Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rcpdkc
Contributor II

Fortinac Mschap2 Connection

I have SSID verification on fortigate firewall with Fortinac radius. I have a problem like this. Although there is mschapv2 in the radius settings, a user in the domain joins the network without any problems, while the user I created as a guest in the Fortinac interface Credentials Invalid (MSCHAP2) error, what is the reason for this?

 

1.PNG2.PNG

1 Solution
ebilcari

There have been some recent changes about this request and if you run the latest version of FNAC in 9.4 or 7.2 now it is possible.

The feature is disabled by default but it can be enabled from CLI running the following command:

> globaloptiontool -name "localRadiusServer.mschapV2LocalUserAuth" -set true

(In case of FNAC-F first run # execute enter)

 

This will add a control in the Add/Edit user view (Under Additional Details) that can be enabled for specific users: "RADIUS - Local Password Validation (MSCHAPv2)"

mschaplocal.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

11 REPLIES 11
Sx11
Staff
Staff

Hi rcpdkc,

 

have you performed the domain join and enabled winbind?

Winbind is needed in order to perform mschapv2 authentication.

 

Please double-check the steps in the guide and KB below

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/670285/local-winbind-configur...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-MSCHAPv2-authentication-join-FortiNAC-in-do...

 

Regards

sx11
rcpdkc
Contributor II


@Sx11 wrote:

Hi rcpdkc,

 

have you performed the domain join and enabled winbind?

Winbind is needed in order to perform mschapv2 authentication.

 

Please double-check the steps in the guide and KB below

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/670285/local-winbind-configur...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-MSCHAPv2-authentication-join-FortiNAC-in-do...

 

Regards


In fact, when you make the authentication type TTLS on android devices, fortinac local users are included in the network. However, I could not find how to use TTLS instead of mschap when connecting to a wpa2 network on the ios side.

ebilcari

Since MSCHAPv2 uses challenges instead of passwords, FNAC uses Winbind to check these challenges with Active directory. The guest accounts are local accounts in FNAC and there is no procedure in place to check these challenges for the local accounts. It is doable but because this is not a common use case it is not included in FNAC.

EAP-TTLS will use PAP (password) instead of challenges and that's explain why the authentication succeeds in this case.

Since you are manually creating this guest accounts (more like contractors) and you want to use PEAP, than the easiest way is to include these accounts in your AD and limit their privileges.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ebilcari

There have been some recent changes about this request and if you run the latest version of FNAC in 9.4 or 7.2 now it is possible.

The feature is disabled by default but it can be enabled from CLI running the following command:

> globaloptiontool -name "localRadiusServer.mschapV2LocalUserAuth" -set true

(In case of FNAC-F first run # execute enter)

 

This will add a control in the Add/Edit user view (Under Additional Details) that can be enabled for specific users: "RADIUS - Local Password Validation (MSCHAPv2)"

mschaplocal.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
AEK
Honored Contributor II

@rcpdkc , I deployed FNAC several times  but honestly I never thought that any company may use WPA2 Enterprise for guests (probably companies that I know don't have this need).

In fact those companies usually have one SSID for Corp users with WPA2 Enterprise,  and another SSID for guests: WPA2, followed by FNAC portal, or even not controlled by FNAC since usually they don't want consume license for guests. In fact by definition for me I don't think guests really need WPA2 Enterprise.

However now as I read your question I think this may exist and should exist. I'll advise if I find something about that.

AEK
AEK
rcpdkc
Contributor II

Actually, what you say is true. It doesn't make sense to consume the licence in this way. Apart from Fortinac, how do you think I can verify? Is there any software or device you can recommend for user registration and login process?

rcpdkc
Contributor II

How can I assign a guest user to quarantine when they join a wi-fi network and then to guest vlana when they authenticate on the fortinac portal

AEK
Honored Contributor II

Regarding guest registration when you don't need to control it with FortiNAC, know that many WLC already has this feature embedded, like FortiGate, Aruba and so.

Regarding your second question, in case some BYOD device can access to Corp WiFi because he has AD credentials, here you can add an access policy to put such device in dead end because actually a BYOD host has nothing to do in Corp SSID. I think this makes sense, right?

That's how companies usually do.

Keep in mind before deploying NAC solution you need to stay with security manager and try build with him the access policies according with their requirements.

AEK
AEK
rcpdkc
Contributor II

So where does it make sense to create guest users? Fortinac? Windows ad? Fortigate firewall?

Labels
Top Kudoed Authors