rcpdkc
Contributor II

Fortinac Mschap2 Connection

I have SSID authentication on a FortiGate firewall with FortiNAC as the RADIUS server, and I have the following problem. Although MSCHAPv2 is configured in the RADIUS settings, a user in the domain joins the network without any problems, while the user I created as a guest in the FortiNAC interface gets a "Credentials Invalid (MSCHAP2)" error. What is the reason for this?

(screenshots: 1.PNG, 2.PNG)

Sx11
Staff

Hi rcpdkc,

Have you performed the domain join and enabled winbind?

Winbind is needed in order to perform MSCHAPv2 authentication.

Please double-check the steps in the guide and KB below

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/670285/local-winbind-configur...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-MSCHAPv2-authentication-join-FortiNAC-in-do...

 

Regards

sx11
rcpdkc
Contributor II


@Sx11 wrote:

Hi rcpdkc,

Have you performed the domain join and enabled winbind?

Winbind is needed in order to perform MSCHAPv2 authentication.

Please double-check the steps in the guide and KB below

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/670285/local-winbind-configur...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-MSCHAPv2-authentication-join-FortiNAC-in-do...

Regards


In fact, when you set the authentication type to TTLS on Android devices, FortiNAC local users are admitted to the network. However, I could not find how to use TTLS instead of MSCHAP when connecting to a WPA2 network on the iOS side.

ebilcari

Since MSCHAPv2 uses challenges instead of passwords, FNAC uses Winbind to check these challenges against Active Directory. The guest accounts are local accounts in FNAC, and there is no procedure in place to check these challenges for local accounts. It is doable, but because this is not a common use case it is not included in FNAC.

EAP-TTLS will use PAP (password) instead of challenges, and that explains why the authentication succeeds in this case.

Since you are manually creating these guest accounts (more like contractors) and you want to use PEAP, the easiest way is to include these accounts in your AD and limit their privileges.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
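As an added illustration of the point made in the reply above (it is not code from the thread or from Fortinet): a minimal MS-CHAPv2 challenge/response in Go that shows what each side is able to compute. The supplicant starts from the cleartext password; the RADIUS server only ever receives 24 bytes of DES output and has to already hold the NT hash (MD4 of the UTF-16LE password) to recompute and compare them. That is why a server that keeps only a salted one-way hash of a local account's password can verify PAP (as used inside EAP-TTLS, where the password itself arrives) but not MSCHAPv2, and why the reply points at winbind and AD for the hash. The function names are my own, the MD4 helper is included only because Go's standard library has none, and the input values are the worked vectors of RFC 2759 §9.2, embedded inline so the program runs offline. This is the generic protocol computation, not FortiNAC's implementation.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a compact MD4 (RFC 1320): Go's standard library has none, and NtPasswordHash is MD4.
func md4(data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15} // round 2 word order
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15} // round 3 word order
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b&c)|(^b&d)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b,c,d)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[r2[i]]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b^c^d
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is MD4 over the password encoded as UTF-16LE (RFC 2759 §8.3).
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, v := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(v), byte(v>>8))
	}
	return md4(buf)
}

// challengeHash is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8] (§8.2).
func challengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), username...))
	return sum[:8]
}

// challengeResponse DES-encrypts the 8-byte challenge under three keys cut from the NT hash (§8.5).
func challengeResponse(challenge, ntHash []byte) []byte {
	padded := make([]byte, 21) // NT hash zero-padded to 21 bytes = three 7-byte key chunks
	copy(padded, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		k7, k := padded[7*i:7*i+7], make([]byte, 8) // spread 56 key bits over 8 bytes, parity bit as LSB
		k[0], k[7] = k7[0]&0xFE, k7[6]<<1
		for j := 1; j < 7; j++ {
			k[j] = (k7[j-1]<<(8-j) | k7[j]>>j) & 0xFE
		}
		blk, _ := des.NewCipher(k) // 8-byte key, so no error
		blk.Encrypt(out[8*i:], challenge)
	}
	return out
}

func generateNTResponse(authChallenge, peerChallenge []byte, username, password string) []byte { // supplicant side
	return challengeResponse(challengeHash(peerChallenge, authChallenge, username), ntPasswordHash(password))
}

// verifyNTResponse is the server side: it needs the NT hash and never sees the password, so it cannot
// work from a store holding only a salted one-way hash. The hash must come from AD (winbind) or be held locally.
func verifyNTResponse(authChallenge, peerChallenge []byte, username string, ntHash, ntResponse []byte) bool {
	expected := challengeResponse(challengeHash(peerChallenge, authChallenge, username), ntHash)
	return subtle.ConstantTimeCompare(expected, ntResponse) == 1
}

func main() {
	// Constructed input: the worked vectors of RFC 2759 §9.2.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := generateNTResponse(auth, peer, "User", "clientPass")
	fmt.Printf("Challenge %X  NtPasswordHash %X\nNT-Response %X\n", challengeHash(peer, auth, "User"), ntPasswordHash("clientPass"), resp)
	fmt.Println("server holding the NT hash:", verifyNTResponse(auth, peer, "User", ntPasswordHash("clientPass"), resp))
	fmt.Println("server holding another hash:", verifyNTResponse(auth, peer, "User", ntPasswordHash("other"), resp))
}
```

Run it with go run; the Challenge and NtPasswordHash lines should match the values listed in RFC 2759 §9.2. Two caveats are visible directly in the code. First, the NT hash is unsalted and is password-equivalent for MS-CHAPv2, so any server-side store that makes MSCHAPv2 verifiable for local users must hold either the NT hash or the password and needs the same protection as the AD join secret. Second, the third DES key is cut from bytes 14..20 of the zero-padded hash, so it carries only 16 unknown bits; this is the well-known weakness of MS-CHAPv2 on its own, and the reason it is only run inside a TLS tunnel (PEAP or TTLS) in Wi-Fi deployments.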
ebilcari

There have been some recent changes regarding this request, and if you run the latest version of FNAC 9.4 or 7.2, it is now possible.

The feature is disabled by default, but it can be enabled from the CLI by running the following command:

> globaloptiontool -name "localRadiusServer.mschapV2LocalUserAuth" -set true

(In the case of FNAC-F, first run # execute enter)

This will add a control in the Add/Edit user view (under Additional Details) that can be enabled for specific users: "RADIUS - Local Password Validation (MSCHAPv2)"

(screenshot: mschaplocal.PNG)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
AEK
SuperUser

@rcpdkc, I have deployed FNAC several times, but honestly I never thought that any company would use WPA2 Enterprise for guests (probably the companies I know don't have this need).

In fact, those companies usually have one SSID for corporate users with WPA2 Enterprise, and another SSID for guests: WPA2, followed by the FNAC portal, or even not controlled by FNAC at all, since usually they don't want to consume licenses for guests. In fact, by definition, I don't think guests really need WPA2 Enterprise.

However, now that I read your question, I think this may exist and should exist. I'll advise if I find something about that.

AEK
rcpdkc
Contributor II

Actually, what you say is true. It doesn't make sense to consume the licence in this way. Apart from FortiNAC, how do you think I can verify the users? Is there any software or device you can recommend for the user registration and login process?

rcpdkc
Contributor II

How can I assign a guest user to quarantine when they join a Wi-Fi network, and then to the guest VLAN when they authenticate on the FortiNAC portal?

AEK

Regarding guest registration when you don't need to control it with FortiNAC, note that many WLCs already have this feature built in, like FortiGate, Aruba and so on.

Regarding your second question: in case some BYOD device can access the corporate Wi-Fi because its user has AD credentials, you can add an access policy to put such a device in a dead end, because a BYOD host actually has nothing to do in the corporate SSID. I think this makes sense, right?

That's how companies usually do it.

Keep in mind that before deploying a NAC solution you need to sit with the security manager and try to build the access policies with him according to their requirements.

AEK
rcpdkc
Contributor II

So where does it make sense to create guest users? FortiNAC? Windows AD? The FortiGate firewall?
