I am trying to get our WiFi to authenticate using Windows NPS. I had a running RADIUS server with Cisco ACS, but the device is EoL and the certificate expired. All WiFi worked fine before moving to NPS. I am running a FortiGate 1500D (5.2.3) that is managing FortiAP 320Cs. The FG RADIUS is configured with an authentication method of MS-CHAP-v2, and I successfully tested the connection in the CLI using diag test authserver radius <server> mschap2 <username> <password>. I configured the NPS server using the following KB document: http://kb.fortinet.com/kb...do?externalID=FD36088. The Windows 2012 server was an existing domain server with NPS newly configured. So, when I tested the RADIUS using the CLI, I get new events in NPS indicating Full Access. But when I attempt to authenticate from a laptop, I do not get any events in the NPS server. Any help with further troubleshooting or suggestions would be greatly appreciated.
You may try using the FGT EAP-proxy feature first.
config wireless-controller vap
    edit "jeff"
        set vdom "lab"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "radiusgrp"    ---- add the RADIUS server as a member of this group
    next
end
It will not ask the RADIUS server to support EAP.
If this works, it means your NPS EAP setting has an issue, so check the NPS EAP setting. Then test it with the normal wpa2-only-enterprise + RADIUS EAP setup.
config wireless-controller vap
    edit "jeff"
        set vdom "lab"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "test"
    next
end
The FGT EAP-proxy feature worked and then going back to WPA2 Enterprise + RADIUS did not. In NPS I have changed the EAP Type settings, in the Network Policies, with no success. Currently, I have a case open with Fortinet #1641968.
I guess you may be using Windows PEAP to connect to the wireless AP. Mostly its wireless profile enables the "Validate server certificate" check by default.
For FGT EAP-proxy, it uses a public certificate, so it is easy to set up.
For the WPA2 Enterprise + RADIUS case, you normally need to import the CA certificate used by RADIUS into the desktop. You may try to manually create a wireless profile on the PC to skip this step. Hope it is of some help. Thanks.
Was there any further update on this situation? We are in the same boat: EAP-Proxy seems to work fine, but in EAP mode NPS simply sends an Access-Reject back to the FortiGate's initial Access-Request, regardless of what NPS or client settings are used. Almost as if the initial RADIUS request is incorrect to start the proper EAP negotiation? The FortiGate and FAPs are all running 5.2.6. Are there any known issues that could be breaking this?
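As an added example (not from this thread or from Fortinet), the Python below builds the first Access-Request a pass-through authenticator sends, an EAP Response/Identity carried in EAP-Message, and checks it the way an EAP-capable RADIUS server must: RFC 3579 requires such a request to carry a Message-Authenticator (HMAC-MD5 keyed with the shared secret) and has the server silently discard it otherwise, which from the NAS side looks like no answer or a reject. The shared secret and identity are constructed values; run check_eap_request on the bytes of a packet captured between the FortiGate and NPS to rule out the request format before changing NPS policies.

```python
import hashlib, hmac, os, struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # RFC 2865 / RFC 3579 types

def _attr(atype, value):
    # One RADIUS attribute: Type(1) Length(1) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(secret, identity, ident=1, with_msg_auth=True):
    """First Access-Request a pass-through authenticator sends: User-Name plus an
    EAP Response/Identity inside EAP-Message (secret and identity are constructed)."""
    # EAP: Code=2 (Response), Id, Length, Type=1 (Identity), identity bytes
    eap = struct.pack("!BBH", 2, ident, 5 + len(identity)) + b"\x01" + identity.encode()
    attrs = _attr(USER_NAME, identity.encode()) + _attr(EAP_MESSAGE, eap)
    if with_msg_auth:
        attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, filled below
    # RADIUS header: Code=1 (Access-Request), Id, Length, random Request Authenticator
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    if with_msg_auth:
        # RFC 3579 3.2: HMAC-MD5(secret) over the whole packet with the MA value zeroed;
        # MA is the last attribute here, so its value is the final 16 bytes
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def check_eap_request(secret, pkt):
    """Validate an Access-Request the way an EAP-capable RADIUS server must.
    Returns (ok, reason); a False result is dropped or rejected server-side."""
    if len(pkt) < 20 or pkt[0] != 1:
        return False, "not an Access-Request"
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "length field does not match packet size"
    attrs, pos = [], 20
    while pos < len(pkt):                      # walk the attribute TLV list
        atype, alen = pkt[pos], (pkt[pos + 1] if pos + 1 < len(pkt) else 0)
        if alen < 2 or pos + alen > len(pkt):
            return False, "malformed attribute"
        attrs.append((atype, pos + 2, pkt[pos + 2:pos + alen]))
        pos += alen
    if not any(t == EAP_MESSAGE for t, _, _ in attrs):
        return False, "no EAP-Message: server will not start EAP"
    mas = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False, "EAP-Message without a single 16-byte Message-Authenticator"
    off, value = mas[0]
    expected = hmac.new(secret, pkt[:off] + bytes(16) + pkt[off + 16:], hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return False, "Message-Authenticator mismatch: shared secret differs?"
    return True, "ok"
```

A mismatch on a captured packet points at the shared secret on one side; a missing Message-Authenticator points at the request builder rather than the NPS policy.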
I use WPA2 Enterprise NPS authentication for my FortiAP FP223s and it works. NPS 2012 is a pain to configure, but I found this example in the latest Cookbook which helped (worked for 5.2.7 and 5.4.1):
http://cookbook.fortinet.com/wifi-with-wsso-using-windows-nps-and-attributes-54/
Hope this helps!