Hello,
I need to acheive the below scenario using Fortiauthenticator.
SSID with self registeration captive portal, user register their devices.
After device registeration, users should not login using their credentials, they should be automatically authorized by their MAC (previously registered)
To achevice them, I have configured the following:
1- SSID with MAC filtering and automatice vlan asignment.
2- radius policy on FAC for mac authorization.
3- authorized macs should be granted access to the network (succeeded)
4- unauthorized MACs : send access accept with the known three attributes to assign the host to a specific vlan (tunnel-type=vlan, tunnel-medium-type=ieee 802, tunnel-private-group-id=vlan-id (171)). This configured in the authentication policy which give the option to set "radius authentication response" to access accept for unauthorized MACs and to configure the attributes to be sent.
5- On Fortigate I have configured subinterface of the ssid (vlan-171), with extenral captive portal directed to FAC.
in the self registration portal, i enabled device tracking so that users can register their devices. I have configured to place the registered devices in a user gourp (which is used as authorized group in the authentication policy)(
Results:
when a user is connected for the first time nothing happens, I see from packet capture that radius requests is sent to FAC, in FAC debugs I see that the mac is unathorized, but the access accept is not sent as I need.
Another approach:
configure the ssid with external captive portal.
the portal has self registeration enabled.
in the portal policy i select mac authorization.
results:
authorized macs are successfully logined to the network.
unauthorized mac are presented a replacement message that their mac is not authorized, but not presented the option to go to the self registration page. :(
Solved! Go to Solution.
So the link I provided outlines how to provide Guest access exactly as you are doing. However it does not rely on MAB (insecure) and allows you to set an indefinite timeout so users are not presented a login page after initial registration. It also doesn't require complex config on the Fortigate with subinterfaces and dynamic VLAN assignment, etc.
To answer your question possibly the issue is that the SSID does not use WPA2-Enterprise which fully supports RADIUS CoA. With Open auth, client receives an IP and authenticates to the network after RADIUS attributes can be passed. There is no way to automatically disconnect the endpoint in this way. I'm not an expert so someone may correct me, but I'm fairly certain with FortiAuthenticator and captive portal you cannot do dynamic VLAN assignment. Please review the above doc for a better way to do Guest Wi-Fi and slef-service registration.
Can you post screen shots of your SSID config and your Portal and Portal Policy configs?
Why do you have captive portal configured on VLAN 171? Isn't this the VLAN assigned to unauthorized MACs that have already passed through a portal?
Also have you considered going about this a different way? MAC authentication is not secure especially in an open network with no encryption. Can you not just authenticate users using 802.1x and EAP-TLS or some other secure protocol? https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/324669/assigning-wifi-users-to-...
There's also Smart Connect profiles which might suit you: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/771048/wifi-onboarding-using-fo...
Hello Graham,
Please find the answers below:
Why do you have captive portal configured on VLAN 171? Isn't this the VLAN assigned to unauthorized MACs that have already passed through a portal?
I need unauthorized macs to fall to vlan 171 to be able to register their devices using self registration portal . upon registration they should be placed in group (myd_group), this is the authorized group in my authentication policy , so that next time the same registered device associate to the SSID it should be granted access.
I dont want to use dot1x as this scenario is intended for guest users.
Please find attached the screenshots.
Notes:
the ssid interface name is "fortip (portal)", with security mode set to open with mac filtering.
the sub interface 171 security mode is set to captive portal.
Created on 11-21-2022 09:40 AM Edited on 11-21-2022 09:40 AM
It sounds like you are over-complicating matters here. Would the following configuration work for your specific use-case? It allows guests to register and connect to the network but avoids the complexity of MAB and sub-interfaces and multiple steps.
I never wanted to over complicate things, it is a buisness requirment. I was requested that users should not be presendted login page after they registered their devices. So, we are talking about a use case here.
Any clue why the RADIUs accept message and RADIUS attributes are not sent back to the unauthorized MACs?
So the link I provided outlines how to provide Guest access exactly as you are doing. However it does not rely on MAB (insecure) and allows you to set an indefinite timeout so users are not presented a login page after initial registration. It also doesn't require complex config on the Fortigate with subinterfaces and dynamic VLAN assignment, etc.
To answer your question possibly the issue is that the SSID does not use WPA2-Enterprise which fully supports RADIUS CoA. With Open auth, client receives an IP and authenticates to the network after RADIUS attributes can be passed. There is no way to automatically disconnect the endpoint in this way. I'm not an expert so someone may correct me, but I'm fairly certain with FortiAuthenticator and captive portal you cannot do dynamic VLAN assignment. Please review the above doc for a better way to do Guest Wi-Fi and slef-service registration.
