Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jmarketesg
New Contributor

FortiAuthenticator as radius for wpa2 enterprise

We setup a FAC about a month ago and we are using it for two factor VPN with mobile foritokens and Fortinet firewalls. We have it setup to authenticate VPN users using LDAP (active directory). I am now trying to use it to authenticate users for a wireless network WPA Enterprise. I have setup a new SSID on our UniFi access points and pointed it to the FAC as the radius server for authentication. I also setup a new radius client on the FAC for the UniFi APs. I am able to authenticate if I setup the radius client for local authentication and use a local user on the FAC. The problem I have is when I try to authenticate to active directory. We are just trying to authenticate the user credentials without any certificates. When configuring the network settings on the client computers they are setup to use PEAP/Mschapv2 for user authentication and not to validate server identity via certificate. I think the mschapv2 might be causing the issue and not sure how to resolve it. I did some testing with NTRadPing and have included results below. I think by default it uses PAP which seems to work but when I choose CHAP it fails also.

 

Connection success

Radius setup for local auth, no EAP types selected, logging in via NTRadPing

Radius setup for local auth, PEAP selected,  logging in via NTRadPing

Radius setup for local auth, PEAP selected,  logging in via wifi client

Radius setup for ldap auth, no EAP types selected,  logging in via NTRadPing

Radius setup for ldap auth, PEAP selected,  logging in via NTRadPing

 

 

Connections fails

Radius setup for ldap auth, any EAP types, and the wifi client

Radius setup for ldap auth, any EAP types, NTRadPing if selecting CHAP

 

Appreciate any help

 

Thanks

1 REPLY 1
jmarketesg
New Contributor

I was able to get some logging from the unifi access pointn as I was testing the authentication. Here is what was returned in the log.

 

Mar 28 15:52:13 WAP281-2-44 daemon.warn hostapd: ath3: STA a0:af:bd:8a:35:c2 IEEE 802.1X: could not extract EAP-Message from RADIUS message Mar 28 15:52:13 WAP281-2-44 daemon.warn hostapd: ath3: STA a0:af:bd:8a:35:c2 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Mar 28 15:52:13 WAP281-2-44 user.info syslog: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ath3: a0:af:bd:8a:35:c2 / 1 Mar 28 15:52:18 WAP281-2-44 daemon.info hostapd: ath3: STA a0:af:bd:8a:35:c2 IEEE 802.11: deauthenticated due to local deauth request

 

Thanks

Labels
Top Kudoed Authors