FortiOS v5.2.5: Windows XP cannot connect to WPA2 Enterprise WiFi
We have WiFi networks with WPA2 Enterprise security successfully working in our environment. After recent firmware upgrade from v.5.2.3 to v.5.2.5 on all our FortiGate and FortiWifi boxes, old computers with Windows XP on them cannot connect to the wireless networks any longer.
Although we do not have many Windows XP installations left, none of them can connect to WPA2 Enterprise wireless networks. There was no such problem before the upgrade.
All our FortiAP units (FAP 220B, 320C, 321C) have the latest firmware (v5.2.4 build 0245) on them.
Now, could someone explain (or, perhaps, point to some document or KB article) how a certificate is used in the course of WPA2-Enterprise client connection negotiation, and why disabling certificate validation on the client side still doesn't "fix" the WiFi connectivity issue (in the case of XP)?
This will just accept certificates which are not signed by a known certificate authority.
But the certificate will still be used to create an encrypted channel to exchange the authentication information.
Vic, turns out the root cause of your issue is that the RC4 cipher was removed in 5.2.5
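The two replies above make a point worth seeing in code: the client's certificate-validation setting only matters once a TLS cipher suite has been agreed, so a client whose only offered suites were removed on the controller side fails before the certificate is ever examined. The following Python model is an added example, not Fortinet's or the thread's code; the cipher-suite lists are constructed for illustration and are not taken from Windows XP or FortiOS documentation.

```python
"""Model of where the TLS tunnel setup inside a WPA2-Enterprise (PEAP/EAP-TLS)
handshake fails when the controller/RADIUS side stops offering a cipher suite
the client depends on.  Added example with constructed data, not product code.
"""
from dataclasses import dataclass
import ssl

# Constructed cipher-suite lists (assumption for illustration only):
# a legacy client that offers nothing but RC4-based suites, a client that
# also offers an AES suite, and a controller before/after dropping RC4.
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
MODERN_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
SERVER_BEFORE = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
SERVER_AFTER = [s for s in SERVER_BEFORE if "RC4" not in s]


@dataclass
class Outcome:
    stage: str    # "cipher", "certificate" or "tunnel": how far the handshake got
    ok: bool
    detail: str


def negotiate_suite(client_suites, server_suites):
    """Server-preference negotiation: the first suite in the server's list that
    the client also offered, or None when there is no overlap."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def handshake(client_suites, server_suites, validate_cert=True, cert_trusted=False):
    """Walk the handshake in order: cipher agreement first, certificate check
    second, and only then the encrypted tunnel that carries the credentials."""
    suite = negotiate_suite(client_suites, server_suites)
    if suite is None:
        # Cipher mismatch aborts here; the certificate setting is irrelevant.
        return Outcome("cipher", False,
                       "no common cipher suite; certificate never examined")
    if validate_cert and not cert_trusted:
        # This is the only failure that "disable certificate validation" removes.
        return Outcome("certificate", False,
                       f"{suite} agreed, but client rejected the server certificate")
    return Outcome("tunnel", True,
                   f"TLS tunnel up with {suite}; inner authentication can proceed")


def local_stack_offers_rc4():
    """Defender-side check: does this host's default TLS stack still offer any
    RC4 suite?  Modern Python/OpenSSL builds are expected to return False."""
    ctx = ssl.create_default_context()
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for label, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        for side, server in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
            out = handshake(client, server, validate_cert=False)
            print(f"{label:6} client, controller {side:6}: {out.stage:11} {out.detail}")
    print("local TLS stack offers RC4:", local_stack_offers_rc4())
```

Run with the constructed lists, the legacy client reaches the tunnel stage against the "before" server and stops at the cipher stage against the "after" server whether or not validation is disabled, while the client that also offers AES is the only one whose result changes with the validation setting; that is the behaviour the thread describes.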
Whether Fortinet is going to fix it (I mean putting the RC4 cipher back into the next maintenance release) or not - that is not so critical now (at least for me). What is important is that it explains the issue. Thank you, Bromont.
BTW, I received a similar response from TAC:
Development has reproduced this issue and opened a bug for further investigation.
Bug ID 0306827, Windows XP client failed to associate to FAP with local user group and remote Radius server
If they don't have plans to support XP any longer though, then, to avoid confusion, they should reflect that fact in the Release Notes, and remove the examples of how to set up Windows XP for a WPA-Enterprise WiFi network from the WiFi documentation.