Gianpiero_Mirabella
New Contributor

FortiAP 221C + FortiGATE 500D Radius authentication

Hi,

I have an issue with RADIUS authentication between the 2 devices in subject and a RADIUS server on Windows 2008.

I've configured this on the fortigate:

    config wireless-controller vap
        edit vap1
            set radius-mac-auth enable
            set radius-mac-auth-server 192.168.1.95
    end

And on the Windows side I've configured NPS like this:

And configured usernames as the MAC address in several syntaxes, i.e.:

xxxxxxxxxxxx

XXXXXXXXXXXX

xx-xx-xx-xx-xx-xx

XX-XX-XX-XX-XX

Windows gave me this:

while fortigate gave me this:

Any advice?

 

Thanks

4 REPLIES
VicAndr
New Contributor III

For me your config seems to be fine except this:

    config wireless-controller vap
        edit vap1
            set radius-mac-auth enable
            set radius-mac-auth-server 192.168.1.95
    end

 

You can't use the IP address of the RADIUS server here. Instead you have to use the name you configured for it on the fortigate BEFORE you can actually set it for MAC authentication.

 

To make sure RADIUS authentication works, you may test it with a diag command like this:

 

diag test authserver radius <name of your RADIUS server> mschap2 cc89fd5523b4 cc89fd5523b4

 

cc89fd5523b4 here is the MAC address of a device (example) registered on the RADIUS server.

 

I am in a similar situation: I need to enable MAC-based authentication for WiFi clients through RADIUS. Despite the fact that I set everything "correct" (the diag command shows that authentication works), MAC authentication on the actual WiFi network doesn't work: as soon as I enable MAC authentication, WiFi clients cannot connect.

 

Not sure what exactly is wrong. It might be something to do with the formatting of the User Name and Password for MAC accounts on the RADIUS server, or as simple as yet another bug in FortiOS. I have the same box as yours (FG500D) with FortiOS v5.2.3 on it. What version of firmware do you have on yours? Did you manage to actually find a solution?

 

I opened a support case regarding this issue with Fortinet and will update the post when I get some answers.

wanglei_FTNT

Please also check that the MAC address is configured in the right format and case on your RADIUS server:

 

FWF90D3Z13007476 # diagnose test authserver radius 1 pap 2c-f0-ee-2d-f7-e8 2c-f0-ee-2d-f7-e8

authenticate '2c-f0-ee-2d-f7-e8' against 'pap' failed, assigned_rad_session_id=1220685611 session_timeout=0 secs!

 

FWF90D3Z13007476 # diagnose test authserver radius 1 pap 2C-F0-EE-2D-F7-E8 2C-F0-EE-2D-F7-E8

authenticate '2C-F0-EE-2D-F7-E8' against 'pap' succeeded, server=primary assigned_rad_session_id=1220685614 session_timeout=0 secs!

VicAndr
New Contributor III

wanglei@fortinet.com wrote:

Please also check that the MAC address is configured in the right format and case on your RADIUS server:

 

FWF90D3Z13007476 # diagnose test authserver radius 1 pap 2c-f0-ee-2d-f7-e8 2c-f0-ee-2d-f7-e8

authenticate '2c-f0-ee-2d-f7-e8' against 'pap' failed, assigned_rad_session_id=1220685611 session_timeout=0 secs!

 

FWF90D3Z13007476 # diagnose test authserver radius 1 pap 2C-F0-EE-2D-F7-E8 2C-F0-EE-2D-F7-E8

authenticate '2C-F0-EE-2D-F7-E8' against 'pap' succeeded, server=primary assigned_rad_session_id=1220685614 session_timeout=0 secs!

Perfect!!! This is an essential piece of knowledge which I couldn't find anywhere in Fortinet's documents and/or knowledge articles.

 

Obviously, when you set up an account for MAC authentication on a RADIUS server you have to specify two pieces of information for it: User Name and Password.

 

It is kind of clear that the User Name has to be the MAC address. But the first question is how you would actually format this user name so that it is recognized by a fortigate unit when it verifies the MAC address. Should it be in the form of XXXXXXXXXXXX, or XX:XX:XX:XX:XX:XX or, maybe, XX-XX-XX-XX-XX-XX?

 

When it comes to the password of the account, it becomes even trickier. What should you put as the password there? The MAC address as well (again, in what format)? Or some predetermined word ("fortinet" might be a good candidate for a MAC account's password)? Or, perhaps, leave the password field blank?

 

Wanglei, you've helped to resolve all those struggles - thank you very, very much!

 

For those who are going to read this post while looking for a solution for their MAC-based WiFi authentication with a RADIUS server: when you configure MAC accounts for device authentication on a RADIUS server, make sure to configure User Names and passwords equal to each other and set in the following format:

 

XX-XX-XX-XX-XX-XX

 

...where the letters (from "a" to "f") are capitalized (meaning they should be capitals: A, B, C, D, E, F).
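As an added example (not from the thread, and not Fortinet's code), here is a small Python helper that rewrites a MAC address typed in any of the syntaxes tried above into the upper-case, hyphenated form that wanglei's diagnose output and VicAndr's summary settled on, produces the identical User-Name/Password pair for the NPS account, and audits a list of existing NPS account names to show which ones a FortiGate MAC-auth request would match. The function names (`normalize_mac`, `nps_mac_account`, `audit_nps_usernames`) are my own, and it assumes your FortiOS release sends the same XX-XX-XX-XX-XX-XX form, which you should confirm with `diagnose test authserver radius` as shown in the thread.

```python
import re

# Accepted spellings: xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
# (Cisco style) and a bare 12-hex-digit string, in any case.
_MAC_FORMS = re.compile(
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12}",
    re.IGNORECASE,
)


def normalize_mac(raw: str) -> str:
    """Rewrite a MAC into upper-case XX-XX-XX-XX-XX-XX, the form the thread
    found the FortiGate sends as RADIUS User-Name/User-Password (assumed to
    hold for your FortiOS release; confirm with 'diagnose test authserver').
    Anything that is not a full 48-bit address (e.g. five groups) is rejected.
    """
    candidate = raw.strip()
    if not _MAC_FORMS.fullmatch(candidate):
        raise ValueError(f"not a recognised MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", candidate).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def nps_mac_account(raw: str) -> tuple:
    """(User-Name, Password) pair to create in NPS: identical, per the thread."""
    mac = normalize_mac(raw)
    return mac, mac


def audit_nps_usernames(usernames):
    """Compare existing NPS account names with what the FortiGate will send.
    Returns (name, matches, corrected) per name: the case-sensitive comparison
    that fails for lower case in wanglei's output, and the name to rename to
    (None when the name is not a MAC address at all).
    """
    report = []
    for name in usernames:
        try:
            fixed = normalize_mac(name)
        except ValueError:
            report.append((name, False, None))
            continue
        report.append((name, name == fixed, fixed))
    return report
```

Running `audit_nps_usernames` over the names exported from NPS gives you the rename list before you touch the production SSID, instead of discovering the mismatch one client at a time.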

Lucascat
New Contributor III

I need help configuring the Windows-side NPS.

Where can I find documentation?
