We have WiFi networks with WPA2 Enterprise security successfully working in our environment. After recent firmware upgrade from v.5.2.3 to v.5.2.5 on all our FortiGate and FortiWifi boxes, old computers with Windows XP on them cannot connect to the wireless networks any longer.
Although we do not have many Windows XP installations left - none of them cannot connect to WPA2 Enterprise wireless networks. There was no such a problem before the upgrade.
All our FortiAPs units (FAP 220B, 320C, 321C) have the latest (v5.2.4 build 0245) on them.
Does anyone experience the same issue?
Thank you for any thoughts and ideas.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
VicAndr wrote:
Now, could someone explain (or, perhaps, point to some document or KB article) how a certificate being used in the course of WPA2-Enterprise client connection negotiation, and why disabling certificate validation on the client side still doesn't "fix" WiFi connectivity issue (in case of XP)?
This will just accept certificates which are not signed by a know ceritificate authority.
But the certificate will still be used to create an encrypted channel to exchange the authentication information.
Okay I won't bash it but Windows XP should be eliminated. Next where you using WPA-ent with windowsXp b4 the upgrade ?
Your choice are to diagnose the windows XP WPA-ENT or build a 2nd VAP and set WPA-Personal just for these clients.
to diagnose the WPA-ENT radius do the following;
1: test the user account using chap ( I bet your probably btw is chap related )
diag test authsercer <the define servername> mscap username password
Try chap or mschap2 depending on the server
2: Run the diagnose commands for debug output
diag debug reset
diag debug en
diag debug app radius -1
FWIW: the WPA-personal on a new VAP and SSID would make life easier ;)
PCNSE
NSE
StrongSwan
Emnoc,
Thank you for your always relevant and thoughtful responses! Because of guys like you, Fortinet Forums has become an extremely valuable resource - in many cases sharing users' knowledge and "real life" experiences through forums allows to find solutions or workarounds for issues, for which Fortinet Support does not have answers for (or take them too-o-o-o-o long to respond).
OK, let's back to the issue itself now. Well, I agree in regards to Windows XP with you, ...generally. But if have few boxes loaded with this, or any other outdated OS, which perfectly serve the purpose they were put in place for, why would you waste your time and money (a new OS license comes at a cost, right?!) to make an upgrade for the "sake of upgrade"? In our case we have a few small (book-size) computers with Windows XP, which serve as a media players to drive big screens installed at different locations to present information about courses, and other opportunities provided by our company. Windows XP is listed as supported by FortiOS 5.2 (Deploying Wireless Networks, p. 80), and, in fact, it worked just fine before upgrading to maintenance release 5, build 701. But now it doesn't and I can't figure out why.
There is nothing wrong with user's account. BTW, windows XP uses not Chap but MS-CHAPv2 for authentication. When you use a diagnose command you are referring to, it shows a successful authentication. The thing though is - with this diag command you test authentication path between wireless controller on firewall and a RADIUS server - a client itself and FortiAP it is connecting to a WiFi network through, "remain out of the picture".
In regards to your second command script involving few diag commands - it doesn't work at all. ...until you add yet one more command before the last one:
diag debug app fnbamd -1
Something has changed inside FortiOS 5.2.5, which prevent Windows XP machines from being authenticated, since nothing else has changed in the authentication path involving the following components:
Mobile Client -> FortiAP -> Wireless Controller (FortiGate) -> RADIUS servers
I've opened the case with Fortinet Support. They asked me to run a diagnostic script - I did and submitted results to them. And now, a week later, I still do not have any response from them.
I've made some troubleshooting efforts which reinforced my thinking that Windows XP is "No-Go" for WPA2 Enterprise on FortiOS v.5.2.5:
[ul]Still no response from Fortinet on this. This is a holiday season - perhaps, that is why. Or, maybe, they are waiting for an expert member to post a solution or explanation here, so that they could "move the case forward" .
FWIW Windows XP does support WPA2-Ent but I wouldn't waste my time t-shooting it.
