Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nuGeorge
New Contributor

Created on ‎01-26-2021 05:26 PM

Radius with EAP not working

Hi guys

 

I'm trying to set up a WPA2 Enterprise SSID pointing to my FAC which is set up as a Radius Server. If I test my radius server from the FGT with some credentials it works successfully -- however, when I do it via the SSID it just keeps coming back with the login box. I only want to do user based authentication and not certificate based, so I've set up the Radius service policy Authentication Type: Password > Accept EAP > PEAP(ticked). This doesn't seem to be working and I'm getting the below debug error:

 

2021-01-27T12:16:39.336588+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authclient from preloaded authclients list for 10.0.90.1: MSMC-900D (10.0.90.1) 2021-01-27T12:16:39.336594+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: authclient_id:1 auth_type:'password' 2021-01-27T12:16:39.337392+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authpolicy 'Test2' for client '10.0.90.1' 2021-01-27T12:16:39.337601+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: NAK asked for bad type 0 2021-01-27T12:16:39.337612+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: ERROR: No mutually acceptable types found 2021-01-27T12:16:39.337615+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Sending EAP Failure (code 4) ID 219 length 4 2021-01-27T12:16:39.337644+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Failed in EAP select 2021-01-27T12:16:39.337654+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) [eap] = invalid 2021-01-27T12:16:39.337657+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) } # authenticate = invalid 2021-01-27T12:16:39.337661+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Failed to authenticate the user 2021-01-27T12:16:39.337683+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Using Post-Auth-Type Reject 2021-01-27T12:16:39.337693+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-01-27T12:16:39.337698+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Post-Auth-Type REJECT { 2021-01-27T12:16:39.337750+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: Updated auth log 'test-user': 802.1x authentication failed 2021-01-27T12:16:39.337760+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: User-Name: test-user (from request) 2021-01-27T12:16:39.337768+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) [facauth] = ok 2021-01-27T12:16:39.337771+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) } # Post-Auth-Type REJECT = ok 2021-01-27T12:16:39.337775+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Delaying response for 1.000000 seconds

5361
0 Kudos
1 REPLY 1
oheigl
Contributor II

Created on ‎02-02-2021 12:43 PM

It seems to be a mismatch between the EAP types you selected, either on the FAC or on the client. Can you share a screenshot of your SSID configuration and the policy (Test2)?

 

Maybe the client is sending an EAP-TLS request, and not a PEAP. Are you entering the credentials on the Client or do you use the windows credentials? Also have a look at the windows event log, in the wireless section.

3702
0 Kudos
Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.