Hi.
I have FortiWifi 40F installed on my network, with a radius server for a wpa enterprise configuration.
I have installed an access point, configuring the radius server IP with the port and the secret.
Here come the issues: when I'm trying to authenticate clients on the AP, the server doesn't get any request, and the authentication fails.
I have been investigating: my server is on 192.168.100.0/24 and my access point is on 192.168.2.0/24, with the firewall policy accepting traffic between these two interfaces (ports 1 and 2 of the FortiWifi).
I have tried connecting with another device from the access point side to the server, and I have no problem with ping communication or remote access, but the radius request fails.
I have configured over FreeRadius the users and the client, pointing to the access point IP.
And the final step: I tried with both devices on the same net (192.168.100.0/24) and surprise, everything works perfectly.
What's the matter? Is configuring the wifi devices inside the DMZ the best practice?
Maybe I would like to configure communication between 192.168.100.0/24 and 192.168.2.0/24 without filtering the requests, so the radius service can work as if both devices were in the same net.
Any suggestions? Can someone help me with this configuration?
Thanks in advance.
Hi
Please share the following:
- Ping from AP to RADIUS
- Ping from RADIUS to AP
- Test authentication when opening all traffic in your FW policy from AP to RADIUS
- Sniff on your RADIUS traffic coming from AP and traffic going to AP
Hi
Ping from AP to RADIUS is impossible; it doesn't support console commands, and connecting via SSH requires sudo permission, which is not activated.
PING from RADIUS to AP is working without problems.
Test authentication locally works
But with the firewall between AP and RADIUS it doesn't get an answer. I get this error message when forcing a response with the software NTRadping; with an AP request the server doesn't show any alert.
This is what I think: the forti catches the AP request (192.168.2.1) and sends it to my RADIUS server (192.168.100.100), but the server gets the request from 192.168.100.200 (the IP of the Fortigate interface in 192.168.100.0/24), so it doesn't recognise the client and rejects the request.
As I said, configuring the AP and the RADIUS in the same net (with 192.168.100.100 for RADIUS and 192.168.100.1 for AP) works without problems, the idea is to separate in different nets each device, but without this IP source change.
Hi Eineltec
If I understand well I think you have NAT enabled on your firewall policy.
Try disable NAT on the policy and redo the test.
Otherwise in case you need NAT then you should authorize FGT IP .200 on your RADIUS.
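The behaviour described in the two posts above (the server silently drops the request once the firewall's source NAT rewrites the source address to .200, and works again when the .200 address is added as a client) follows from how a RADIUS server identifies its clients: by the source IP of the UDP datagram, not by anything inside the packet. The following is an added example, not FreeRADIUS code or anything from the original thread; it builds a constructed Access-Request and runs it through a lookup that mimics `clients.conf` matching with the thread's addresses. The shared secrets and the user name are constructed values.

```python
"""Model of how a RADIUS server picks a client (NAS) by UDP source address,
and why source NAT on a firewall between AP and server breaks authentication.
Added example; not FreeRADIUS code. IPs are from the forum thread; secrets,
user name and packet contents are constructed."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


def build_access_request(identifier: int, user_name: str, nas_ip: str) -> bytes:
    """Build a minimal Access-Request: 20-byte header + User-Name + NAS-IP-Address."""
    authenticator = os.urandom(16)  # Request Authenticator is random per RFC 2865
    name = user_name.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, request_authenticator, {attr_type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    attrs = {}
    i = 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return code, ident, packet[4:20], attrs


def lookup_client(clients: dict, src_ip: str):
    """Mimic clients.conf: the first client whose ipaddr/prefix contains the
    datagram's source address wins. A bare address behaves like a /32."""
    src = ipaddress.ip_address(src_ip)
    for prefix, secret in clients.items():
        if src in ipaddress.ip_network(prefix, strict=False):
            return secret
    return None


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: str) -> bytes:
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret): the secret is what
    binds a reply to the client entry that matched the source address."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret.encode()).digest()


def handle_datagram(clients: dict, src_ip: str, packet: bytes) -> str:
    """Decide what the server does with a datagram arriving from src_ip."""
    secret = lookup_client(clients, src_ip)
    if secret is None:
        # This is the silent drop seen in the thread: no reply, no auth attempt logged.
        return f"ignored: unknown client {src_ip}"
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return f"ignored: unexpected code {code}"
    nas_ip = str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP_ADDRESS])) if ATTR_NAS_IP_ADDRESS in attrs else "?"
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    return f"processing: id={ident} user={user} nas-ip-attr={nas_ip} matched-by-source={src_ip}"


if __name__ == "__main__":
    pkt = build_access_request(7, "alice", "192.168.2.1")
    only_ap = {"192.168.2.1": "ap-secret"}
    print(handle_datagram(only_ap, "192.168.2.1", pkt))        # NAT off: source is the AP
    print(handle_datagram(only_ap, "192.168.100.200", pkt))    # NAT on: source is the FGT
    with_fgt = {"192.168.2.1": "ap-secret", "192.168.100.200": "fgt-secret"}
    print(handle_datagram(with_fgt, "192.168.100.200", pkt))   # NAT on, FGT added as client
```

Note that the NAS-IP-Address attribute still says 192.168.2.1 in the NAT case; the server ignores it for client matching, which is why adding the firewall's .200 address as a client (or disabling NAT so the source stays 192.168.2.1) is what makes the request reach the authentication stage.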
Hi
With NAT enabled, I ping from RADIUS to AP successfully.
Without NAT, ping doesn't get an answer.
How can I configure without NAT and communicate both devices? I guess the answer is near there.
My firewall rules:
My interfaces:
Then it is definitely a routing issue.
If you configure default GW on RADIUS and AP (FGT IP) then this should fix the issue.
Created on 10-05-2022 03:41 AM Edited on 10-05-2022 03:45 AM
Hi, can you guide me about how to configure this routing?
PD: I got a solution, configuring GW on the AP to the Forti IP interface, and indicating the client as the Forti IP interface.
But the ideal configuration would be to make this routing inside the Fortigate.
Hi
You have to configure routing on AP & server.
On AP it should be on the AP GUI.
On Linux you can do it in different ways, e.g.: via GUI with NetworkManager, or via CLI with ip route add, nmtui, nmcli, or editing files in /etc/sysconfig/network-scripts/