If the Peer-ID/Password pair received in an Authenticate-Request is not recognizable or acceptable, then the authenticator MUST transmit a PAP packet with the Code field set to 3 (Authenticate-Nak), and SHOULD take action to terminate the link.
So, I know that, in some way, the Forti is sending wrong credentials to my ISP, because I changed the patch cord to the TP-Link and it connects in a few seconds. And the TP-Link didn't need any special setting: out of the box, just user and password.
Questions: what can I do to see what the FortiGate is sending to the ISP? Whether or not it is sending the password, and, if it is sending the password, how it is sending it.
And, of course, what can I do to make it work?
This is the config of my WAN interface. I changed the MTU to 1480 because, out of the box, the TP-Link uses that value and it works fine:
FortiGate-60E (wan2) # show full-configuration
config system interface
    edit "wan2"
        set vdom "root"
        set vrf 0
        set fortilink disable
        set mode pppoe
        set distance 5
        set priority 0
        set dhcp-relay-service disable
        set allowaccess ping fgfm
        set fail-detect disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set ingress-shaping-profile ''
        set disconnect-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set device-identification disable
        set lldp-reception vdom
        set lldp-transmission vdom
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set measured-upstream-bandwidth 0
        set measured-downstream-bandwidth 0
        set bandwidth-measure-time 0
        set monitor-bandwidth disable
        set vrrp-virtual-mac disable
        set role wan
        set snmp-index 2
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set switch-controller-mgmt-vlan 4094
        set switch-controller-igmp-snooping-proxy disable
        set switch-controller-igmp-snooping-fast-leave disable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set vrrp-virtual-mac6 disable
            set vrip6_link_local ::
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set ipunnumbered 0.0.0.0
        set username "*MyUser*"
        set password ENC *password*
        set idle-timeout 0
        set disc-retry-timeout 1
        set padt-retry-timeout 1
        set service-name ''
        set ac-name ''
        set lcp-echo-interval 5
        set lcp-max-echo-fails 3
        set defaultgw enable
        set dns-server-override enable
        set auth-type auto
        set speed auto
        set mtu-override enable
        set mtu 1480
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end
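To answer the "what is the FortiGate actually sending" question from a packet capture of the WAN link, here is an added example (not from this thread, not Fortinet code) in Python that decodes PAP packets carried in PPPoE session frames per RFC 2516 and RFC 1334, telling an Authenticate-Request apart from the ISP's Ack/Nak and showing whether a password was included. The two sample frames, MAC addresses, username and password are constructed for the example, not taken from a real capture; because PAP sends the password in the clear, the decoder reports only its length.

```python
import struct

# Constants from RFC 2516 (PPPoE) and RFC 1334 (PAP)
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTOCOL_PAP = 0xC023
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}


def parse_pap_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying a PAP packet inside a PPPoE session."""
    if len(frame) < 26:  # Ethernet(14) + PPPoE(6) + PPP protocol(2) + PAP header(4)
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError(f"not a PPPoE session frame (ethertype 0x{ethertype:04x})")
    vertype, pcode, session_id, plen = struct.unpack("!BBHH", frame[14:20])
    ppp = frame[20:20 + plen]  # PPP payload: 2-byte protocol, then the PAP packet
    proto = struct.unpack("!H", ppp[:2])[0]
    if proto != PPP_PROTOCOL_PAP:
        raise ValueError(f"PPP protocol 0x{proto:04x} is not PAP")
    code, ident, length = struct.unpack("!BBH", ppp[2:6])
    body = ppp[6:2 + length]  # PAP Length covers the 4-byte header too
    info = {"session_id": session_id, "id": ident, "code": PAP_CODES.get(code, f"unknown({code})")}
    if code == 1:
        # Peer-ID and Password are length-prefixed octet strings sent in the clear;
        # only the password length is reported so this output can be logged safely.
        pid_len = body[0]
        pw_len = body[1 + pid_len] if len(body) > 1 + pid_len else -1
        if pw_len < 0 or len(body) < 2 + pid_len + pw_len:
            raise ValueError("truncated Authenticate-Request")
        info["peer_id"] = body[1:1 + pid_len].decode("utf-8", "replace")
        info["password_len"] = pw_len
    else:
        # Ack and Nak carry a length-prefixed, human-readable Message
        msg_len = body[0]
        info["message"] = body[1:1 + msg_len].decode("utf-8", "replace")
    return info


def build_sample_frames():
    """Constructed frames (not a real capture): a client Request and the ISP's Nak."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    def wrap(pap: bytes) -> bytes:
        ppp = struct.pack("!H", PPP_PROTOCOL_PAP) + pap
        return eth + struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp)) + ppp
    peer, pw = b"user@isp.example", b"hunter2"
    req_body = bytes([len(peer)]) + peer + bytes([len(pw)]) + pw
    request = struct.pack("!BBH", 1, 7, 4 + len(req_body)) + req_body
    msg = b"Authentication failed"
    nak = struct.pack("!BBH", 3, 7, 5 + len(msg)) + bytes([len(msg)]) + msg
    return wrap(request), wrap(nak)
```

A Request with a non-zero password length followed by a Nak means the credentials were sent and the ISP rejected them; a Request that never appears points at the LCP stage (or CHAP being negotiated instead) rather than at the password itself.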
Well... there definitely must be something wrong with FortiGates and the way they try to connect using PPPoE.
I use the plural because I tested with a FortiGate 200D and it behaves the same. It fails every time, just like the FGT 60E.
I don't know what it is. But cheap TP-Links can connect with PPPoE out of the box by just entering username and password, and two FortiGates can't connect. Authentication fails again and again.
The FGT 60e is running version 6.4.5.
The FGT 200d is running 6.0.9 (the last version that supports that hardware).
Again, any help or clue will be welcome.