alladas
New Contributor

Radius Authentication - unwanted machine authentication

We use FortiAuthenticator as a RADIUS server for our wireless authentication. I did give the realm and the query elements under Remote auth. servers -> LDAP as user authentication attributes. For some reason, the authenticator is also checking for machine authentication and getting failed. These machine authentication logs are being piled up, increasing the memory usage to over 95%, which is slowing down the authenticator performance.


We had to reboot the authenticator a couple of times in a 2-week span just because of the over-utilization of memory. Can someone help me figure out the issue and not allow the authenticator to try checking for machine authentication?


1 Solution
Carl_Windsor_FTNT

Handy hint when it comes to sniffing RADIUS. You can put your shared secret into Wireshark and it will use this to decode the packets:

Dr. Carl Windsor Field Chief Technology Officer Fortinet

xsilver_FTNT
Staff

Hi,

It seems to me that you might be doing 802.1X EAP authentication and the client's (workstation) supplicant sends machine auth info (AFAIK Windows does this by default).

Those auth requests are probably sent through the chosen realm to an outer auth server like AD/DC, probably via another RADIUS or LDAP.

Those requests probably get stalled and unanswered by that 3rd-party server, causing FortiAuthenticator (FAC) to wait for a response for too long and keep auth sessions open, stacking them up.


Check the packet capture and logs on FAC to confirm your setup and behavior.

If the above is the case, I would suggest doing the following on FAC:

---

(If remote realm is another RADIUS)

- check FAC > GUI > Authentication > General > User Account Policies > "Discard stale RADIUS authentication requests"


(if remote realm is LDAP)

- the default is 60, which is way too long (changed in newer FAC), so set it to some 5-10 sec via FAC > GUI > Authentication > Remote Auth. Servers > General > "LDAP Server Response Timeout:"

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

alladas

Thank you for your response. The issue is that FAC should not try to authenticate the machine authentication in any way. As per your suggestion, the response time only reduces the time period for open authentication sessions but does not get rid of the issue.

Correct me if I'm wrong.

xsilver_FTNT

If you do 802.1X auth, then it is most probably the workstation that is telling FAC, "Hey, my machine is XYZ and I'd like to authenticate as such.", and FAC is just passing that auth info to the back-end DC/LDAP. For that you probably have "Windows Active Directory Domain Authentication" in the LDAP config.

That seems to me the most probable origin of the machine auth done/tried.

But sniff the traffic of RADIUS Access-Request packets to see on your own.


Second, timers, yes, they do not prevent machine authentication at all.

But if your NPS/DC/LDAP is set to ignore those requests instead of rejecting them clearly, then FAC has no way to tell if auth is going to pass or fail. So FAC is forced to wait.

By timers you just reduce the amount of 'patience' FAC will have with LDAP while waiting for a response. As a result FAC will terminate the queries and auth attempts sooner, preventing the requests from stockpiling too much.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
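Two suggestions in this thread point the same way: Tomas says to sniff the RADIUS Access-Request packets and see for yourself which identity the supplicant is presenting, and Carl's accepted answer notes that Wireshark will decode the packets once it has the shared secret. The example below is an added illustration, not code from the thread or from Fortinet, of what that decoding involves: it parses a RADIUS Access-Request, uses the shared secret to unhide the User-Password attribute (RFC 2865 section 5.2) and to verify the Message-Authenticator (HMAC-MD5, RFC 2869), and classifies the User-Name as a machine identity when it carries the `host/` prefix that Windows computer accounts use. The packet, the secret `testing123` and the hostname `WS01.corp.example` are constructed sample values; the "code" names and helper names are mine.

```python
import hashlib
import hmac
import struct

# Constructed lab values, not taken from the thread.
SHARED_SECRET = b"testing123"

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              31: "Calling-Station-Id", 79: "EAP-Message", 80: "Message-Authenticator"}
TEXT_ATTRS = {1, 2, 31}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous block). Used only to build the sample."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what a sniffer does with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, attrs):
    """Code 1 = Access-Request; attrs is a list of (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def add_message_authenticator(packet, secret):
    """Append attribute 80 = HMAC-MD5(secret, packet with the attribute value zeroed)."""
    body = packet[20:] + struct.pack("!BB", 80, 18) + b"\x00" * 16
    zeroed = struct.pack("!BBH", packet[0], packet[1], 20 + len(body)) + packet[4:20] + body
    return zeroed[:-16] + hmac.new(secret, zeroed, hashlib.md5).digest()


def parse_radius(packet):
    """Split header and attribute list, rejecting length inconsistencies."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet, secret):
    """True when attribute 80 matches the HMAC computed with this secret (a wrong secret fails here)."""
    pos = 20
    for t, v in parse_radius(packet)["attrs"]:
        if t == 80 and len(v) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += len(v) + 2
    return False


def is_machine_auth(user_name):
    """Windows computer accounts authenticate as host/<fqdn>; user accounts do not carry the prefix."""
    return user_name.startswith("host/")


def analyse(packet, secret):
    """Decode an Access-Request the way a sniffer with the shared secret would, and classify it."""
    p = parse_radius(packet)
    fields = {}
    for t, v in p["attrs"]:
        if t == 2:
            v = unhide_password(v, secret, p["authenticator"])
        fields[ATTR_NAMES.get(t, "Attr-%d" % t)] = v.decode("utf-8", "replace") if t in TEXT_ATTRS else v.hex()
    name = fields.get("User-Name", "")
    return {"code": p["code"], "user_name": name, "machine_auth": is_machine_auth(name),
            "user_password": fields.get("User-Password"),
            "message_authenticator_valid": verify_message_authenticator(packet, secret)}


# Constructed sample: a machine-auth Access-Request as a Windows supplicant would present it.
_AUTH = bytes(range(16))  # request authenticator; real ones are random
SAMPLE_PACKET = add_message_authenticator(build_access_request(7, _AUTH, [
    (1, b"host/WS01.corp.example"),
    (2, hide_password(b"machinepw", SHARED_SECRET, _AUTH)),
    (4, bytes([10, 0, 0, 5])),
    (31, b"AA-BB-CC-DD-EE-FF"),
]), SHARED_SECRET)

if __name__ == "__main__":
    print(analyse(SAMPLE_PACKET, SHARED_SECRET))
```

Run against a capture, the `machine_auth` flag tells you whether the request that FAC is forwarding to the LDAP realm is the workstation's computer account rather than a user; that is the check the thread recommends before touching timers. In Wireshark the equivalent is the RADIUS protocol preference "Shared Secret": without it User-Password shows as opaque bytes and Message-Authenticator cannot be validated, which is exactly what Carl's hint addresses.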

