Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eineltec
New Contributor

Created on ‎10-05-2022 01:53 AM

Having issues connecting radius server to AP

Hi.

I have FortiWifi 40F installed on my network, with a radius server for a wpa enterprise configuration.

I have installed an access point, configuring the radius server IP with the port and the secret.

Here comes the issues: when I'm trying to authenticate clients on AP, the server doesn't get any request, and the authentication fails.

I have been investigating, my server is on 192.168.100.0/24 and my access point is on 192.168.2.0/24, with the firewall policy accepting traffic between this two interfaces (ports 1 and 2 of the FortiWifi).

I have been trying connecting with another device from access point side to the server, and I have no problem with ping communication or remote access, but the radius request fails.

I have configured over FreeRadius the users and the client, pointing to the acces point IP.

And the final step: I tried with both devices on the same net (192.168.100.0/24) and surprise, everything works perfectly.

What's the matter? Configuring the wifi devices inside the DMZ is the best practise?

Maybe I would like to configure communication between 192.168.100.0/24 and 192.168.2.0/24 without filtering the requests, so the radius service can work like if both devices were in the same net.

Some suggests, can someone help me with this configuration?

Thanks in advance.

Labels:
2478
0 Kudos
7 REPLIES 7
AEK
SuperUser
SuperUser

Created on ‎10-05-2022 02:55 AM

Hi

Please share the following:

- Ping from AP to RADIUS

- Ping from RADIUS to AP

- Test authentication when opening all traffic in your FW policy from AP to RADIUS

- Sniff on your RADIUS traffic coming from AP and traffic going to AP

 

AEK
AEK
2468
0 Kudos
eineltec
New Contributor
In response to AEK

Created on ‎10-05-2022 03:15 AM

Hi

Ping from AP to RADIUS is impossible, doesn't support console commands, and connecting via SSH requests sudo permission which is not activated.

PING from RADIUS to AP is working without problems.

Test authentication locally works

eineltec_0-1664964334174.png

But with the firewall between AP and RADIUS doesn't get answer. I get this error message forcing response with the software NTRadping, with an AP request the server doesn't show any alert.

eineltec_1-1664964761058.png

This is what I think: the forti catches the AP request (192.168.2.1), and sends to my RADIUS server (192.168.100.100) but the server gets the request from the 192.168.100.200 (the IP interface of Fortigate in the 192.168.100.0/24) so it doesn't understand the client and rejects the request.

 

As I said, configuring the AP and the RADIUS in the same net (with 192.168.100.100 for RADIUS and 192.168.100.1 for AP) works without problems, the idea is to separate in different nets each device, but without this IP source change.

 

2467
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎10-05-2022 03:19 AM

Hi Eineltec

If I understand well I think you have NAT enabled on your firewall policy.

Try disable NAT on the policy and redo the test.

Otherwise in case you need NAT then you should authorize FGT IP .200 on your RADIUS.

AEK
AEK
2466
0 Kudos
eineltec
New Contributor
In response to AEK

Created on ‎10-05-2022 03:26 AM

Hi

With NAT enabled, I ping from RADIUS to AP succesfully.

Without NAT, ping doesn't get answer.

eineltec_0-1664965429225.png

How can I configure without NAT and communicate both devices? I guess the answer is near there.

 

My firewall rules:

eineltec_1-1664965501232.pngeineltec_2-1664965534486.png

My interfaces:

eineltec_3-1664965601388.png

 

2465
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎10-05-2022 03:30 AM

Then it is definitely a routing issue.

If you configure default GW on RADIUS and AP (FGT IP) then this should fix the issue.

AEK
AEK
2462
0 Kudos
eineltec
New Contributor
In response to AEK

Created on ‎10-05-2022 03:41 AM Edited on ‎10-05-2022 03:45 AM

Hi, can u guide me about how to configure this routing?

 

PD: I got a solution, configuring GW on the AP to the Forti IP interface, and indicating the client as the Forti IP interface.

But the ideal configuration would be to make this routing inside the Fortigate.

2460
0 Kudos
AEK
SuperUser
SuperUser
In response to eineltec

Created on ‎10-05-2022 05:01 AM

Hi

You have to configure routing on AP & server.

On AP it should be on the AP GUI.

On Linux you can do it in different ways, e.g.: via GUI with NetworkManager, or via CLI with ip route add, nmtui, nmcli, or editing files in /etc/sysconfig/network-scripts/

 

AEK
AEK
2435
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.