AtiT
Valued Contributor

Fortiauthenticator settings for Windows Active Directory Domain Authentication

Hi,

I want to use the Fortiauthenticator to authenticate users from LDAP (remote users) with OTP and also use it for the WiFi username/password authentication.

When the user wants to authenticate via WiFi (FortiAP) I get an error on the Fortiauthenticator:

Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only

According to the documentation the Windows Active Directory Domain Authentication should be enabled to authenticate users via Kerberos.

I tried to set this up in the lab but the Fortiauthenticator is not allowed to contact the Windows AD. The security logs show Audit Failure:

Failure Reason: Unknown user name or bad password.

How do I set up this scenario?

Should I create a Computer account for the Fortiauthenticator - if yes, should it be a member of Domain Controllers?

Can I use the administrator account or should I create another one with some special privileges?

The documentation is not clear for me.

Thank you for any help.

AtiT

4 REPLIES
ergotherego
Contributor II

"Can I use the administrator account or should I create another one with some special privileges?"

Best to use a "service account" - one just for your FAC. It can have privileges to add new machines to the domain, and this can be limited to a few machine adds to prevent overuse.

"Should I create a Computer account for the Fortiauthenticator"

The AD account you use to join the FAC to the domain should have these permissions, then that will be done automatically. Otherwise you will need to create a new machine object manually.

"if yes, should it be a member of Domain Controllers?"

Definitely not. FAC won't "push" any changes to your domain. It just needs the ability to query the domain hierarchy.

TKucera

Can anybody tell me what rights that service account needs (exactly: domain user or domain computer?), in case I create the computer object manually?

sandytechie
New Contributor

Did you get any solution? We are facing the same issue.

We are getting the "CAN'T CONNECT TO NETWORK" error in our WiFi; the proper configuration is done.

Any solution?

FlavioB
New Contributor III

AtiT wrote:

When the user wants to authenticate via WiFi (FortiAP) I get an error on the Fortiauthenticator:

Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only

Hi there... resurrecting an old thread, but it's the only reference I found. I got the same error - what is the solution for that? I've looked into LDAP config on the FAC and there's nothing related to PAP/MSCHAP (and TBH, this only rings a bell in relation to RADIUS config).

Any help will be appreciated.

Thanks,

F.