You need to ensure that your aware of EAP w/msChapv2 is enabled. If it was working b4 the FortiOS you probably need to dump the show full configuration and look at the details.
config user radius edit RADIUS01SRV set auth-type ms-chap_v2 set server 192.168.29.22 set secret mybada$$$secret end
config wireless-controller vap edit "MYWAP"
sec encrypt AES
set ssid GUESTNET01
set vdom GUESTVD01
set security
set security wpa-enterprise
set auth radius
set radius-server RADIUS01SRV next end
PCNSE
NSE
StrongSwan
Configuration is fine, authentication and everything else had been working flawlessly for years starting from FortiOS 4.3 and through all those builds, firmware releases, FortiGate/FortiWiFi units replacements (due to hardware failures or units upgrades) along the way until the last firmware upgrade to v.5.2.5.
In my view - this is something to do with internal changes to FortiOS rather than some "wrong doing" on my end. However, Fortinet support rep. eventually I got response from, has a different opinion:
I have been researching the issue and believe the root cause is related to Microsoft Security Advisory 3033929 (https://technet.microsoft...curity/3033929). FortiOS 5.2.5 uses a different default certificate than it did in version 5.2.3, which produces an issue on hosts that do not have the applicable SHA2 certificates update installed. Since updates such as this one are no longer back ported to Windows XP, the resolution will be to upgrade the host to at least Windows 7.
I tried FAP(5.2.3 and 5.2.5) against windows XP client. Client associated to FAP successfully with both version. Did not see connectivity issue after upgrade to 5.2.5. Here is my configurations on clients side:
1. create SSID profile under "Wireless Networks"
2. set "Network Authentication" to WPA2
3. set "Data encryption" to AES
4. then go to "Authentication"
5. select "EAP type" to "Protected EAP(PEAP)
6. click "Properties"
7. uncheck "Validate server certificate" box
8. go to "Select Authentication Method" and click "Configure"
9. uncheck "EAP MSCHAPv2 Properties"---->"Automatically use my Windows login name and password" box
10. click "OK" to save all changes
11. when client is trying to associate to AP, input user name and password manually.
THanks for posting
I was going to post the same. I personally don't believe the SHA2 certificate is the issue.
PCNSE
NSE
StrongSwan
Happy New Year folks!
The more we go with this conversation the more amusing it becomes. I've escalated the case to the next support level, and here is response from L2 TAC engineer:
As per this issue, as of 5.2.5 Windows XP is no longer supported due to compatibility reasons. The FortiGate has increased the security and is now using SHA256 certificates which is not supported under Windows XP. In short, Windows XP systems do not have SHA2 code signing support.
As Windows XP is no longer supported by Microsoft, we no longer include support for it within our devices/operating system. The resolution for this would be to upgrade the host system to Windows 7 or later.
This information can be located within the release notes for 5.2.5 REF PG 9 -> Built-In Certificate FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.
It seems to "explain" what is going on in my case. There are few reasons for me though NOT to accept such an explanation:
[ol]
OK, let's look at my particular configuration to see what might be the culprit of our post-upgrade XP-WiFi-connectivity issues. Here are relevant extracts:
config wireless-controller vap edit "TCET" set vdom "root" set ssid "TCET" set security wpa2-only-enterprise set radius-mac-auth enable set radius-mac-auth-server "TCET_RADIUS" set auth usergroup set usergroup "TCET_WLAN_Enterprise" next end
config user group edit "TCET_WLAN_Enterprise" set member "TCET_RADIUS" config match edit 1 set server-name "TCET_RADIUS" set group-name "TCET_WLAN_Enterprise" next end next end
config user radius edit "TCET_RADIUS" set server "10.0.0.12" set secret ENC XXX.............XXX set secondary-server "10.0.0.9" set secondary-secret ENC YYY..................YYY next end
Microsoft IAS and NPS serve as RADIUS servers in our case.
Any ideas what might be wrong with the configuration?
set auth usergroup set usergroup "TCET_WLAN_Enterprise"
Is there any reason you want the Fortigate Certificate instead of your radius server cert? I'd point directly to the radius server in your SSID setup so the Fortigate wouldn't be involved with certs at all
set radius-mac-auth enable set radius-mac-auth-server "TCET_RADIUS"
Fort troubleshooting I'd disable the mac authentication you have above.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.