Support Forum
raphaejaoliveira
New Contributor

Wi-Fi authenticator using certificate

Hi...

 

I am deploying a FAC and we need to configure the clients to authenticate on Wi-Fi using a certificate.

I have read the Fortinet documentation, and in all scenarios the FAC is a CA, but the customer has an internal CA, so I imported the Root CA and intermediate CA certificates into the FAC and created a CSR for the CA to generate a server certificate for the FAC.

Below I am pasting the RADIUS debug logs:

 

(28) Received Access-Request Id 25 from 10.49.2.129:6786 to 10.45.14.40:1812 length 349
2021-08-18T16:40:26.539540-03:00 PRDFAC-FNT-A radiusd[22484]: (28) User-Name = "ipachacuti@qualicorp.com.br"
2021-08-18T16:40:26.539546-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-IP-Address = 0.0.0.0
2021-08-18T16:40:26.539551-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Identifier = "10.49.2.10/5246-Qlc-Corporativo"
2021-08-18T16:40:26.539556-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Called-Station-Id = "D4-76-A0-46-50-D0:Qlc-Corporativo-01"
2021-08-18T16:40:26.539566-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Port-Type = Wireless-802.11
2021-08-18T16:40:26.539572-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Service-Type = Framed-User
2021-08-18T16:40:26.539578-03:00 PRDFAC-FNT-A radiusd[22484]: (28) NAS-Port = 1
2021-08-18T16:40:26.539583-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Fortinet-SSID = "Qlc-Corporativo-01"
2021-08-18T16:40:26.539588-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Fortinet-AP-Name = "ap_plaza_niteroi_01"
2021-08-18T16:40:26.539593-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Calling-Station-Id = "5C-CD-5B-51-49-E7"
2021-08-18T16:40:26.539597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC"
2021-08-18T16:40:26.539602-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Acct-Session-Id = "610D7F800000013E"
2021-08-18T16:40:26.539606-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Acct-Multi-Session-Id = "AD3AA044994A7AC4"
2021-08-18T16:40:26.539611-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-Pairwise-Cipher = 1027076
2021-08-18T16:40:26.539618-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-Group-Cipher = 1027076
2021-08-18T16:40:26.539626-03:00 PRDFAC-FNT-A radiusd[22484]: (28) WLAN-AKM-Suite = 1027073
2021-08-18T16:40:26.539630-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Framed-MTU = 1400
2021-08-18T16:40:26.539635-03:00 PRDFAC-FNT-A radiusd[22484]: (28) EAP-Message = 0x02f90006030d
2021-08-18T16:40:26.539639-03:00 PRDFAC-FNT-A radiusd[22484]: (28) State = 0x9cbc75179c4560e453e0470a6884bbb3
2021-08-18T16:40:26.539643-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Message-Authenticator = 0x480eea390fc3475973781e6cffeefa5e
2021-08-18T16:40:26.539653-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2021-08-18T16:40:26.539695-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>NAS IP:10.49.2.129
2021-08-18T16:40:26.539706-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>Username:ipachacuti@qualicorp.com.br
2021-08-18T16:40:26.539713-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: ===>Timestamp:1629315626.539363, age:0ms
2021-08-18T16:40:26.539722-03:00 PRDFAC-FNT-A radiusd[22484]: Not doing PAP as Auth-Type is already set.
2021-08-18T16:40:26.539730-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-18T16:40:26.539739-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Expiring EAP session with state 0x9cbc75179c4560e4
2021-08-18T16:40:26.539747-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Finished EAP session with state 0x9cbc75179c4560e4
2021-08-18T16:40:26.539753-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Previous EAP request found for state 0x9cbc75179c4560e4, released from the list
2021-08-18T16:40:26.539765-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Found authclient from preloaded authclients list for 10.49.2.129: WIFI_Corp_Plaza_Niteroi (10.49.2.129)
2021-08-18T16:40:26.540672-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: WARNING: failed to load authpolicy for authclient 6 with authtype eap-tls
2021-08-18T16:40:26.541369-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: Found authpolicy 'WIFI_CORP' for client '10.49.2.129'
2021-08-18T16:40:26.541597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: ERROR: No mutually acceptable types found
2021-08-18T16:40:26.541653-03:00 PRDFAC-FNT-A radiusd[22484]: (28) # Executing group from file /usr/etc/raddb/sites-enabled/default
2021-08-18T16:40:26.541712-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: Updated auth log 'ipachacuti@qualicorp.com.br': 802.1x authentication failed
2021-08-18T16:40:27.209211-03:00 PRDFAC-FNT-A radiusd[22484]: Waking up in 0.3 seconds.

 

 

Can you help me :)

 

xsilver_FTNT
Staff

It seems that the matching RADIUS Service / Policy named "WIFI_CORP" is set to anything but EAP-TLS.

Check that first.

 

Once you set RADIUS Service / Policy / "Authentication type" to "Client Certificates (EAP-TLS)", then on the next page, "Identity source", you get the blue hint stating how the match is done and what the client's cert should look like.

 

Understanding the Client Certificates (EAP-TLS) workflow

EAP-TLS verifies the certificate provided by the end-user. A certificate is deemed valid if ALL of the following conditions match the certificate binding settings of one of the configured local or remote users:

  • End-user certificate "Subject" has a "CN" value AND that value matches the "Common name" certificate binding setting of one of the configured local or remote users.
  • End-user certificate "Issuer" matches the "CA" certificate binding setting of that same configured user account.
  • End-user certificate is properly signed.
  • End-user certificate is NOT expired.

For example, if an end-user provides a certificate with the following fields:

  • Subject: CN=Sam, OU=Sales, DC=Company, DC=com
  • Issuer: CN=MyCA, OU=IT, DC=Company, DC=com
  • Properly signed and not expired

This certificate would be deemed valid if matching a configured user account with certificate binding settings:

  • Common name: Sam
  • CA: CN=MyCA, OU=IT, DC=Company, DC=com

     

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

raphaejaoliveira

Hi

I made the changes.

Now the user sometimes connects and other times does not.

When the user does succeed in connecting, the connection takes a long time.

     

    2021-08-20T16:35:31.806736-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Received Access-Request Id 121 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1836 2021-08-20T16:35:31.806743-03:00 PRDFAC-FNT-A radiusd[3903]: (179) User-Name = "ABToledo@teste.com" 2021-08-20T16:35:31.806748-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-IP-Address = 0.0.0.0 2021-08-20T16:35:31.806752-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo" 2021-08-20T16:35:31.806756-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo" 2021-08-20T16:35:31.806760-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Port-Type = Wireless-802.11 2021-08-20T16:35:31.806765-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Service-Type = Framed-User 2021-08-20T16:35:31.806769-03:00 PRDFAC-FNT-A radiusd[3903]: (179) NAS-Port = 1 2021-08-20T16:35:31.806773-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Fortinet-SSID = "Qlc-Corporativo" 2021-08-20T16:35:31.806777-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Fortinet-AP-Name = "ap_vila_olimpia_01" 2021-08-20T16:35:31.806781-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Calling-Station-Id = "5C-CD-5B-51-0B-03" 2021-08-20T16:35:31.806785-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-20T16:35:31.806789-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Acct-Session-Id = "611FE546000000BB" 2021-08-20T16:35:31.806793-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Acct-Multi-Session-Id = "422E105E5406896B" 2021-08-20T16:35:31.806798-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-Pairwise-Cipher = 1027076 2021-08-20T16:35:31.806802-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-Group-Cipher = 1027076 2021-08-20T16:35:31.806807-03:00 PRDFAC-FNT-A radiusd[3903]: (179) WLAN-AKM-Suite = 1027073 2021-08-20T16:35:31.806811-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Framed-MTU = 1400 2021-08-20T16:35:31.806821-03:00 PRDFAC-FNT-A radiusd[3903]: (179) EAP-Message = 
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 2021-08-20T16:35:31.806825-03:00 PRDFAC-FNT-A radiusd[3903]: (179) State = 0x8839eb508e57e650f7b42b22f3ec8a91 2021-08-20T16:35:31.806829-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Message-Authenticator = 0xdcbbf94f3da30ac13dd24526fccf5a00 2021-08-20T16:35:31.806838-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.806876-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.806881-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>Username:ABToledo@teste.com 2021-08-20T16:35:31.806887-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: ===>Timestamp:1629488131.806550, age:0ms 2021-08-20T16:35:31.807301-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.814266-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.814670-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.815443-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.815770-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.815781-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.816041-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.816415-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.816424-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Strip off domain/realm postfix 
'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.816635-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.817094-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.817319-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.817539-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.817972-03:00 PRDFAC-FNT-A radiusd[3903]: (179) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.818003-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.818016-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Expiring EAP session with state 0x17c49a1e10ea97ee 2021-08-20T16:35:31.818023-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Finished EAP session with state 0x8839eb508e57e650 2021-08-20T16:35:31.818032-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: Previous EAP request found for state 0x8839eb508e57e650, released from the list 2021-08-20T16:35:31.818051-03:00 PRDFAC-FNT-A radiusd[3903]: (179) eap: EAP session adding &reply:State = 0x8839eb508f56e650 2021-08-20T16:35:31.818065-03:00 PRDFAC-FNT-A radiusd[3903]: (179) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.818075-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Sent Access-Challenge Id 121 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 2021-08-20T16:35:31.818081-03:00 PRDFAC-FNT-A radiusd[3903]: (179) EAP-Message = 0x016f00060d00 2021-08-20T16:35:31.818087-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Message-Authenticator = 0x00000000000000000000000000000000 2021-08-20T16:35:31.818090-03:00 PRDFAC-FNT-A radiusd[3903]: (179) State = 
0x8839eb508f56e650f7b42b22f3ec8a91 2021-08-20T16:35:31.829878-03:00 PRDFAC-FNT-A radiusd[3903]: Waking up in 0.6 seconds. 2021-08-20T16:35:31.829932-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Received Access-Request Id 122 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1729 2021-08-20T16:35:31.829943-03:00 PRDFAC-FNT-A radiusd[3903]: (180) User-Name = "ABToledo@qteste.com" 2021-08-20T16:35:31.829948-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-IP-Address = 0.0.0.0 2021-08-20T16:35:31.829954-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo" 2021-08-20T16:35:31.829959-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo" 2021-08-20T16:35:31.829966-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Port-Type = Wireless-802.11 2021-08-20T16:35:31.829972-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Service-Type = Framed-User 2021-08-20T16:35:31.829977-03:00 PRDFAC-FNT-A radiusd[3903]: (180) NAS-Port = 1 2021-08-20T16:35:31.829981-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Fortinet-SSID = "Qlc-Corporativo" 2021-08-20T16:35:31.829985-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Fortinet-AP-Name = "ap_vila_olimpia_01" 2021-08-20T16:35:31.829989-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Calling-Station-Id = "5C-CD-5B-51-0B-03" 2021-08-20T16:35:31.829994-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-20T16:35:31.829998-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Acct-Session-Id = "611FE546000000BB" 2021-08-20T16:35:31.830003-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Acct-Multi-Session-Id = "422E105E5406896B" 2021-08-20T16:35:31.830008-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-Pairwise-Cipher = 1027076 2021-08-20T16:35:31.830013-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-Group-Cipher = 1027076 2021-08-20T16:35:31.830018-03:00 PRDFAC-FNT-A radiusd[3903]: (180) WLAN-AKM-Suite = 1027073 2021-08-20T16:35:31.830023-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Framed-MTU = 1400 
2021-08-20T16:35:31.830035-03:00 PRDFAC-FNT-A radiusd[3903]: (180) EAP-Message = 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 2021-08-20T16:35:31.830041-03:00 PRDFAC-FNT-A radiusd[3903]: (180) State = 0x8839eb508f56e650f7b42b22f3ec8a91 2021-08-20T16:35:31.830045-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Message-Authenticator = 0xb54679edc81860423e91605393bd89f4 2021-08-20T16:35:31.830053-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.830094-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.830105-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>Username:ABToledo@teste.com 2021-08-20T16:35:31.830112-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: ===>Timestamp:1629488131.829767, age:0ms 2021-08-20T16:35:31.830445-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.831242-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.831582-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.832345-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.832655-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.832664-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.832915-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.833256-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.833265-03:00 
PRDFAC-FNT-A radiusd[3903]: (180) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.833467-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.833878-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.834086-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.834281-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.834619-03:00 PRDFAC-FNT-A radiusd[3903]: (180) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.834643-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.834656-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Expiring EAP session with state 0x17c49a1e10ea97ee 2021-08-20T16:35:31.834665-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Finished EAP session with state 0x8839eb508f56e650 2021-08-20T16:35:31.834671-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: Previous EAP request found for state 0x8839eb508f56e650, released from the list 2021-08-20T16:35:31.835643-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate passed CRL check. 2021-08-20T16:35:31.836123-03:00 PRDFAC-FNT-A radiusd[3903]: fn_eap_tls.c: Verifying remote LDAP user cert binding (user: abtoledo, ldap id: 1) 2021-08-20T16:35:31.837359-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate binding check succeeded. (CN=Anderson Alves Bueno de Toledo, Issuer=/DC=teste/DC=com/CN= Teste Intermediate CA) 2021-08-20T16:35:31.837957-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate passed CRL check. 
2021-08-20T16:35:31.838369-03:00 PRDFAC-FNT-A radiusd[3903]: (180) eap: EAP session adding &reply:State = 0x8839eb508049e650 2021-08-20T16:35:31.838389-03:00 PRDFAC-FNT-A radiusd[3903]: (180) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.838399-03:00 PRDFAC-FNT-A radiusd[3903]: (180) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" 2021-08-20T16:35:31.838404-03:00 PRDFAC-FNT-A radiusd[3903]: (180) TLS-Session-Version = "TLS 1.2" 2021-08-20T16:35:31.838414-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Sent Access-Challenge Id 122 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 2021-08-20T16:35:31.838423-03:00 PRDFAC-FNT-A radiusd[3903]: (180) EAP-Message = 0x0170003d0d80000000331403030001011603030028edd5c1a035f9ce8c87ea3d2880dfa1d6b7c1d667989a2acdafa4ac1d9ac7fd37a19808510af7a0e7 2021-08-20T16:35:31.838428-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Message-Authenticator = 0x00000000000000000000000000000000 2021-08-20T16:35:31.838432-03:00 PRDFAC-FNT-A radiusd[3903]: (180) State = 0x8839eb508049e650f7b42b22f3ec8a91 2021-08-20T16:35:31.850445-03:00 PRDFAC-FNT-A radiusd[3903]: Waking up in 0.6 seconds. 
2021-08-20T16:35:31.850514-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Received Access-Request Id 123 from 10.49.1.129:20124 to 10.45.14.40:1812 length 340 2021-08-20T16:35:31.850522-03:00 PRDFAC-FNT-A radiusd[3903]: (181) User-Name = "ABToledo@teste.com" 2021-08-20T16:35:31.850527-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-IP-Address = 0.0.0.0 2021-08-20T16:35:31.850531-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Identifier = "10.49.1.10/5246-Qlc-Corporativo" 2021-08-20T16:35:31.850536-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Called-Station-Id = "D4-76-A0-46-9F-48:Qlc-Corporativo" 2021-08-20T16:35:31.850541-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Port-Type = Wireless-802.11 2021-08-20T16:35:31.850547-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Service-Type = Framed-User 2021-08-20T16:35:31.850551-03:00 PRDFAC-FNT-A radiusd[3903]: (181) NAS-Port = 1 2021-08-20T16:35:31.850554-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Fortinet-SSID = "Qlc-Corporativo" 2021-08-20T16:35:31.850558-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Fortinet-AP-Name = "ap_vila_olimpia_01" 2021-08-20T16:35:31.850562-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Calling-Station-Id = "5C-CD-5B-51-0B-03" 2021-08-20T16:35:31.850581-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Connect-Info = "CONNECT 5/5Mbps(Tx/Rx) 11AC" 2021-08-20T16:35:31.850602-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Acct-Session-Id = "611FE546000000BB" 2021-08-20T16:35:31.850608-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Acct-Multi-Session-Id = "422E105E5406896B" 2021-08-20T16:35:31.850614-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-Pairwise-Cipher = 1027076 2021-08-20T16:35:31.850619-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-Group-Cipher = 1027076 2021-08-20T16:35:31.850624-03:00 PRDFAC-FNT-A radiusd[3903]: (181) WLAN-AKM-Suite = 1027073 2021-08-20T16:35:31.850633-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Framed-MTU = 1400 2021-08-20T16:35:31.850638-03:00 PRDFAC-FNT-A radiusd[3903]: (181) EAP-Message = 0x027000060d00 2021-08-20T16:35:31.850642-03:00 
PRDFAC-FNT-A radiusd[3903]: (181) State = 0x8839eb508049e650f7b42b22f3ec8a91 2021-08-20T16:35:31.850647-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Message-Authenticator = 0xa38e1ef42b16eaa2543fa1aa5843394d 2021-08-20T16:35:31.850658-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.850706-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.850715-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>Username:ABToledo@teste.com 2021-08-20T16:35:31.850723-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>Timestamp:1629488131.850374, age:0ms 2021-08-20T16:35:31.851133-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.852050-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.852419-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.853156-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.853465-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.853474-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.853722-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.854074-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.854084-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.854289-03:00 
PRDFAC-FNT-A radiusd[3903]: (181) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.854697-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.854907-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is not found in DB as a remote RADIUS admin 2021-08-20T16:35:31.855111-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.855448-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.855472-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing group from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.855484-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Expiring EAP session with state 0x17c49a1e10ea97ee 2021-08-20T16:35:31.855490-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Finished EAP session with state 0x8839eb508049e650 2021-08-20T16:35:31.855499-03:00 PRDFAC-FNT-A radiusd[3903]: (181) eap: Previous EAP request found for state 0x8839eb508049e650, released from the list 2021-08-20T16:35:31.855627-03:00 PRDFAC-FNT-A radiusd[3903]: (181) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default 2021-08-20T16:35:31.855650-03:00 PRDFAC-FNT-A radiusd[3903]: (181) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite

-> 'ECDHE-RSA-AES256-GCM-SHA384' 2021-08-20T16:35:31.855656-03:00 PRDFAC-FNT-A radiusd[3903]: (181) &reply::TLS-Session-Version += &session-state:TLS-Session-Version
-> 'TLS 1.2' 2021-08-20T16:35:31.855666-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: EAP authentication success - add configured radius attributes to response 2021-08-20T16:35:31.855674-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: ===>NAS IP:10.49.1.129 2021-08-20T16:35:31.855681-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.856424-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.856739-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authclient from preloaded authclients list for 10.49.1.129: WIFI_Corp_Vila_Olimpia (10.49.1.129) 2021-08-20T16:35:31.857448-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Found authpolicy 'WIFI_CORP' for client '10.49.1.129' 2021-08-20T16:35:31.857767-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Client type: 0 (subtype: 0) 2021-08-20T16:35:31.857776-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Input Realm: (null) (default realm id: 3) username: ABToledo@teste.com 2021-08-20T16:35:31.858018-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Realm not specified, default goes to remote LDAP, id: 1 2021-08-20T16:35:31.858346-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.858360-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Strip off domain/realm postfix 'qualicorp.com.br' in username 'ABToledo@teste.com' 2021-08-20T16:35:31.858558-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Remote ldap user 'ABToledo' may be a remote admin, try to load admin config in local database 2021-08-20T16:35:31.858956-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' should be a remote admin, try to load its config from DB 2021-08-20T16:35:31.859161-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is not found in DB as a remote RADIUS 
admin 2021-08-20T16:35:31.859349-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: User 'ABToledo' is a remote ldap admin 2021-08-20T16:35:31.859670-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Loaded remote ldap (regular bind) 10.45.1.18:389 2021-08-20T16:35:31.859953-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Searching for groups for username ABToledo 2021-08-20T16:35:31.860742-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Updated auth log 'ABToledo@teste.com': 802.1x authentication successful 2021-08-20T16:35:31.860770-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Sent Access-Accept Id 123 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 2021-08-20T16:35:31.860780-03:00 PRDFAC-FNT-A radiusd[3903]: (181) MS-MPPE-Recv-Key = 0x4e264c8b981f5ddbfd9ff11526aae8e00897dfabc8a444b90703e959bdf8e576 2021-08-20T16:35:31.860784-03:00 PRDFAC-FNT-A radiusd[3903]: (181) MS-MPPE-Send-Key = 0x1f82d98b8e57f9c27268e1b2fe43e8ef7ecb527604a459c828cb71a98d6a6270 2021-08-20T16:35:31.860789-03:00 PRDFAC-FNT-A radiusd[3903]: (181) EAP-Message = 0x03700004 2021-08-20T16:35:31.860793-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Message-Authenticator = 0x00000000000000000000000000000000 2021-08-20T16:35:31.860799-03:00 PRDFAC-FNT-A radiusd[3903]: (181) User-Name = "ABToledo@teste.com"
xsilver_FTNT

Hi, sorry for the late response, but the log seems to be clear: auth succeeds within one second.

If I check the State values, then:

First Access-Request 121 (at 2021-08-20T16:35:31.806736) generated Access-Challenge 121.

That was responded to by Access-Request 122, but generated another Access-Challenge 122.

Which was responded to by Access-Request 123.

And that one was responded to with Access-Accept Id 123 (at 2021-08-20T16:35:31.860770).

Summary.

AR 2021-08-20T16:35:31.806736

AA 2021-08-20T16:35:31.860770

diff = 0.054034 sec

I do not see any problem.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
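The walk-through above (matching each Access-Challenge to the Access-Request Id it answers, then subtracting the first request time from the Access-Accept time) as an added example, not Fortinet tooling: a Python script that parses a pasted radiusd debug excerpt in the space-joined form seen in this thread, rebuilds the packet timeline, flags Id mismatches, picks up the notable eap/facauth lines, and reports the outcome and elapsed time. The two log excerpts are constructed from lines shown in this thread; the leading timestamp of the failing excerpt is assumed (the paste lost it) and its username is replaced with a placeholder.

```python
# Added example for this thread: reconstruct the RADIUS round-trip timeline from a
# FortiAuthenticator radiusd debug excerpt the way the reply above walks through it
# (Access-Request Id N -> Access-Challenge Id N -> ... -> Access-Accept/Reject) and
# measure request-to-decision time. Not Fortinet tooling; the log excerpts below are
# constructed from lines shown in the thread, with the first failing timestamp assumed.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2}"
# Syslog-style records are space-joined in the paste, so each record ends where the
# next "<timestamp> <host> radiusd[<pid>]:" prefix begins.
RECORD_RE = re.compile(rf"({TS}) (\S+) radiusd\[(\d+)\]: (.*?)(?=\s{TS} \S+ radiusd\[|\Z)", re.S)
EVENT_RE = re.compile(r"^\((\d+)\) (Received Access-Request|Sent Access-Challenge|"
                      r"Sent Access-Accept|Sent Access-Reject) Id (\d+)")
NOTABLE = ("No mutually acceptable types", "failed to load authpolicy",
           "Certificate binding check", "CRL check", "Updated auth log")


@dataclass
class Record:
    ts: datetime
    host: str
    pid: int
    msg: str


def parse_records(text: str) -> List[Record]:
    return [Record(datetime.fromisoformat(ts), host, int(pid), msg.strip())
            for ts, host, pid, msg in RECORD_RE.findall(text)]


def summarize(text: str) -> dict:
    """Timeline of RADIUS packets, Id consistency, outcome and elapsed time."""
    exchanges: List[Tuple[str, int, datetime]] = []
    notes: List[str] = []
    for rec in parse_records(text):
        m = EVENT_RE.match(rec.msg)
        if m:
            exchanges.append((m.group(2), int(m.group(3)), rec.ts))
        if any(key in rec.msg for key in NOTABLE):
            notes.append(rec.msg)
    # Each reply must carry the Id of the Access-Request it answers (RFC 2865).
    mismatches = [(prev[1], cur[1]) for prev, cur in zip(exchanges, exchanges[1:])
                  if prev[0] == "Received Access-Request" and cur[1] != prev[1]]
    requests = [e for e in exchanges if e[0] == "Received Access-Request"]
    finals = [e for e in exchanges if e[0] in ("Sent Access-Accept", "Sent Access-Reject")]
    if finals:
        outcome = "accept" if finals[-1][0] == "Sent Access-Accept" else "reject"
    elif any("authentication failed" in n for n in notes):
        outcome = "failed"  # the auth log says so, but no Access-Reject is in the excerpt
    else:
        outcome = "incomplete"
    duration = (finals[-1][2] - requests[0][2]).total_seconds() if requests and finals else None
    return {"round_trips": len(requests), "id_mismatches": mismatches,
            "outcome": outcome, "duration_s": duration, "notes": notes, "exchanges": exchanges}


OK_LOG = (  # constructed from the successful exchange quoted in this thread
    "2021-08-20T16:35:31.806736-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Received Access-Request Id 121 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1836 "
    "2021-08-20T16:35:31.818075-03:00 PRDFAC-FNT-A radiusd[3903]: (179) Sent Access-Challenge Id 121 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 "
    "2021-08-20T16:35:31.829932-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Received Access-Request Id 122 from 10.49.1.129:20124 to 10.45.14.40:1812 length 1729 "
    "2021-08-20T16:35:31.837359-03:00 PRDFAC-FNT-A radiusd[3903]: rlm_eap_tls: Certificate binding check succeeded. (CN=Anderson Alves Bueno de Toledo, Issuer=/DC=teste/DC=com/CN= Teste Intermediate CA) "
    "2021-08-20T16:35:31.838414-03:00 PRDFAC-FNT-A radiusd[3903]: (180) Sent Access-Challenge Id 122 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0 "
    "2021-08-20T16:35:31.850514-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Received Access-Request Id 123 from 10.49.1.129:20124 to 10.45.14.40:1812 length 340 "
    "2021-08-20T16:35:31.860742-03:00 PRDFAC-FNT-A radiusd[3903]: (181) facauth: Updated auth log 'ABToledo@teste.com': 802.1x authentication successful "
    "2021-08-20T16:35:31.860770-03:00 PRDFAC-FNT-A radiusd[3903]: (181) Sent Access-Accept Id 123 from 10.45.14.40:1812 to 10.49.1.129:20124 length 0"
)
FAIL_LOG = (  # constructed from the first post; first timestamp assumed, user replaced
    "2021-08-18T16:40:26.539530-03:00 PRDFAC-FNT-A radiusd[22484]: (28) Received Access-Request Id 25 from 10.49.2.129:6786 to 10.45.14.40:1812 length 349 "
    "2021-08-18T16:40:26.540672-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: WARNING: failed to load authpolicy for authclient 6 with authtype eap-tls "
    "2021-08-18T16:40:26.541597-03:00 PRDFAC-FNT-A radiusd[22484]: (28) eap: ERROR: No mutually acceptable types found "
    "2021-08-18T16:40:26.541712-03:00 PRDFAC-FNT-A radiusd[22484]: (28) facauth: Updated auth log 'user1@example.com': 802.1x authentication failed"
)

if __name__ == "__main__":
    for label, text in (("success", OK_LOG), ("failure", FAIL_LOG)):
        s = summarize(text)
        print(label, s["outcome"], s["round_trips"], "round trips", s["duration_s"], "s")
        for note in s["notes"]:
            print("   ", note)
```

For the successful excerpt the script reports three round trips, no Id mismatches and 0.054034 s from the first Access-Request to the Access-Accept, which is the figure in the reply above; for the excerpt from the first post it reports a single round trip with no Access-Accept or Access-Reject and surfaces the "No mutually acceptable types found" line, so a slow association seen by the user is not spent inside the RADIUS exchange and has to be looked for on the client or controller side.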
