Dear All
I'm using FortiAuthenticator as the RADIUS server and a FortiGate for Internet sharing.
I need to allow some groups on FortiAuthenticator to use the Internet without a web login, just Wi-Fi single sign-on: if the Wi-Fi login succeeds, Internet access should become active automatically.
Here is the reference that I use.
The problem is that I cannot use the reference with other brands such as TP-Link, D-Link, MikroTik or others.
The reference uses FortiAP.
I have tried many times, but it always fails: after a successful Wi-Fi login, the login form automatically appears in the browser.
Does anyone here have experience using WSSO without FortiAP?
Please let me know if anybody can help me.
Regards,
Heri
AFAIK this should work with non-FortiAP wi-fi as well. It's basically just RADIUS under the hood with attributes sent to the FGT for WSSO to work properly.
Did you set up the Fortinet-Group-Name attribute properly in the FAC groups?
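To make the "just RADIUS under the hood" point concrete, here is an added example (not code from the thread or from Fortinet) that builds and parses a RADIUS Access-Accept carrying the Fortinet-Group-Name vendor-specific attribute. It uses the values from the Fortinet RADIUS dictionary (vendor ID 12356, vendor type 1 for Fortinet-Group-Name); the request authenticator and shared secret are constructed for the demo. This is the attribute the FortiGate must decode before a RADIUS-backed user group can match, regardless of whether the access point is a FortiAP or a third-party AP: the AP only relays EAP, the group comes from the RADIUS reply.

```python
import hashlib
import hmac
import struct

# Constants from RFC 2865 and the Fortinet RADIUS dictionary.
FORTINET_VENDOR_ID = 12356       # Fortinet's IANA private enterprise number
FORTINET_GROUP_NAME = 1          # vendor type of Fortinet-Group-Name
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2


def encode_fortinet_group_name(group: str) -> bytes:
    """Encode one Fortinet-Group-Name as a Vendor-Specific attribute (RFC 2865 section 5.26):
    type 26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | value."""
    value = group.encode("utf-8")
    vendor_attr = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    payload = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def response_authenticator_ok(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator: it ties the reply to the original request and to the
    shared secret, so a reply that fails this check must not be trusted for group data."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def fortinet_group_names(packet: bytes) -> list:
    """Walk the attribute list and return every Fortinet-Group-Name value, in order.
    Non-Fortinet vendor attributes are skipped; malformed lengths raise instead of being guessed."""
    groups = []
    i = 20
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if attr_type == ATTR_VENDOR_SPECIFIC and attr_len >= 6:
            vendor_id = struct.unpack("!I", packet[i + 2:i + 6])[0]
            if vendor_id == FORTINET_VENDOR_ID:
                j, end = i + 6, i + attr_len
                while j + 2 <= end:
                    vendor_type, vendor_len = packet[j], packet[j + 1]
                    if vendor_len < 2 or j + vendor_len > end:
                        raise ValueError("malformed Fortinet VSA at offset %d" % j)
                    if vendor_type == FORTINET_GROUP_NAME:
                        groups.append(packet[j + 2:j + vendor_len].decode("utf-8"))
                    j += vendor_len
        i += attr_len
    return groups


if __name__ == "__main__":
    # Constructed sample values: request authenticator and secret are made up for the demo.
    request_auth = bytes(range(16))
    secret = b"testing123"
    attrs = encode_fortinet_group_name("WINETADMIN") + encode_fortinet_group_name("WINETLAN")
    accept = build_access_accept(6, request_auth, secret, attrs)
    print(response_authenticator_ok(accept, request_auth, secret), fortinet_group_names(accept))
```

A reply that decodes to an empty group list is exactly the situation in which the FortiGate falls back to the captive-portal login form, so when debugging a third-party AP it is worth confirming on the wire (or with the fnbamd debug suggested later in this thread) that the VSA is present, not just that the Access-Accept arrived.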
Dear gfleming
I have done that; unfortunately it still doesn't work.
The FortiGate cannot get the group from FortiAuthenticator.
I will try again; if you have another solution, it would be very helpful.
Best regards,
Heri
Just to confirm, you have configured the SSID to use WPA2 Enterprise? And when you connect to Wi-Fi you are prompted for username and password before getting connected to the network? Do you see the authentications on the FortiAuthenticator?
Dear gfleming
Yes, of course.
Here is the process and configuration.
And this is the configuration of the Wi-Fi.
And the FortiGate cannot capture Fortinet-Group-Name; that's why the login form always appears once the Wi-Fi is connected.
Best Regards.
Heri
Good details, thank you! I notice there's a schedule in your FW Policy. I assume you've verified the schedule is not getting in the way? Are you definitely hitting that policy?
Also, can you do a test for me and try with a local FortiAuthenticator group instead of an LDAP group? See if the results are the same.
You can also try and debug the RADIUS messages received on the FortiGate to ensure the attribute is being sent properly: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-authentication-troubleshooting/ta-p...
Dear Graham
Here is the result of local user
Regards,
Heri
User group is reported as WINETLAN; is that expected? I believe we are expecting WINETADMIN?
Can you run debug with integer 255 for full messages? diagnose debug application fnbamd 255
Dear Graham
Here is the result
FG200E-LDAP-MASTER # diagnose debug application fnbamd 255
Debug messages will be on for 26 minutes.
FG200E-LDAP-MASTER # diagnose test authserver radius FortiAuth-RADIUS mschap2 heri-hw 12345678
[1906] handle_req-Rcvd auth req 135802484 for heri-hw in FortiAuth-RADIUS opt=0000001d prot=4
[466] __compose_group_list_from_req-Group 'FortiAuth-RADIUS', type 1
[616] fnbamd_pop3_start-heri-hw
[518] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FortiAuth-RADIUS'
[342] fnbamd_create_radius_socket-Opened radius socket 13
[342] fnbamd_create_radius_socket-Opened radius socket 14
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-192.168.100.248->192.168.100.248
[1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuth-RADIUS': fd=13, IP=192.168.100.248(192.168.100.248:1812) code=1 id=6 len=161 user="heri-hw" using MS-CHAPv2
[319] radius_server_auth-Timer of rad 'FortiAuth-RADIUS' is added
[633] create_auth_session-Total 1 server(s) to try
[2341] handle_req-Rcvd auth_cert req id=135802485, len=1567, opt=8
[974] __cert_auth_ctx_init-req_id=135802485, opt=8
[983] __cert_auth_ctx_init-OCSP resp is found.
[103] __cert_chg_st- 'Init'
[140] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[661] __cert_init-req_id=135802485
[710] __cert_build_chain-req_id=135802485
[257] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
[273] fnbamd_chain_build-Following depth 0
[318] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[273] fnbamd_chain_build-Following depth 1
[318] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[273] fnbamd_chain_build-Following depth 2
[287] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[831] __cert_verify-req_id=135802485
[832] __cert_verify-Chain is complete.
[406] fnbamd_builtin_cert_check-Following cert chain depth 0
[406] fnbamd_builtin_cert_check-Following cert chain depth 1
[427] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
[406] fnbamd_builtin_cert_check-Following cert chain depth 2
[442] fnbamd_builtin_cert_check-Certificate status is unchecked.
[867] __cert_verify_do_next-req_id=135802485
[99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
[889] __cert_ocsp_check-req_id=135802485
[335] fnbamd_verify_ocsp_response-Cert status: GOOD.
[251] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
[99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
[912] __cert_done-req_id=135802485
[1652] fnbamd_auth_session_done-Session done, id=135802485
[957] __fnbamd_cert_auth_run-Exit, req_id=135802485
[1689] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=135802485
[1608] auth_cert_success-id=135802485
[1059] fnbamd_cert_auth_copy_cert_status-req_id=135802485
[1186] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=135802485
[216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 135802485, len=2144
[1553] destroy_auth_cert_session-id=135802485
[1032] fnbamd_cert_auth_uninit-req_id=135802485
[1358] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuth-RADIUS' is deleted
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val WINETADMIN
[1663] __radius_decode_mppe_key-Key len after decode 16
[1663] __radius_decode_mppe_key-Key len after decode 16
[1383] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuth-RADIUS' 192.168.100.248(1) is 0
[266] find_matched_usr_grps-Skipped group matching
[216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 135802484, len=2160
[789] destroy_auth_session-delete session 135802484
authenticate 'heri-hw' against 'mschap2' succeeded, server=primary assigned_rad_session_id=135802484 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - WINETADMIN
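The debug output above contains the three lines that decide whether WSSO can work: the RADIUS response code, the decoded FORTINET attribute, and the final group membership. As an added example (not part of the thread), here is a small parser that pulls those out of `diagnose debug application fnbamd 255` output and checks them against the group the FortiGate user group and firewall policy expect. The sample text is copied from the output posted above; the status keywords and the whitespace split of the membership line are assumptions made for this example.

```python
import re

# Lines copied from the fnbamd debug output posted in this thread (only the relevant ones).
SAMPLE_FNBAMD_OUTPUT = """\
[1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuth-RADIUS': fd=13, IP=192.168.100.248(192.168.100.248:1812) code=1 id=6 len=161 user="heri-hw" using MS-CHAPv2
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val WINETADMIN
[1663] __radius_decode_mppe_key-Key len after decode 16
[1383] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuth-RADIUS' 192.168.100.248(1) is 0
Group membership(s) - WINETADMIN
"""

RESP_CODE = re.compile(r"RADIUS resp code (\d+)")
FORTINET_VSA = re.compile(r"extract_success_vsas-FORTINET attr, type (\d+), val (\S+)")
SERVER_RESULT = re.compile(r"Result for radius svr '([^']+)' \S+ is (-?\d+)")
MEMBERSHIP = re.compile(r"Group membership\(s\) - (.+)")

CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
FORTINET_GROUP_NAME = 1   # vendor type of Fortinet-Group-Name in the Fortinet dictionary


def parse_fnbamd(text: str) -> dict:
    """Reduce a fnbamd debug capture to the fields that matter for RADIUS group matching."""
    summary = {"resp_code": None, "fortinet_vsas": [], "server": None, "result": None, "membership": []}
    for line in text.splitlines():
        m = RESP_CODE.search(line)
        if m:
            summary["resp_code"] = int(m.group(1))
            continue
        m = FORTINET_VSA.search(line)
        if m:
            summary["fortinet_vsas"].append((int(m.group(1)), m.group(2)))
            continue
        m = SERVER_RESULT.search(line)
        if m:
            summary["server"], summary["result"] = m.group(1), int(m.group(2))
            continue
        m = MEMBERSHIP.search(line)
        if m:
            # Assumption: multiple groups are whitespace separated on this line.
            summary["membership"] = m.group(1).split()
    return summary


def diagnose(summary: dict, expected_group: str) -> tuple:
    """Return (status, detail). Status keywords are chosen for this example."""
    groups = [val for typ, val in summary["fortinet_vsas"] if typ == FORTINET_GROUP_NAME]
    if summary["resp_code"] is None:
        return ("no-response", "no RADIUS response was decoded; check reachability and the shared secret")
    if summary["resp_code"] == CODE_ACCESS_REJECT:
        return ("access-reject", "server rejected the credentials")
    if summary["resp_code"] == CODE_ACCESS_ACCEPT and not groups:
        return ("no-group-attribute",
                "Access-Accept without Fortinet-Group-Name; check the RADIUS attribute on the FortiAuthenticator group")
    if expected_group not in groups:
        return ("group-mismatch",
                "server sent %s but the FortiGate group/policy expects %s" % (groups, expected_group))
    return ("ok", "Fortinet-Group-Name %s received, result %s" % (expected_group, summary["result"]))


if __name__ == "__main__":
    s = parse_fnbamd(SAMPLE_FNBAMD_OUTPUT)
    print(diagnose(s, "WINETADMIN"))
    print(diagnose(s, "WINETLAN"))   # the mismatch case raised earlier in this thread
```

Run against the posted capture, the first call reports ok and the second reports a group mismatch, which is the same distinction gfleming drew between WINETLAN and WINETADMIN: an Access-Accept with the wrong group name looks like success in the RADIUS test but still will not match the firewall policy's user group.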
OK so it looks like FAC is sending the attribute OK in this case. Are you testing with local group or LDAP group? If not LDAP can you test again with LDAP this time?
Copyright 2024 Fortinet, Inc. All Rights Reserved.