EAP MSCHAPv2 Properties"---->"Automatically use my Windows login name and password" box
10. click "OK" to save all changes
11. when client is trying to associate to AP, input user name and password manually.
The more we go with this conversation the more amusing it becomes. I've escalated the case to the next support level, and here is the response from the L2 TAC engineer:
As per this issue, as of 5.2.5 Windows XP is no longer supported due to compatibility reasons. The FortiGate has increased the security and is now using SHA256 certificates, which are not supported under Windows XP. In short, Windows XP systems do not have SHA2 code signing support.
As Windows XP is no longer supported by Microsoft, we no longer include support for it within our devices/operating system. The resolution for this would be to upgrade the host system to Windows 7 or later.
This information can be located within the release notes for 5.2.5 REF PG 9 -> Built-In Certificate FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.
It seems to "explain" what is going on in my case. There are a few reasons for me though NOT to accept such an explanation:
The statement in the v.5.2.5 Release Notes says that it affects FortiGate and FortiWiFi units of the D-series; it doesn't say anything about other series. And yet we have the very same issue on FortiGate/FortiWiFi units of the C-series after the upgrade to 5.2.5.
XP-clients still cannot connect to WPA-Enterprise even after certificate validation is disabled on the client side.
If Windows XP WiFi compatibility is among the known issues, why do the v.5.2.5 Release Notes not clearly state it?
"Deploying Wireless Networks" document for FortiOS v.5.2 (and freshly released FortiOS v.5.4 for that matter!) keeps "convincing" end-users that Windows XP is, in fact, supported by latest versions of FortiOS.
But the most killing argument is the fact that some of you do not have any problem connecting Windows XP clients to WPA-Enterprise WiFi.
OK, let's look at my particular configuration to see what might be the culprit of our post-upgrade XP-WiFi-connectivity issues. Here are relevant extracts:
config wireless-controller vap
    edit "TCET"
        set vdom "root"
        set ssid "TCET"
        set security wpa2-only-enterprise
        set radius-mac-auth enable
        set radius-mac-auth-server "TCET_RADIUS"
        set auth usergroup
        set usergroup "TCET_WLAN_Enterprise"
    next
end

config user group
    edit "TCET_WLAN_Enterprise"
        set member "TCET_RADIUS"
        config match
            edit 1
                set server-name "TCET_RADIUS"
                set group-name "TCET_WLAN_Enterprise"
            next
        end
    next
end

config user radius
    edit "TCET_RADIUS"
        set server "10.0.0.12"
        set secret ENC XXX.............XXX
        set secondary-server "10.0.0.9"
        set secondary-secret ENC YYY..................YYY
    next
end
Microsoft IAS and NPS serve as RADIUS servers in our case.
Any ideas what might be wrong with the configuration?
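Whether or not "Validate server certificate" is unchecked on the client, the PEAP outer TLS handshake still delivers the EAP server's certificate to the supplicant, which has to parse it and process its signature algorithm before the MS-CHAPv2 inner exchange even starts. The TAC explanation above turns on which signature algorithm that certificate carries, so the first thing to verify is what the controller (or NPS, when RADIUS terminates PEAP) actually presents. The script below is an added example, not code from the thread or from Fortinet: it reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate with the Python standard library only, and flags SHA-2 signatures. The certificate exported from the box would be read with pem_to_der; the constructed_certificate helper only builds a certificate-shaped DER blob (placeholder tbsCertificate, dummy signature) so the check can be exercised offline, and is not a real certificate.

```python
import base64

# Signature-algorithm OIDs a PEAP/EAP-TLS server certificate commonly carries.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn the DER body of an OBJECT IDENTIFIER into dotted form."""
    parts = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der):
    """Return the name (or dotted OID) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def is_sha2_signed(der):
    """True when the signature uses a SHA-2 digest (SHA-256/384/512)."""
    name = signature_algorithm(der).lower()
    return any(d in name for d in ("sha256", "sha384", "sha512"))


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode (for a certificate exported from the controller or NPS)."""
    lines = [l.strip() for l in pem_text.splitlines()
             if l.strip() and not l.strip().startswith("-----")]
    return base64.b64decode("".join(lines))


# --- constructed sample data (not a real certificate) -------------------------
def _tlv(tag, body):
    """Encode a DER tag-length-value (short and long length forms)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER body."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(sig_oid):
    """Certificate-shaped DER: placeholder tbsCertificate, real signatureAlgorithm, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                              # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + bytes(16))                               # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = constructed_certificate(oid)
        print(signature_algorithm(der), "SHA-2 signed:", is_sha2_signed(der))
```

Run it against the certificate the SSID actually serves (the controller's certificate with "set auth usergroup", the NPS certificate when RADIUS terminates PEAP) to compare what the 5.2.3 and 5.2.5 boxes present; if the only difference is the signature digest, the TAC explanation is at least consistent with the observed behaviour.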
set auth usergroup set usergroup "TCET_WLAN_Enterprise"
Is there any reason you want the Fortigate Certificate instead of your radius server cert? I'd point directly to the radius server in your SSID setup so the Fortigate wouldn't be involved with certs at all
set radius-mac-auth enable set radius-mac-auth-server "TCET_RADIUS"
For troubleshooting I'd disable the mac authentication you have above.