I have SSID verification on fortigate firewall with Fortinac radius. I have a problem like this. Although there is mschapv2 in the radius settings, a user in the domain joins the network without any problems, while the user I created as a guest in the Fortinac interface Credentials Invalid (MSCHAP2) error, what is the reason for this?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
There have been some recent changes about this request and if you run the latest version of FNAC in 9.4 or 7.2 now it is possible.
The feature is disabled by default but it can be enabled from CLI running the following command:
> globaloptiontool -name "localRadiusServer.mschapV2LocalUserAuth" -set true
(In case of FNAC-F first run # execute enter)
This will add a control in the Add/Edit user view (Under Additional Details) that can be enabled for specific users: "RADIUS - Local Password Validation (MSCHAPv2)"
Hi rcpdkc,
have you performed the domain join and enabled winbind?
Winbind is needed in order to perform mschapv2 authentication.
Please double-check the steps in the guide and KB below
Regards
@Hatibi wrote:Hi rcpdkc,
have you performed the domain join and enabled winbind?
Winbind is needed in order to perform mschapv2 authentication.
Please double-check the steps in the guide and KB below
Regards
In fact, when you make the authentication type TTLS on android devices, fortinac local users are included in the network. However, I could not find how to use TTLS instead of mschap when connecting to a wpa2 network on the ios side.
Since MSCHAPv2 uses challenges instead of passwords, FNAC uses Winbind to check these challenges with Active directory. The guest accounts are local accounts in FNAC and there is no procedure in place to check these challenges for the local accounts. It is doable but because this is not a common use case it is not included in FNAC.
EAP-TTLS will use PAP (password) instead of challenges and that's explain why the authentication succeeds in this case.
Since you are manually creating this guest accounts (more like contractors) and you want to use PEAP, than the easiest way is to include these accounts in your AD and limit their privileges.
There have been some recent changes about this request and if you run the latest version of FNAC in 9.4 or 7.2 now it is possible.
The feature is disabled by default but it can be enabled from CLI running the following command:
> globaloptiontool -name "localRadiusServer.mschapV2LocalUserAuth" -set true
(In case of FNAC-F first run # execute enter)
This will add a control in the Add/Edit user view (Under Additional Details) that can be enabled for specific users: "RADIUS - Local Password Validation (MSCHAPv2)"
@rcpdkc , I deployed FNAC several times but honestly I never thought that any company may use WPA2 Enterprise for guests (probably companies that I know don't have this need).
In fact those companies usually have one SSID for Corp users with WPA2 Enterprise, and another SSID for guests: WPA2, followed by FNAC portal, or even not controlled by FNAC since usually they don't want consume license for guests. In fact by definition for me I don't think guests really need WPA2 Enterprise.
However now as I read your question I think this may exist and should exist. I'll advise if I find something about that.
Actually, what you say is true. It doesn't make sense to consume the licence in this way. Apart from Fortinac, how do you think I can verify? Is there any software or device you can recommend for user registration and login process?
How can I assign a guest user to quarantine when they join a wi-fi network and then to guest vlana when they authenticate on the fortinac portal
Regarding guest registration when you don't need to control it with FortiNAC, know that many WLC already has this feature embedded, like FortiGate, Aruba and so.
Regarding your second question, in case some BYOD device can access to Corp WiFi because he has AD credentials, here you can add an access policy to put such device in dead end because actually a BYOD host has nothing to do in Corp SSID. I think this makes sense, right?
That's how companies usually do.
Keep in mind before deploying NAC solution you need to stay with security manager and try build with him the access policies according with their requirements.
So where does it make sense to create guest users? Fortinac? Windows ad? Fortigate firewall?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.