Hi...
I am deploying a FAC and we need to configure the clients to authenticate on WiFi using certificates.
I have read the Fortinet documentation and in all scenarios the FAC is a CA, but the customer has an internal CA, so I imported the Root CA and intermediate CA certificates into the FAC and created a CSR for the CA to generate a server certificate for the FAC.
Below I am pasting the RADIUS debug logs:
(28) Received Access-Request Id 25 from 10.49.2.129:6786 to 10.45.14.40:1812 length 349
2021-08-18T16:40:26.539540-03:00 PRDFAC-FNT-A radiusd[22484]: (28) User-Name = "ipachacuti@qualicorp.com.br"
2021-08-18T16:40:26.539546-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-IP-Address = 0.0.0.0
2021-08-18T16:40:26.539551-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Identifier = "10.49.2.10/5246-Qlc-Corporativo"
2021-08-18T16:40:26.539556-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Called-Station-Id = "D4-76-A0-46-50-D0:Qlc-Corporativo-01"
2021-08-18T16:40:26.539566-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Port-Type = Wireless-802.11
2021-08-18T16:40:26.539572-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Service-Type = Framed-User
2021-08-18T16:40:26.539578-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Port = 1
2021-08-18T16:40:26.539583-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Fortinet-SSID = "Qlc-Corporativo-01"
2021-08-18T16:40:26.539588-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Fortinet-AP-Name = "ap_plaza_niteroi_01"
2021-08-18T16:40:26.539593-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Calling-Station-Id = "5C-CD-5B-51-49-E7"
2021-08-18T16:40:26.539597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC"
2021-08-18T16:40:26.539602-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Acct-Session-Id = "610D7F800000013E"
2021-08-18T16:40:26.539606-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Acct-Multi-Session-Id = "AD3AA044994A7AC4"
2021-08-18T16:40:26.539611-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-Pairwise-Cipher = 1027076
2021-08-18T16:40:26.539618-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-Group-Cipher = 1027076
2021-08-18T16:40:26.539626-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-AKM-Suite = 1027073
2021-08-18T16:40:26.539630-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Framed-MTU = 1400
2021-08-18T16:40:26.539635-03:00 PRDFAC-FNT-A radiusd[22484]: (28) EAP-Message = 0x02f90006030d
2021-08-18T16:40:26.539639-03:00 PRDFAC-FNT-A radiusd[22484]: (28) State = 0x9cbc75179c4560e453e0470a6884bbb3
2021-08-18T16:40:26.539643-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Message-Authenticator = 0x480eea390fc3475973781e6cffeefa5e
2021-08-18T16:40:26.539653-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2021-08-18T16:40:26.539695-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>NAS IP:10.49.2.129
2021-08-18T16:40:26.539706-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>Username:ipachacuti@qualicorp.com.br
2021-08-18T16:40:26.539713-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>Timestamp:1629315626.539363, age:0ms
2021-08-18T16:40:26.539722-03:00 PRDFAC-FNT-A radiusd[22484]: Not doing PAP as Auth-Type is already set.
2021-08-18T16:40:26.539730-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-18T16:40:26.539739-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Expiring EAP session with state 0x9cbc75179c4560e4
2021-08-18T16:40:26.539747-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Finished EAP session with state 0x9cbc75179c4560e4
2021-08-18T16:40:26.539753-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Previous EAP request found for state 0x9cbc75179c4560e4, released from the list
2021-08-18T16:40:26.539765-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Found authclient from preloaded authclients list for 10.49.2.129: WIFI_Corp_Plaza_Niteroi (10.49.2.129)
2021-08-18T16:40:26.540672-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: WARNING: failed to load authpolicy for authclient 6 with authtype eap-tls
2021-08-18T16:40:26.541369-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Found authpolicy 'WIFI_CORP' for client '10.49.2.129'
2021-08-18T16:40:26.541597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: ERROR: No mutually acceptable types found
2021-08-18T16:40:26.541653-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-18T16:40:26.541712-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: Updated auth log 'ipachacuti@qualicorp.com.br': 802.1x authentication failed
2021-08-18T16:40:27.209211-03:00 PRDFAC-FNT-A radiusd[22484]: Waking up in 0.3 seconds.
Can you help me :)
It seems that the matching RADIUS Service / Policy named "WIFI_CORP" is anything but EAP-TLS.
Check that first.
Once you set RADIUS Service / Policy / "Authentication type" to "Client Certificates (EAP-TLS)", then on the next page, "Identity source", you get the blue hint stating how the match is done and what the client's cert should look like:
Understanding the Client Certificates (EAP-TLS) workflow
EAP-TLS verifies the certificate provided by the end-user. A certificate is deemed valid if ALL of the following conditions match the certificate binding settings of one of the configured local or remote users:
For example, if an end-user provides a certificate with the following fields:
This certificate would be deemed valid if matching a configured user account with certificate binding settings:
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
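The EAP-Message values in the debug output above can be decoded by hand to confirm this diagnosis: the client's 0x02f90006030d is an EAP Nak asking for type 13 (EAP-TLS), which a policy set to any other method cannot satisfy. The block below is an added example (not FortiAuthenticator or FreeRADIUS code) that parses the EAP header per RFC 3748 and the EAP-TLS flags byte per RFC 5216; the values it decodes are the ones quoted in this thread's logs.

```python
"""Decode the EAP-Message values printed in the radiusd debug output above.

Added example, not FortiAuthenticator or FreeRADIUS code.  It parses the EAP
header (RFC 3748) and the EAP-TLS flags byte (RFC 5216); the values decoded in
the test are the ones quoted in this thread's logs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake"}


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None
    detail: str = ""
    tls_payload: bytes = b""


def decode_eap_message(hex_value: str) -> EapMessage:
    """Parse one EAP-Message value as radiusd prints it ("0x...")."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    msg = EapMessage(EAP_CODES.get(code, f"code {code}"), identifier, length)
    if code in (3, 4) or length < 5:
        return msg  # Success/Failure carry no Type byte
    eap_type, body = raw[4], raw[5:]
    msg.eap_type = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type == 3:
        # Nak: the peer rejects the offered method and lists what it accepts.
        # A Nak asking for 13 against a policy that is not EAP-TLS is what
        # radiusd reports as "No mutually acceptable types found".
        msg.detail = "peer wants " + ", ".join(
            EAP_TYPES.get(t, f"type {t}") for t in body)
    elif eap_type == 13:
        flags = body[0] if body else 0
        names = "".join(n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                        if flags & bit) or "-"
        msg.detail = f"flags={names}"
        offset = 1
        if flags & 0x80:  # L bit: 4-byte total TLS message length follows
            msg.detail += f" tls_len={int.from_bytes(body[1:5], 'big')}"
            offset = 5
        msg.tls_payload = body[offset:]
        if not msg.tls_payload and not flags & 0x20:
            msg.detail += " (ACK)"  # empty, non-Start EAP-TLS = fragment ACK
    return msg


def tls_records(payload: bytes) -> List[Tuple[str, int]]:
    """Split a reassembled TLS payload into (content type, record length)."""
    records = []
    pos = 0
    while pos + 5 <= len(payload):
        ctype = payload[pos]
        rec_len = int.from_bytes(payload[pos + 3:pos + 5], "big")
        records.append((TLS_CONTENT.get(ctype, f"type {ctype}"), rec_len))
        pos += 5 + rec_len
    return records
```

Run against the second log in this thread, the server's 0x016f00060d00 decodes as an empty EAP-TLS ACK of a client fragment, and its last challenge 0x0170003d0d80... carries the TLS ChangeCipherSpec and Finished records that complete the handshake.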
Hi
I made the changes.
Now the user sometimes connects and other times does not.
When the user connects successfully, the connection takes a long time.
2021-08-20T16:35:31.806736-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Received Access-Request Id 121 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1836
2021-08-20T16:35:31.806743-03:00 PRDFAC-FNT-A radiusd[3903]: (179) User-Name = "ABToledo@teste.com"
2021-08-20T16:35:31.806748-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-IP-Address = 0.0.0.0
2021-08-20T16:35:31.806752-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo"
2021-08-20T16:35:31.806756-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo"
2021-08-20T16:35:31.806760-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Port-Type = Wireless-802.11
2021-08-20T16:35:31.806765-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Service-Type = Framed-User
2021-08-20T16:35:31.806769-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Port = 1
2021-08-20T16:35:31.806773-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Fortinet-SSID = "Qlc-Corporativo"
2021-08-20T16:35:31.806777-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Fortinet-AP-Name = "ap_vila_olimpia_01"
2021-08-20T16:35:31.806781-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Calling-Station-Id = "5C-CD-5B-51-0B-03"
2021-08-20T16:35:31.806785-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC"
2021-08-20T16:35:31.806789-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Acct-Session-Id = "611FE546000000BB"
2021-08-20T16:35:31.806793-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Acct-Multi-Session-Id = "422E105E5406896B"
2021-08-20T16:35:31.806798-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-Pairwise-Cipher = 1027076
2021-08-20T16:35:31.806802-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-Group-Cipher = 1027076
2021-08-20T16:35:31.806807-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-AKM-Suite = 1027073
2021-08-20T16:35:31.806811-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Framed-MTU = 1400
2021-08-20T16:35:31.806821-03:00 PRDFAC-FNT-A radiusd[3903]: (179) EAP-Message = ...
2021-08-20T16:35:31.806825-03:00 PRDFAC-FNT-A radiusd[3903]: (179) State = 0x8839eb508e57e650f7b42b22f3ec8a91
2021-08-20T16:35:31.806829-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Message-Authenticator = 0xdcbbf94f3da30ac13dd24526fccf5a00
2021-08-20T16:35:31.806838-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.806876-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>NAS IP:10.49.1.129
2021-08-20T16:35:31.806881-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>Username:ABToledo@teste.com
2021-08-20T16:35:31.806887-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>Timestamp:1629488131.806550, age:0ms
2021-08-20T16:35:31.807301-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129)
2021-08-20T16:35:31.814266-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129'
2021-08-20T16:35:31.814670-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129)
2021-08-20T16:35:31.815443-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129'
2021-08-20T16:35:31.815770-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Client type: 0 (subtype: 0)
2021-08-20T16:35:31.815781-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com
2021-08-20T16:35:31.816041-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Realm not specified, default goes to remote LDAP, id: 1
2021-08-20T16:35:31.816415-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389
2021-08-20T16:35:31.816424-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com'
2021-08-20T16:35:31.816635-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database
2021-08-20T16:35:31.817094-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB
2021-08-20T16:35:31.817319-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin
2021-08-20T16:35:31.817539-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' is a remote ldap admin
2021-08-20T16:35:31.817972-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389
2021-08-20T16:35:31.818003-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.818016-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Expiring EAP session with state 0x17c49a1e10ea97ee
2021-08-20T16:35:31.818023-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Finished EAP session with state 0x8839eb508e57e650
2021-08-20T16:35:31.818032-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Previous EAP request found for state 0x8839eb508e57e650, released from the list
2021-08-20T16:35:31.818051-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: EAP session adding &reply:State = 0x8839eb508f56e650
2021-08-20T16:35:31.818065-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.818075-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Sent Access-Challenge Id 121 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0
2021-08-20T16:35:31.818081-03:00 PRDFAC-FNT-A radiusd[3903]: (179) EAP-Message = 0x016f00060d00
2021-08-20T16:35:31.818087-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Message-Authenticator = 0x00000000000000000000000000000000
2021-08-20T16:35:31.818090-03:00 PRDFAC-FNT-A radiusd[3903]: (179) State = 0x8839eb508f56e650f7b42b22f3ec8a91
2021-08-20T16:35:31.829878-03:00 PRDFAC-FNT-A radiusd[3903]: Waking up in 0.6 seconds.
2021-08-20T16:35:31.829932-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Received Access-Request Id 122 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1729
2021-08-20T16:35:31.829943-03:00 PRDFAC-FNT-A radiusd[3903]: (180) User-Name = "ABToledo@qteste.com"
2021-08-20T16:35:31.829948-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-IP-Address = 0.0.0.0
2021-08-20T16:35:31.829954-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo"
2021-08-20T16:35:31.829959-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo"
2021-08-20T16:35:31.829966-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Port-Type = Wireless-802.11
2021-08-20T16:35:31.829972-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Service-Type = Framed-User
2021-08-20T16:35:31.829977-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Port = 1
2021-08-20T16:35:31.829981-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Fortinet-SSID = "Qlc-Corporativo"
2021-08-20T16:35:31.829985-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Fortinet-AP-Name = "ap_vila_olimpia_01"
2021-08-20T16:35:31.829989-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Calling-Station-Id = "5C-CD-5B-51-0B-03"
2021-08-20T16:35:31.829994-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC"
2021-08-20T16:35:31.829998-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Acct-Session-Id = "611FE546000000BB"
2021-08-20T16:35:31.830003-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Acct-Multi-Session-Id = "422E105E5406896B"
2021-08-20T16:35:31.830008-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-Pairwise-Cipher = 1027076
2021-08-20T16:35:31.830013-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-Group-Cipher = 1027076
2021-08-20T16:35:31.830018-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-AKM-Suite = 1027073
2021-08-20T16:35:31.830023-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Framed-MTU = 1400
2021-08-20T16:35:31.830035-03:00 PRDFAC-FNT-A radiusd[3903]: (180) EAP-Message = ...
2021-08-20T16:35:31.830041-03:00 PRDFAC-FNT-A radiusd[3903]: (180) State = 0x8839eb508f56e650f7b42b22f3ec8a91
2021-08-20T16:35:31.830045-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Message-Authenticator = 0xb54679edc81860423e91605393bd89f4
2021-08-20T16:35:31.830053-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.830094-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>NAS IP:10.49.1.129
2021-08-20T16:35:31.830105-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>Username:ABToledo@teste.com
2021-08-20T16:35:31.830112-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>Timestamp:1629488131.829767, age:0ms
2021-08-20T16:35:31.830445-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129)
2021-08-20T16:35:31.831242-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129'
2021-08-20T16:35:31.831582-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129)
2021-08-20T16:35:31.832345-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129'
2021-08-20T16:35:31.832655-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Client type: 0 (subtype: 0)
2021-08-20T16:35:31.832664-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com
2021-08-20T16:35:31.832915-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Realm not specified, default goes to remote LDAP, id: 1
2021-08-20T16:35:31.833256-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389
2021-08-20T16:35:31.833265-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com'
2021-08-20T16:35:31.833467-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database
2021-08-20T16:35:31.833878-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB
2021-08-20T16:35:31.834086-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin
2021-08-20T16:35:31.834281-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' is a remote ldap admin
2021-08-20T16:35:31.834619-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389
2021-08-20T16:35:31.834643-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.834656-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Expiring EAP session with state 0x17c49a1e10ea97ee
2021-08-20T16:35:31.834665-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Finished EAP session with state 0x8839eb508f56e650
2021-08-20T16:35:31.834671-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Previous EAP request found for state 0x8839eb508f56e650, released from the list
2021-08-20T16:35:31.835643-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate passed CRL check.
2021-08-20T16:35:31.836123-03:00 PRDFAC-FNT-A radiusd[3903]: fn_eap_tls.c: Verifying remote LDAP user cert binding (user: abtoledo, ldap id: 1)
2021-08-20T16:35:31.837359-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate binding check succeeded. (CN=Anderson Alves Bueno de Toledo, Issuer=/DC=teste/DC=com/CN= Teste Intermediate CA)
2021-08-20T16:35:31.837957-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate passed CRL check.
2021-08-20T16:35:31.838369-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: EAP session adding &reply:State = 0x8839eb508049e650
2021-08-20T16:35:31.838389-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.838399-03:00 PRDFAC-FNT-A radiusd[3903]: (180) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2021-08-20T16:35:31.838404-03:00 PRDFAC-FNT-A radiusd[3903]: (180) TLS-Session-Version = "TLS 1.2"
2021-08-20T16:35:31.838414-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Sent Access-Challenge Id 122 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0
2021-08-20T16:35:31.838423-03:00 PRDFAC-FNT-A radiusd[3903]: (180) EAP-Message = 0x0170003d0d80000000331403030001011603030028edd5c1a035f9ce8c87ea3d2880dfa1d6b7c1d667989a2acdafa4ac1d9ac7fd37a19808510af7a0e7
2021-08-20T16:35:31.838428-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Message-Authenticator = 0x00000000000000000000000000000000
2021-08-20T16:35:31.838432-03:00 PRDFAC-FNT-A radiusd[3903]: (180) State = 0x8839eb508049e650f7b42b22f3ec8a91
2021-08-20T16:35:31.850445-03:00 PRDFAC-FNT-A radiusd[3903]: Waking up in 0.6 seconds.
2021-08-20T16:35:31.850514-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Received Access-Request Id 123 from 10.49.1.129:20124 to 10.45.14.40:1812 length 340
2021-08-20T16:35:31.850522-03:00 PRDFAC-FNT-A radiusd[3903]: (181) User-Name = "ABToledo@teste.com"
2021-08-20T16:35:31.850527-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-IP-Address = 0.0.0.0
2021-08-20T16:35:31.850531-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo"
2021-08-20T16:35:31.850536-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo"
2021-08-20T16:35:31.850541-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Port-Type = Wireless-802.11
2021-08-20T16:35:31.850547-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Service-Type = Framed-User
2021-08-20T16:35:31.850551-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Port = 1
2021-08-20T16:35:31.850554-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Fortinet-SSID = "Qlc-Corporativo"
2021-08-20T16:35:31.850558-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Fortinet-AP-Name = "ap_vila_olimpia_01"
2021-08-20T16:35:31.850562-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Calling-Station-Id = "5C-CD-5B-51-0B-03"
2021-08-20T16:35:31.850581-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC"
2021-08-20T16:35:31.850602-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Acct-Session-Id = "611FE546000000BB"
2021-08-20T16:35:31.850608-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Acct-Multi-Session-Id = "422E105E5406896B"
2021-08-20T16:35:31.850614-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-Pairwise-Cipher = 1027076
2021-08-20T16:35:31.850619-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-Group-Cipher = 1027076
2021-08-20T16:35:31.850624-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-AKM-Suite = 1027073
2021-08-20T16:35:31.850633-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Framed-MTU = 1400
2021-08-20T16:35:31.850638-03:00 PRDFAC-FNT-A radiusd[3903]: (181) EAP-Message = 0x027000060d00
2021-08-20T16:35:31.850642-03:00 PRDFAC-FNT-A radiusd[3903]: (181) State = 0x8839eb508049e650f7b42b22f3ec8a91
2021-08-20T16:35:31.850647-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Message-Authenticator = 0xa38e1ef42b16eaa2543fa1aa5843394d
2021-08-20T16:35:31.850658-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.850706-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>NAS IP:10.49.1.129
2021-08-20T16:35:31.850715-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>Username:ABToledo@teste.com
2021-08-20T16:35:31.850723-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>Timestamp:1629488131.850374, age:0ms
2021-08-20T16:35:31.851133-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129)
2021-08-20T16:35:31.852050-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129'
2021-08-20T16:35:31.852419-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129)
2021-08-20T16:35:31.853156-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129'
2021-08-20T16:35:31.853465-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Client type: 0 (subtype: 0)
2021-08-20T16:35:31.853474-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com
2021-08-20T16:35:31.853722-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Realm not specified, default goes to remote LDAP, id: 1
2021-08-20T16:35:31.854074-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389
2021-08-20T16:35:31.854084-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com'
2021-08-20T16:35:31.854289-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database
2021-08-20T16:35:31.854697-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB
2021-08-20T16:35:31.854907-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin
2021-08-20T16:35:31.855111-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is a remote ldap admin
2021-08-20T16:35:31.855448-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389
2021-08-20T16:35:31.855472-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.855484-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Expiring EAP session with state 0x17c49a1e10ea97ee
2021-08-20T16:35:31.855490-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Finished EAP session with state 0x8839eb508049e650
2021-08-20T16:35:31.855499-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Previous EAP request found for state 0x8839eb508049e650, released from the list
2021-08-20T16:35:31.855627-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
2021-08-20T16:35:31.855650-03:00 PRDFAC-FNT-A radiusd[3903]: (181) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite
Hi, sorry for the late response, but the log seems clear .. auth succeeds within one second.
If I check the State values, then:
First Access-Request 121 (at 2021-08-20T16:35:31.806736) generated Access-Challenge 121.
That was responded by Access-Request 122, but generated another Access-Challenge 122.
Which was responded by Access-Request 123.
And that one was responded with Access-Accept Id 123 (at 2021-08-20T16:35:31.860770).
Summary.
AR 2021-08-20T16:35:31.806736
AA 2021-08-20T16:35:31.860770
diff = 0.054034 sec
I do not see any problem.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
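The check described above (pair each Access-Request Id with the Access-Challenge or Access-Accept sent for it, then subtract the first request's timestamp from the final answer's) can be scripted over the radiusd debug output. The block below is an added example, not FortiAuthenticator code, run over lines taken from the two logs in this thread; the Access-Accept line for Id 123 is not in the quoted log and is constructed from the Id and timestamp given in the reply.

```python
"""Correlate radiusd debug lines into one 802.1X exchange.

Added example, not FortiAuthenticator code: it pairs each Access-Request Id
with the Access-Challenge/Accept/Reject sent for it, times first request to
final answer, and collects eap: WARNING/ERROR lines.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# "<iso timestamp> <host> radiusd[<pid>]: (<request no>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: (?:\(\d+\) )?(?P<msg>.*)$")
PKT_RE = re.compile(r"^(?P<dir>Received|Sent) (?P<code>Access-\w+) Id (?P<id>\d+) ")


def summarize_exchange(log: str) -> Dict[str, object]:
    """Pair requests with responses and time the exchange in one excerpt."""
    responses: Dict[int, Optional[str]] = {}
    order: List[int] = []
    problems: List[str] = []
    first_request: Optional[datetime] = None
    last_response: Optional[datetime] = None
    outcome = "no final response in excerpt"
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m["ts"]), m["msg"]
        if "WARNING:" in msg or "ERROR:" in msg:
            problems.append(msg.partition(": ")[2] or msg)  # drop "eap: " prefix
            continue
        p = PKT_RE.match(msg)
        if not p:
            continue
        rid = int(p["id"])
        if p["dir"] == "Received":
            first_request = first_request or ts
            order.append(rid)
            responses.setdefault(rid, None)
        else:
            responses[rid] = p["code"]
            last_response = ts
            if p["code"] in ("Access-Accept", "Access-Reject"):
                outcome = p["code"]
    duration = None
    if first_request and last_response:
        duration = round((last_response - first_request).total_seconds(), 6)
    return {"ids": order, "responses": [responses[i] for i in order],
            "outcome": outcome, "duration_s": duration, "problems": problems}


# Lines copied from the successful exchange in this thread; the final
# Access-Accept line is constructed from the Id and timestamp cited in the reply.
SUCCESS_LOG = """\
2021-08-20T16:35:31.806736-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Received Access-Request Id 121 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1836
2021-08-20T16:35:31.818075-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Sent Access-Challenge Id 121 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0
2021-08-20T16:35:31.829932-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Received Access-Request Id 122 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1729
2021-08-20T16:35:31.838414-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Sent Access-Challenge Id 122 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0
2021-08-20T16:35:31.850514-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Received Access-Request Id 123 from 10.49.1.129:20124 to 10.45.14.40:1812 length 340
2021-08-20T16:35:31.860770-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Sent Access-Accept Id 123 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0
"""

# Lines from the failing exchange in this thread.  The Received line's own
# timestamp is cut off in the quoted log; the facauth Timestamp field supplies it.
FAILED_LOG = """\
2021-08-18T16:40:26.539363-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Received Access-Request Id 25 from 10.49.2.129:6786 to 10.45.14.40:1812 length 349
2021-08-18T16:40:26.540672-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: WARNING: failed to load authpolicy for authclient 6 with authtype eap-tls
2021-08-18T16:40:26.541597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: ERROR: No mutually acceptable types found
"""
```

On the successful log this yields three round trips and a duration of 0.054034 s, matching the summary above; on the first log it yields one unanswered request with the two eap: problem lines.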
Copyright 2024 Fortinet, Inc. All Rights Reserved.