Hi Graham,
I agree with you about the CoA. However, I am not hoping for any CoA at this point.
I just need to see the access accept packet being returned to Fortigate upon unAuthrized MACs. Please take into consieration that when I manually added on MAC to the authorized group, the access accept packet was successfully sent to Fortigate with the three attribute and the client successfully moved to the reuired subinterface.
However, for unauthrized MAC, I noted that FAC does not return any thing (not an access accept nor an access reject). No response at all.
If we just ignored the fact that I need this for guest access, but it liked the feature that you can send a crafted access response to unauthorized mac, this would be useful in other scenarios as well. But why is it not working?
It's hard to say why it's not working. My instinct tells me it's just not something we can do with captive portal, dynamic VLAN assignment, and MAB. As mentioned already there are better ways of doing what you want to do. But if you really want to figure out this way you can post your FAC debugs and see what we see...
1- successful attempt (after manually adding the mac to group)
2022-11-24T18:00:23.180140+02:00 FortiAuthenticator radiusd[29573]: Waking up in 0.6 seconds.
2022-11-24T18:00:23.180314+02:00 FortiAuthenticator radiusd[29573]: (0) Received Access-Request Id 21 from 192.168.8.113:5160 to 192.168.200.5:1812 length 217
2022-11-24T18:00:23.180337+02:00 FortiAuthenticator radiusd[29573]: (0) User-Name = "F8-94-C2-0D-84-FF"
2022-11-24T18:00:23.180345+02:00 FortiAuthenticator radiusd[29573]: (0) User-Password: ******
2022-11-24T18:00:23.180354+02:00 FortiAuthenticator radiusd[29573]: (0) Calling-Station-Id = "F8-94-C2-0D-84-FF"
2022-11-24T18:00:23.180362+02:00 FortiAuthenticator radiusd[29573]: (0) NAS-IP-Address = 0.0.0.0
2022-11-24T18:00:23.180370+02:00 FortiAuthenticator radiusd[29573]: (0) NAS-Identifier = "172.16.21.2/5246-portal"
2022-11-24T18:00:23.180379+02:00 FortiAuthenticator radiusd[29573]: (0) Called-Station-Id = "E8-1C-BA-61-92-10:fortip"
2022-11-24T18:00:23.180390+02:00 FortiAuthenticator radiusd[29573]: (0) NAS-Port-Type = Wireless-802.11
2022-11-24T18:00:23.180399+02:00 FortiAuthenticator radiusd[29573]: (0) Service-Type = Call-Check
2022-11-24T18:00:23.180406+02:00 FortiAuthenticator radiusd[29573]: (0) Fortinet-SSID = "fortip"
2022-11-24T18:00:23.180592+02:00 FortiAuthenticator radiusd[29573]: (0) Fortinet-AP-Name = "FP221E5518099R2D"
2022-11-24T18:00:23.180610+02:00 FortiAuthenticator radiusd[29573]: (0) Message-Authenticator = 0x4b51504120eaf9fdb569f9733661014a
2022-11-24T18:00:23.180627+02:00 FortiAuthenticator radiusd[29573]: (0) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-11-24T18:00:23.180702+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: ===>NAS IP:192.168.8.113
2022-11-24T18:00:23.180715+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: ===>Username:F8-94-C2-0D-84-FF
2022-11-24T18:00:23.180729+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: ===>Timestamp:1669305623.180721, age:0ms
2022-11-24T18:00:23.182137+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: Found authclient from preloaded authclients list for 192.168.8.113: office (192.168.8.113)
2022-11-24T18:00:23.185131+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: Found authpolicy 'mac auth' for client '192.168.8.113'
2022-11-24T18:00:23.186945+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: Setting 'Auth-Type := CSID'
2022-11-24T18:00:23.186974+02:00 FortiAuthenticator radiusd[29573]: Not doing PAP as Auth-Type is already set.
2022-11-24T18:00:23.186996+02:00 FortiAuthenticator radiusd[29573]: (0) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-11-24T18:00:23.188699+02:00 FortiAuthenticator radiusd[29573]: (0) facauth: Unauthorized MAC: MAC address not filtered by NAS: 'f894c20d84ff'
2022-11-24T18:00:23.851306+02:00 FortiAuthenticator radiusd[29573]: Waking up in 0.9 seconds.
