nuGeorge
New Contributor

Radius with EAP not working

Hi guys

I'm trying to set up a WPA2 Enterprise SSID pointing to my FAC which is set up as a Radius Server. If I test my radius server from the FGT with some credentials it works successfully -- however, when I do it via the SSID it just keeps coming back with the login box. I only want to do user-based authentication and not certificate-based, so I've set up the Radius service policy Authentication Type: Password > Accept EAP > PEAP(ticked). This doesn't seem to be working and I'm getting the below debug error:

 

2021-01-27T12:16:39.336588+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authclient from preloaded authclients list for 10.0.90.1: MSMC-900D (10.0.90.1)
2021-01-27T12:16:39.336594+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: authclient_id:1 auth_type:'password'
2021-01-27T12:16:39.337392+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authpolicy 'Test2' for client '10.0.90.1'
2021-01-27T12:16:39.337601+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: NAK asked for bad type 0
2021-01-27T12:16:39.337612+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: ERROR: No mutually acceptable types found
2021-01-27T12:16:39.337615+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Sending EAP Failure (code 4) ID 219 length 4
2021-01-27T12:16:39.337644+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Failed in EAP select
2021-01-27T12:16:39.337654+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) [eap] = invalid
2021-01-27T12:16:39.337657+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) } # authenticate = invalid
2021-01-27T12:16:39.337661+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Failed to authenticate the user
2021-01-27T12:16:39.337683+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Using Post-Auth-Type Reject
2021-01-27T12:16:39.337693+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-01-27T12:16:39.337698+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Post-Auth-Type REJECT {
2021-01-27T12:16:39.337750+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: Updated auth log 'test-user': 802.1x authentication failed
2021-01-27T12:16:39.337760+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: User-Name: test-user (from request)
2021-01-27T12:16:39.337768+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) [facauth] = ok
2021-01-27T12:16:39.337771+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) } # Post-Auth-Type REJECT = ok
2021-01-27T12:16:39.337775+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) Delaying response for 1.000000 seconds

oheigl
Contributor II

It seems to be a mismatch between the EAP types you selected, either on the FAC or on the client. Can you share a screenshot of your SSID configuration and the policy (Test2)?

Maybe the client is sending an EAP-TLS request, and not a PEAP. Are you entering the credentials on the client or do you use the Windows credentials? Also have a look at the Windows event log, in the wireless section.
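
An added example, not part of the original thread and not Fortinet tooling: a small Python parser that groups radiusd debug lines like those in the question by request ID and pulls out the policy, client, user and the EAP type named in the NAK, which makes an EAP method mismatch easy to spot across many requests. The function name, field names and type table are this example's own assumptions; the meaning of type 0 in a Nak comes from RFC 3748, section 5.3.1.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the debug output in the question above.
SAMPLE_LOG = """\
2021-01-27T12:16:39.337392+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: Found authpolicy 'Test2' for client '10.0.90.1'
2021-01-27T12:16:39.337601+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: NAK asked for bad type 0
2021-01-27T12:16:39.337612+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) eap: ERROR: No mutually acceptable types found
2021-01-27T12:16:39.337750+11:00 MSMC-FortiAuthenticator radiusd[11673]: (59) facauth: Updated auth log 'test-user': 802.1x authentication failed
"""

# IANA EAP method type numbers; 0 in a Nak means "no alternative" (RFC 3748, 5.3.1).
EAP_TYPES = {0: "no alternative offered", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

LINE = re.compile(r"radiusd\[\d+\]: \((?P<req>\d+)\)\s+(?P<msg>.*)$")
RULES = [  # (field name, pattern with one capture group)
    ("policy", re.compile(r"Found authpolicy '([^']*)'")),
    ("client", re.compile(r"for client '([^']*)'")),
    ("nak_type", re.compile(r"NAK asked for bad type (\d+)")),
    ("user", re.compile(r"Updated auth log '([^']*)'")),
    ("error", re.compile(r"ERROR: (.*)")),
]

def summarize_eap_failures(text):
    """Group radiusd debug lines by request id and return the failed negotiations."""
    requests = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-request radiusd line
        for field, pattern in RULES:
            hit = pattern.search(m.group("msg"))
            if hit:
                requests[m.group("req")][field] = hit.group(1)
    failures = []
    for req, info in requests.items():
        if "nak_type" not in info and "error" not in info:
            continue  # negotiation did not fail in this request
        if "nak_type" in info:
            n = int(info["nak_type"])
            info["client_wants"] = EAP_TYPES.get(n, f"EAP type {n}")
        failures.append({"request": req, **info})
    return failures

if __name__ == "__main__":
    for failure in summarize_eap_failures(SAMPLE_LOG):
        print(failure)
```

A NAK type of 13 would point to a supplicant configured for EAP-TLS; type 0, as in the question's log, means the supplicant rejected the offered method without naming one it would accept.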
