Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kess
New Contributor

WPA2-Enterprise LDAP Authentication

Hi guys, as the title says, I cannot authenticate devices using WPA2-Enterprise on my FortiGate (running in conjunction with FortiAP). I tried my LDAP settings and they are working fine. I can use the LDAP server to authenticate my users for SSL VPN and also for admin login to the device. The only thing not working is WiFi. Do you have any suggestions? Here is the log:
fnbamd_fsm.c[1274] handle_req-Rcvd auth req 4718627 for kess in dc.test.local opt=0 prot=4
fnbamd_radius.c[922] fnbamd_radius_auth_send-Sent radius req to 192.168.0.2: code=1 id=42 len=166 user="kess" using MS-CHAPv2
fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 192.168.0.1, result 192.168.0.1
fnbamd_ldap_digest.c[43] start_query_password-base:'OU=users,DC=test,DC=local' filter:sAMAccountName=kess
fnbamd_ldap_digest.c[271] fnbamd_ldap_get_pwd_lookup_result-Going to SEARCH state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[306] fnbamd_ldap_get_pwd_lookup_result-Password retrieval failed
fnbamd_auth.c[2065] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.0.1 is denied
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_auth.c[2057] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.0.1 is ERROR
fnbamd_ldap.c[1149] fnbamd_ldap_stop-Invalid params
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_ldap_digest.c[292] fnbamd_ldap_get_pwd_lookup_result-Going to DONE state res=5
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 4718627
fnbamd_auth.c[1902] fnbamd_auth_handle_radius_result-->Result for radius svr 192.168.0.2(0) is 1
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 47186
Do you have any ideas? Thx, bye, Kess.
1 reply
Kess
New Contributor

Just so you know, WPA-Enterprise authentication is not possible against an LDAP Active Directory query. There is an article explaining the reasons here: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33251&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=41242937&stateId=0%200%2041244958 Btw, I managed to do it by using a RADIUS server to gain access using Active Directory Services. If you are interested in doing that, just install a Network Policy Server on Windows Server 2008 R2 or Windows Server 2012 (the one I use) and configure your RADIUS access. Hope it helps. Bye, Kess.
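Added example, not from the post or from Fortinet: a small Python triage helper that parses fnbamd debug lines like the ones quoted in the question into structured fields and reports why the LDAP path could not satisfy an MS-CHAPv2 request (the "start_query_password" / "Password retrieval failed" pair). The sample log is a constructed, abridged copy of the output above; the field names, the `triage` function and the verdict wording are assumptions of mine, and the RADIUS/NPS suggestion in the verdict is the one given in the reply.

```python
import re

# Constructed sample: abridged copy of the fnbamd output quoted in the question (repeats collapsed).
SAMPLE_LOG = """\
fnbamd_fsm.c[1274] handle_req-Rcvd auth req 4718627 for kess in dc.test.local opt=0 prot=4
fnbamd_radius.c[922] fnbamd_radius_auth_send-Sent radius req to 192.168.0.2: code=1 id=42 len=166 user="kess" using MS-CHAPv2
fnbamd_ldap_digest.c[43] start_query_password-base:'OU=users,DC=test,DC=local' filter:sAMAccountName=kess
fnbamd_ldap_digest.c[306] fnbamd_ldap_get_pwd_lookup_result-Password retrieval failed
fnbamd_auth.c[2065] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.0.1 is denied
fnbamd_ldap_digest.c[210] fnbamd_ldap_get_pwd_lookup_result-Invalid params
fnbamd_auth.c[2057] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.0.1 is ERROR
fnbamd_auth.c[1902] fnbamd_auth_handle_radius_result-->Result for radius svr 192.168.0.2(0) is 1
"""

# One fnbamd debug line: "<file>.c[<line>] <function>-<message>" (a "-->" separator also occurs).
LINE_RE = re.compile(r"^\s*(?P<file>\w+\.c)\[(?P<line>\d+)\]\s+(?P<func>\w+)-+>?(?P<msg>.*)$")

def parse_line(line):
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None   # None for text that is not a debug line

def triage(log_text):
    """Summarise one authentication attempt and explain the LDAP failure, if any."""
    s = {"user": None, "method": None, "password_lookup_failed": False, "ldap_results": []}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if (m := re.search(r"Rcvd auth req \d+ for (\S+)", msg)):
            s["user"] = m.group(1)
        if ev["func"] == "fnbamd_radius_auth_send" and (m := re.search(r"using (\S+)$", msg)):
            s["method"] = m.group(1)            # inner method reported for the request
        if "Password retrieval failed" in msg:
            s["password_lookup_failed"] = True  # LDAP returned no password to verify against
        if (m := re.search(r"Result for ldap svr (\S+) is (\w+)", msg)):
            s["ldap_results"].append((m.group(1), m.group(2)))
    s["verdict"] = diagnose(s)
    return s

def diagnose(s):
    """Map the collected facts to a one-line explanation for the engineer reading the log."""
    if s["password_lookup_failed"] and (s["method"] or "").upper().startswith("MS-CHAP"):
        return ("%s cannot be verified via an LDAP query: the FortiGate tried to fetch the user's "
                "stored password to check the challenge response and LDAP returned none; "
                "use a RADIUS server (e.g. NPS) bound to Active Directory instead." % s["method"])
    if s["password_lookup_failed"]:
        return "LDAP password lookup failed; check the LDAP server settings and search base."
    return "no LDAP password-lookup failure seen for this request."
```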