2022-11-24T18:00:24.855276+02:00 FortiAuthenticator radiusd[29573]: Waking up in 1.4 seconds.
2022-11-24T18:00:25.244775+02:00 FortiAuthenticator radiusd[29573]: Waking up in 0.6 seconds.
2022-11-24T18:00:25.244880+02:00 FortiAuthenticator radiusd[29573]: (1) Received Access-Request Id 22 from 192.168.8.113:5160 to 192.168.200.5:1812 length 217
2022-11-24T18:00:25.244892+02:00 FortiAuthenticator radiusd[29573]: (1) User-Name = "F8-94-C2-0D-84-FF"
2022-11-24T18:00:25.244899+02:00 FortiAuthenticator radiusd[29573]: (1) User-Password: ******
2022-11-24T18:00:25.244907+02:00 FortiAuthenticator radiusd[29573]: (1) Calling-Station-Id = "F8-94-C2-0D-84-FF"
2022-11-24T18:00:25.244919+02:00 FortiAuthenticator radiusd[29573]: (1) NAS-IP-Address = 0.0.0.0
2022-11-24T18:00:25.244927+02:00 FortiAuthenticator radiusd[29573]: (1) NAS-Identifier = "172.16.21.2/5246-portal"
2022-11-24T18:00:25.244935+02:00 FortiAuthenticator radiusd[29573]: (1) Called-Station-Id = "E8-1C-BA-61-92-10:fortip"
2022-11-24T18:00:25.244944+02:00 FortiAuthenticator radiusd[29573]: (1) NAS-Port-Type = Wireless-802.11
2022-11-24T18:00:25.244952+02:00 FortiAuthenticator radiusd[29573]: (1) Service-Type = Call-Check
2022-11-24T18:00:25.244959+02:00 FortiAuthenticator radiusd[29573]: (1) Fortinet-SSID = "fortip"
2022-11-24T18:00:25.245111+02:00 FortiAuthenticator radiusd[29573]: (1) Fortinet-AP-Name = "FP221E5518099R2D"
2022-11-24T18:00:25.245126+02:00 FortiAuthenticator radiusd[29573]: (1) Message-Authenticator = 0x9f40bf8461ba28a421c8d4edb3ac195a
2022-11-24T18:00:25.245139+02:00 FortiAuthenticator radiusd[29573]: (1) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-11-24T18:00:25.245197+02:00 FortiAuthenticator radiusd[29573]: (1) facauth: ===>NAS IP:192.168.8.113
2022-11-24T18:00:25.245209+02:00 FortiAuthenticator radiusd[29573]: (1) facauth: ===>Username:F8-94-C2-0D-84-FF
2022-11-24T18:00:25.245220+02:00 FortiAuthenticator radiusd[29573]: (1) facauth: ===>Timestamp:1669305625.244623, age:0ms
2022-11-24T18:00:27.154390+02:00 FortiAuthenticator radiusd[29846]: Debugger not attached
2022-11-24T18:00:27.158298+02:00 FortiAuthenticator radiusd[29846]: Creating attribute Unix-Group
2022-11-24T18:00:27.159128+02:00 FortiAuthenticator radiusd[29846]: rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
2022-11-24T18:00:27.164874+02:00 FortiAuthenticator radiusd[29846]: Created config database connection pool
2022-11-24T18:00:27.167134+02:00 FortiAuthenticator radiusd[29846]: Created logging database connection pool
2022-11-24T18:00:27.167879+02:00 FortiAuthenticator radiusd[29846]: Loaded NAS: fortinac (192.168.200.7), subnet: 0.0.0.0/32, range: 192.168.200.7~192.168.200.7 (1 IPs)
2022-11-24T18:00:27.167887+02:00 FortiAuthenticator radiusd[29846]: Loaded NAS: office (192.168.8.113), subnet: 0.0.0.0/32, range: 192.168.8.113~192.168.8.113 (1 IPs)
2022-11-24T18:00:27.174873+02:00 FortiAuthenticator radiusd[29846]: RADIUS server running in full edition.
