FortiOS 6.0.1 Radius Wifi authentication

Author
JaapHoetmer
2018/11/01 03:00:21

Hi all,
 
One of our customers has a FortiGate 100D running FortiOS 6.0.1, as well as several FortiAP antennas. We are experiencing problems with WPA2-Enterprise authentication using Radius on a Windows server (2008 R2).
 
This has worked before, so we suspect the issue was introduced with a recent upgrade to FortiOS 6.0.1.
 
The authentication used is MSCHAPv2.
 
No mobile device can connect to the SSID protected with WPA2-Enterprise. On a Windows 10 machine the wireless connection attempt, after providing username and password, simply says 'Unable to connect to this network'.
 
The Windows Event Viewer shows a security audit failure, stating that a request was attempted using PEAP, and the request is stopped at the connection request policy because the server doesn't understand it (The message received was unexpected or badly formatted):
 
Authentication Details:
    Connection Request Policy Name:    rsso-wifi
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        FCDCS01.FC2.local
    Authentication Type:        PEAP
    EAP Type:            -
    Account Session Identifier:        35424144433941352D3030303232374636
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            266
    Reason:                The message received was unexpected or badly formatted.


 
Now when I try to execute a diag test authserver radius <servername> mschap2 <username> <password> from the firewall, the request is successful, and the event viewer shows a correct message granting access. The authentication type is correctly shown as MSCHAPv2:
 
Authentication Details:
 Connection Request Policy Name: rsso-wifi
 Network Policy Name: Connections to other access servers
 Authentication Provider: Windows
 Authentication Server: FCDCS01.FC2.local
 Authentication Type: MS-CHAPv2
 EAP Type: -
 Account Session Identifier: 3462623464343239

Quarantine Information:
 Result: Full Access
 Extended-Result: -
 Session Identifier: -
 Help URL: -
 System Health Validator Result(s): -


I suspect the FortiGate is not sending requests received from the mobile devices to the Radius server correctly. We couldn't find this particular problem in the release notes of versions 6.0.2 and 6.0.3, so we are not sure an upgrade would resolve this issue.
 
Does anybody have any further information or suggestion?
 
Thanks, much appreciated.
Jaap

Kind regards,

Jaap
#1
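
Added example, not part of the original post: a short Python script that parses the two NPS "Authentication Details" blocks quoted above and lists the fields that differ. It shows that the successful firewall test was logged with Authentication Type MS-CHAPv2 while the failing Wi-Fi attempt was logged as PEAP, and it decodes the Account Session Identifier values. The function names are hypothetical and the sample text is copied from the post, trimmed to the fields compared.

```python
import re

# Constructed sample: the two events quoted in the post, trimmed to key fields.
FAILED_WIFI = """\
Authentication Details:
    Connection Request Policy Name:    rsso-wifi
    Network Policy Name:        -
    Authentication Type:        PEAP
    Account Session Identifier:        35424144433941352D3030303232374636
    Reason Code:            266
    Reason:                The message received was unexpected or badly formatted.
"""
DIAG_TEST = """\
Authentication Details:
 Connection Request Policy Name: rsso-wifi
 Network Policy Name: Connections to other access servers
 Authentication Type: MS-CHAPv2
 Account Session Identifier: 3462623464343239
"""

def parse_event(text):
    """Return {field: value} for each indented 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_session_id(hex_id):
    """In both quoted events the identifier is hex-encoded ASCII."""
    return bytes.fromhex(hex_id).decode("ascii")

def diff_events(a, b):
    """Return {field: (value_in_a, value_in_b)} where the two events differ."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    wifi, diag = parse_event(FAILED_WIFI), parse_event(DIAG_TEST)
    for field, (w, d) in diff_events(wifi, diag).items():
        print(f"{field}: wifi={w!r} diag={d!r}")
    for ev in (wifi, diag):
        print(decode_session_id(ev["Account Session Identifier"]))
```

Both events match the same connection request policy (rsso-wifi), so that field does not appear in the diff; Authentication Type, Network Policy Name and the reason fields do.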

    mfawaz
    Re: FortiOS 6.0.1 Radius Wifi authentication 2019/07/24 13:01:11
    Hello,
     
    Did you ever figure out a solution to this issue?
     
    Thank you,
     
    Mike
    #2