fguerra
New Contributor

WPA2 Enterprise RADIUS authentication not working with Windows 2012 NPS

I am trying to get our WiFi to authenticate using Windows NPS. I had a running RADIUS server with Cisco ACS, but the device is EoL and the certificate expired. All WiFi worked fine before moving to NPS. I am running a FortiGate 1500D (5.2.3) that is managing FortiAP 320Cs. The FG RADIUS is configured with an authentication method of MS-CHAP-v2, and I successfully tested the connection in the CLI using diag test authserver radius <server> mschap2 <username> <password>. I configured the NPS server using the following KB document: http://kb.fortinet.com/kb...do?externalID=FD36088. The Windows 2012 server was an existing domain server with NPS newly configured. So, when I tested the RADIUS using the CLI, I get new events in NPS indicating Full Access. But when I attempt to authenticate from a laptop, I do not get any events in the NPS server. Any help with further troubleshooting or suggestions would be greatly appreciated.

5 REPLIES
Jeff_FTNT
Staff

You may try using the FGT EAP-proxy feature first.

config wireless-controller vap
    edit "jeff"
        set vdom "lab"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "radiusgrp"    ---- add the RADIUS server as a member
    next
end

It will not ask the RADIUS server to support EAP.

 

If this works, it means your NPS EAP settings have an issue, so check the NPS EAP settings. Then test it with normal wpa2-only-enterprise + RADIUS EAP.

config wireless-controller vap
    edit "jeff"
        set vdom "lab"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "test"
    next
end

 

fguerra

The FGT EAP-proxy feature worked, and then going back to WPA2 Enterprise + RADIUS did not. In NPS I have changed the EAP Type settings in the Network Policies, with no success. Currently, I have a case open with Fortinet, #1641968.

Jeff_FTNT

I guess you may be using Windows PEAP to connect to the wireless AP. Mostly its wireless profile enables the "Validate server certificate" check by default.

For FGT EAP-proxy, it uses a public certificate, so it is easy to set up.

For the WPA2 Enterprise + RADIUS case, you normally need to import the CA certificate used by RADIUS into the desktop. You may try to manually create the wireless profile on the PC to skip this step. Hope it is of some help. Thanks.

 

Tim_Cooper

Was there any further update on this situation? We are in the same boat: EAP-Proxy seems to work fine, but in EAP mode NPS simply sends an Access-Reject back to the FortiGate's initial Access-Request, regardless of what NPS or client settings are used. Almost as if the initial RADIUS request is incorrect to start the proper EAP negotiation? The FortiGate and FAPs are all running 5.2.6. Are there any known issues that could be breaking this?

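Tim's question concerns what the FortiGate's first Access-Request must look like for the EAP negotiation to start. One thing a practitioner can verify from a packet capture of that exchange is whether the request carries an EAP-Message attribute together with a valid Message-Authenticator (HMAC-MD5 over the packet keyed with the shared secret), which RFC 3579 requires for EAP over RADIUS and without which a server must discard the request, whereas a plain MS-CHAPv2 request from diag test authserver does not need it. The following is an added example, not code from the thread or from Fortinet; the shared secret, Request Authenticator and EAP Identity response are constructed sample values.

```python
import hashlib
import hmac
import struct

ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

SHARED_SECRET = b"example-secret"  # constructed; not a real secret
# Constructed EAP Response/Identity: code 2, id 1, length 9, type 1 (Identity), "jdoe"
EAP_IDENTITY_RESPONSE = bytes([2, 1, 0, 9, 1]) + b"jdoe"


def parse_attributes(packet: bytes):
    """Return (type, value_offset, value) for each attribute after the 20-byte header."""
    pos, attrs = 20, []
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(identifier: int, authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Build an Access-Request (code 1). If an EAP-Message is present, append a
    Message-Authenticator computed per RFC 2869/3579: HMAC-MD5 over the whole packet
    with the attribute value set to 16 zero bytes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _ in attrs)
    if has_eap:
        body += struct.pack("BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    if has_eap:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def check_eap_request(packet: bytes, secret: bytes) -> str:
    """Classify an Access-Request the way an EAP-capable RADIUS server must treat it."""
    attrs = parse_attributes(packet)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    mas = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not has_eap:
        return "no-eap"  # e.g. the MS-CHAPv2 request from 'diag test authserver'
    if not mas or len(mas[0][1]) != 16:
        return "eap-without-message-authenticator"  # RFC 3579: must be discarded
    off, value = mas[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "eap-ok" if hmac.compare_digest(expected, value) else "eap-bad-message-authenticator"
```

Run check_eap_request over the first Access-Request from a capture with the configured shared secret: "eap-bad-message-authenticator" points at a secret mismatch between the FortiGate and NPS, while "eap-without-message-authenticator" means the request cannot start EAP at all.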
joepope
New Contributor III

I use WPA2 Enterprise NPS authentication for my FortiAP FP223s and it works. NPS 2012 is a pain to configure, but I found this example in the latest Cookbook which helped (it worked for 5.2.7 and 5.4.1):

 

http://cookbook.fortinet.com/wifi-with-wsso-using-windows-nps-and-attributes-54/

 

Hope this helps!

 