2022-11-24T18:00:27.182518+02:00 FortiAuthenticator radiusd[29846]: tls: Using cached TLS configuration from previous invocation
2022-11-24T18:00:27.182615+02:00 FortiAuthenticator radiusd[29846]: tls: Using cached TLS configuration from previous invocation
2022-11-24T18:00:27.182706+02:00 FortiAuthenticator radiusd[29846]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
2022-11-24T18:00:27.182808+02:00 FortiAuthenticator radiusd[29846]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
2022-11-24T18:00:27.183103+02:00 FortiAuthenticator radiusd[29846]: # Skipping contents of 'if' as it is always 'false' -- /usr/etc/raddb/sites-enabled/inner-tunnel:353
2022-11-24T18:00:27.203596+02:00 FortiAuthenticator radiusd[29846]: radiusd: #### Opening IP addresses and Ports ####
2022-11-24T18:00:27.205799+02:00 FortiAuthenticator radiusd[29846]: Listening on auth proto tcp address * port 2083 (TLS) bound to server default
2022-11-24T18:00:27.205831+02:00 FortiAuthenticator radiusd[29846]: Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
2022-11-24T18:00:27.205845+02:00 FortiAuthenticator radiusd[29846]: Listening on auth address * port 1812 bound to server default
2022-11-24T18:00:27.205867+02:00 FortiAuthenticator radiusd[29846]: Ready to process requests
2022-11-24T18:00:29.219445+02:00 FortiAuthenticator radiusd[29846]: Waking up in 0.6 seconds.
2022-11-24T18:00:29.219600+02:00 FortiAuthenticator radiusd[29846]: (0) Received Access-Request Id 22 from 192.168.8.113:9852 to 192.168.200.5:1812 length 217
2022-11-24T18:00:29.219620+02:00 FortiAuthenticator radiusd[29846]: (0) User-Name = "F8-94-C2-0D-84-FF"
2022-11-24T18:00:29.219629+02:00 FortiAuthenticator radiusd[29846]: (0) User-Password: ******
2022-11-24T18:00:29.219638+02:00 FortiAuthenticator radiusd[29846]: (0) Calling-Station-Id = "F8-94-C2-0D-84-FF"
2022-11-24T18:00:29.219646+02:00 FortiAuthenticator radiusd[29846]: (0) NAS-IP-Address = 0.0.0.0
2022-11-24T18:00:29.219654+02:00 FortiAuthenticator radiusd[29846]: (0) NAS-Identifier = "172.16.21.2/5246-portal"
2022-11-24T18:00:29.219662+02:00 FortiAuthenticator radiusd[29846]: (0) Called-Station-Id = "E8-1C-BA-61-92-10:fortip"
2022-11-24T18:00:29.219672+02:00 FortiAuthenticator radiusd[29846]: (0) NAS-Port-Type = Wireless-802.11
2022-11-24T18:00:29.219680+02:00 FortiAuthenticator radiusd[29846]: (0) Service-Type = Call-Check
2022-11-24T18:00:29.219687+02:00 FortiAuthenticator radiusd[29846]: (0) Fortinet-SSID = "fortip"
2022-11-24T18:00:29.219851+02:00 FortiAuthenticator radiusd[29846]: (0) Fortinet-AP-Name = "FP221E5518099R2D"
2022-11-24T18:00:29.219867+02:00 FortiAuthenticator radiusd[29846]: (0) Message-Authenticator = 0x9f40bf8461ba28a421c8d4edb3ac195a
2022-11-24T18:00:29.219882+02:00 FortiAuthenticator radiusd[29846]: (0) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-11-24T18:00:29.219946+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: ===>NAS IP:192.168.8.113
2022-11-24T18:00:29.219958+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: ===>Username:F8-94-C2-0D-84-FF
2022-11-24T18:00:29.219973+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: ===>Timestamp:1669305629.219964, age:0ms
2022-11-24T18:00:29.221254+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: Found authclient from preloaded authclients list for 192.168.8.113: office (192.168.8.113)
2022-11-24T18:00:29.224079+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: Found authpolicy 'mac auth' for client '192.168.8.113'
2022-11-24T18:00:29.225862+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: Setting 'Auth-Type := CSID'
2022-11-24T18:00:29.225887+02:00 FortiAuthenticator radiusd[29846]: Not doing PAP as Auth-Type is already set.
2022-11-24T18:00:29.225907+02:00 FortiAuthenticator radiusd[29846]: (0) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-11-24T18:00:29.227511+02:00 FortiAuthenticator radiusd[29846]: (0) facauth: Unauthorized MAC: MAC address not filtered by NAS: 'f894c20d84ff'
2022-11-24T18:00:29.887317+02:00 FortiAuthenticator radiusd[29846]: Waking up in 0.9 seconds.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.