Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eineltec
New Contributor

Having issues connecting radius server to AP

Hi.

I have FortiWifi 40F installed on my network, with a radius server for a wpa enterprise configuration.

I have installed an access point, configuring the radius server IP with the port and the secret.

Here comes the issues: when I'm trying to authenticate clients on AP, the server doesn't get any request, and the authentication fails.

I have been investigating, my server is on 192.168.100.0/24 and my access point is on 192.168.2.0/24, with the firewall policy accepting traffic between this two interfaces (ports 1 and 2 of the FortiWifi).

I have been trying connecting with another device from access point side to the server, and I have no problem with ping communication or remote access, but the radius request fails.

I have configured over FreeRadius the users and the client, pointing to the acces point IP.

And the final step: I tried with both devices on the same net (192.168.100.0/24) and surprise, everything works perfectly.

What's the matter? Configuring the wifi devices inside the DMZ is the best practise?

Maybe I would like to configure communication between 192.168.100.0/24 and 192.168.2.0/24 without filtering the requests, so the radius service can work like if both devices were in the same net.

Some suggests, can someone help me with this configuration?

Thanks in advance.

7 REPLIES 7
AEK
Honored Contributor

Hi

Please share the following:

- Ping from AP to RADIUS

- Ping from RADIUS to AP

- Test authentication when opening all traffic in your FW policy from AP to RADIUS

- Sniff on your RADIUS traffic coming from AP and traffic going to AP

 

AEK
AEK
eineltec
New Contributor

Hi

Ping from AP to RADIUS is impossible, doesn't support console commands, and connecting via SSH requests sudo permission which is not activated.

PING from RADIUS to AP is working without problems.

Test authentication locally works

eineltec_0-1664964334174.png

But with the firewall between AP and RADIUS doesn't get answer. I get this error message forcing response with the software NTRadping, with an AP request the server doesn't show any alert.

eineltec_1-1664964761058.png

This is what I think: the forti catches the AP request (192.168.2.1), and sends to my RADIUS server (192.168.100.100) but the server gets the request from the 192.168.100.200 (the IP interface of Fortigate in the 192.168.100.0/24) so it doesn't understand the client and rejects the request.

 

As I said, configuring the AP and the RADIUS in the same net (with 192.168.100.100 for RADIUS and 192.168.100.1 for AP) works without problems, the idea is to separate in different nets each device, but without this IP source change.

 

AEK
Honored Contributor

Hi Eineltec

If I understand well I think you have NAT enabled on your firewall policy.

Try disable NAT on the policy and redo the test.

Otherwise in case you need NAT then you should authorize FGT IP .200 on your RADIUS.

AEK
AEK
eineltec
New Contributor

Hi

With NAT enabled, I ping from RADIUS to AP succesfully.

Without NAT, ping doesn't get answer.

eineltec_0-1664965429225.png

How can I configure without NAT and communicate both devices? I guess the answer is near there.

 

My firewall rules:

eineltec_1-1664965501232.pngeineltec_2-1664965534486.png

My interfaces:

eineltec_3-1664965601388.png

 

AEK
Honored Contributor

Then it is definitely a routing issue.

If you configure default GW on RADIUS and AP (FGT IP) then this should fix the issue.

AEK
AEK
eineltec
New Contributor

Hi, can u guide me about how to configure this routing?

 

PD: I got a solution, configuring GW on the AP to the Forti IP interface, and indicating the client as the Forti IP interface.

But the ideal configuration would be to make this routing inside the Fortigate.

AEK
Honored Contributor

Hi

You have to configure routing on AP & server.

On AP it should be on the AP GUI.

On Linux you can do it in different ways, e.g.: via GUI with NetworkManager, or via CLI with ip route add, nmtui, nmcli, or editing files in /etc/sysconfig/network-scripts/

 

AEK
AEK
Labels
Top Kudoed Authors