Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
amrit
Staff
Staff

Created on ‎08-28-2023 09:25 PM

Article Id 270837

Technical Tip: FortiGate WSSO SSID Authentication Local Vs Radius

Description This article describes that WSSO SSID users fail to authenticate when using a local group with a Radius server but can authenticate directly with Radius server authentication.
Scope FortiGate v6.x.x and v7.x.x.
Solution

Example:

FortiGate uses authentication protocol Ms-Chap-v2 to connect with the Radius server and EAP is enabled on the NPS server:

 

Radius Server Proto.JPG

 NPS.JPG

 

SSID authentication.JPG

 

on FortiGate CLI:

 

diag debug app fnbamd -1

diag debug en 

 

[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DC-RADIUS' for usergroup 'WiFi' (4)
[342] fnbamd_create_radius_socket-Opened radius socket 12
[342] fnbamd_create_radius_socket-Opened radius socket 13
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-10.10.10.1->10.10.10.1
[1323] __fnbamd_rad_send-Sent radius req to server 'DC-RADIUS': fd=12, IP=10.10.10.1(10.10.10.1:1812) code=1 id=57 len=145 user="smi_domain\noah_quercia" using PAP
[319] radius_server_auth-Timer of rad 'DC-RADIUS' is added
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[491] ldap_start-Didn't find ldap servers
[633] create_auth_session-Total 1 server(s) to try
[1360] fnbamd_auth_handle_radius_result-Timer of rad 'DC-RADIUS' is deleted
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'DC-RADIUS' 10.10.10.1(1) is 1
[216] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 439369947, len=3172
[789] destroy_auth_session-delete session 439369947

 

In the above debugs, Fortigate still uses PAP for the Local Group even when  MS-Chap-v2 is configured on the Radius server settings. Due to this users are unable to authenticate.

 

FortiGate does not force the authentication protocol for SSID authentication. PEAP authentication needs to be enabled on the end devices. If the end user is a Windows PC, it is necessary to enable EAP-MSCHAP-v2 in the wireless network security of the PC.

 

Related article:

Configuring WiFi with WSSO using Windows NPS and user groups
359
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.