Hi,
I want to use the Fortiauthenticator for authenticate users from LDAP (remote users) with OTP and also use it for the WiFi username/password authentication.
When the user wants to authenticate via WiFi (FortiAP) i get an error on the Fortiauthenticator:
Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only
According to the documentation the Windows Active Directory Domain Authentication should be enabled to authenticate users via Kerberos.
I tried to set up this in the lab but the Fortiauthenticator is not allowed to contact the Windows AD. The security logs shows Audit Failure:
Failure Reason: Unknown user name or bad password.
How to set up this scenario?
Shloud I create a Computer account for the Fortiauthenticator - if yes it should be member of domain controllers?
Can I use the administrator account or should I create another one with some special privileges?
The documentation is not clear for me.
Thank you for any help.
AtiT
"Can I use the administrator account or should I create another one with some special privileges?"
Best to use a "service account" - one just for your FAC. It can have privileges to add new machines to the domain, and this can be limited to a few machine adds to prevent overuse.
"Shloud I create a Computer account for the Fortiauthenticator"
The AD account you use to join the FAC to the domain should have these permissions, then that will be done automatically. Otherwise you will need to create a new machine object manually.
"if yes it should be member of domain controllers?"
Definitely not. FAC won't "push" any changes to your domain. It just needs the ability to query the domain hierarchy.
Tell me anybody what right that service accout need (exactly domain user or domain computer ?) ? In case I make object for computer manualy.
DID You get any solution we are facing the same issue.
we are getting that the CANT CONNECT TO NETWORK error in our wifi, proper configuration is done
any solution
AtiT wrote:Hi there... resurrecting an old thread, but it's the only reference I found. I got the same error - what is the solution for that? I've looked into LDAP config on the FAC and there's nothing related to PAP/MSCHAP (and TBH, this only rings a bell in relation to RADIUS config).When the user wants to authenticate via WiFi (FortiAP) i get an error on the Fortiauthenticator:
Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only
Any help will be appreciated.
Thanks,
F.
User | Count |
---|---|
2675 | |
1410 | |
810 | |
702 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.