Hi guys
I'm trying to set up a WPA2 Enterprise SSID pointing to my FAC, which is set up as a Radius Server. If I test my radius server from the FGT with some credentials it works successfully -- however, when I do it via the SSID it just keeps coming back with the login box. I only want to do user-based authentication and not certificate-based, so I've set up the Radius service policy Authentication Type: Password > Accept EAP > PEAP(ticked). This doesn't seem to be working and I'm getting the below debug error:
2021-01-27T12:16:39.336588+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authclient from preloaded authclients list for 10.0.90.1: MSMC-900D (10.0.90.1)
2021-01-27T12:16:39.336594+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: authclient_id:1 auth_type:'password'
2021-01-27T12:16:39.337392+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authpolicy 'Test2' for client '10.0.90.1'
2021-01-27T12:16:39.337601+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: NAK asked for bad type 0
2021-01-27T12:16:39.337612+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: ERROR: No mutually acceptable types found
2021-01-27T12:16:39.337615+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Sending EAP Failure (code 4) ID 219 length 4
2021-01-27T12:16:39.337644+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Failed in EAP select
2021-01-27T12:16:39.337654+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) [eap] = invalid
2021-01-27T12:16:39.337657+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) } # authenticate = invalid
2021-01-27T12:16:39.337661+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Failed to authenticate the user
2021-01-27T12:16:39.337683+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Using Post-Auth-Type Reject
2021-01-27T12:16:39.337693+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-01-27T12:16:39.337698+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Post-Auth-Type REJECT {
2021-01-27T12:16:39.337750+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: Updated auth log 'test-user': 802.1x authentication failed
2021-01-27T12:16:39.337760+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: User-Name: test-user (from request)
2021-01-27T12:16:39.337768+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) [facauth] = ok
2021-01-27T12:16:39.337771+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) } # Post-Auth-Type REJECT = ok
2021-01-27T12:16:39.337775+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Delaying response for 1.000000 seconds
It seems to be a mismatch between the EAP types you selected, either on the FAC or on the client. Can you share a screenshot of your SSID configuration and the policy (Test2)?
Maybe the client is sending an EAP-TLS request, and not a PEAP. Are you entering the credentials on the client or do you use the Windows credentials? Also have a look at the Windows event log, in the wireless section.
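Added example, not part of the thread and not Fortinet code: a small triage script that groups radiusd debug lines like the ones quoted above by request number and reports every request that failed EAP method negotiation, with the policy, client, user and NAK type involved. The sample input is constructed from the messages in the question; the function name and output fields are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: message texts taken from the debug output in the question,
# each given the same constructed timestamp/host prefix to keep the lines short.
PREFIX = "2021-01-27T12:16:39.337601+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) "
SAMPLE = "\n".join(PREFIX + msg for msg in [
    "eap: Found authpolicy 'Test2' for client '10.0.90.1'",
    "eap: NAK asked for bad type 0",
    "eap: ERROR: No mutually acceptable types found",
    "eap: Sending EAP Failure (code 4) ID 219 length 4",
    "facauth: User-Name: test-user (from request)",
    "Post-Auth-Type REJECT {",
])

LINE = re.compile(r"radiusd\[\d+\]: \((\d+)\) +(.*)$")   # request number, message
POLICY = re.compile(r"Found authpolicy '([^']+)' for client '([^']+)'")
NAK = re.compile(r"NAK asked for bad type (\d+)")
USER = re.compile(r"User-Name: (\S+)")

def triage(log_text):
    """Return one finding per request that ended in an EAP type mismatch."""
    reqs = defaultdict(dict)
    for raw in log_text.splitlines():
        line = LINE.search(raw)
        if not line:
            continue  # not a radiusd request line
        info, msg = reqs[int(line.group(1))], line.group(2)
        if m := POLICY.search(msg):
            info["policy"], info["client"] = m.groups()
        elif m := NAK.search(msg):
            info["nak_type"] = int(m.group(1))
        elif m := USER.search(msg):
            info["user"] = m.group(1)
        elif "No mutually acceptable types found" in msg:
            info["eap_mismatch"] = True
    findings = []
    for req, info in sorted(reqs.items()):
        if not info.get("eap_mismatch"):
            continue
        nak = info.get("nak_type")
        # RFC 3748 5.3.1: type 0 in a NAK means the peer has no viable alternative.
        hint = ("peer rejected the offered method and proposed no alternative"
                if nak == 0 else f"peer proposed EAP type {nak}")
        findings.append({"request": req, "user": info.get("user"),
                         "policy": info.get("policy"), "client": info.get("client"),
                         "nak_type": nak, "hint": hint})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `nak_type` 0 points at the supplicant's configured EAP method rather than at the user's password, which matches the suggestion to check the client settings and the Windows event log.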