Fortinet white logo
Fortinet white logo

Cookbook

Results

Results

  1. In the Odyssey Access Client Manager, select Connect to the network. Once connected, the Status should show as open and authenticated.
  2. The authentication flow should initiate as soon as the supplicant makes a connection request.

  3. Using tcpdump, FortiAuthenticator shows receipt of an incoming authentication request (tcpdump host 10.1.2.27 -nnvvXs):
  4. 02:04:09.790423 IP (tos Ox0, ttl 64, id 9792, offset 0, flags [none], proto UDP (17), length 178)

    10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 150

    Access-Request (1), id: Ox9c, Authenticator: 874c50b16efbb87e593a5851e8361f10

    User-Name Attribute (1), length: 6, Value: kash

    0x0000: 6b61 7368

    NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0

    0x0000: 0000 0000

    NAS-Port Attribute (5), length: 6, Value: 0

    0x0000: 0000 0000

    Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-6B:fortinet

    0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36

    0x0010: 423a 666f 7274 696e 6574

    Calling-Station-Id Attribute (31), length: 19, Value: 00-26-C6-6A-E6-B2

    0x0000: 3030 2d32 362d 4336 2d36 412d 4536 2d42

    0x0010: 32

    Framed-MTU Attribute (12), length: 6, Value: 1400

    0x0000: 0000 0578

    NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11

    0x0000: 0000 0013

    Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b

    0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038

    0x0010: 3032 2e31 3162

  5. Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the FortiWiFi:
  6. 01:09:34.679881 IP (tos Ox0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)

    10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0xl8a3 -> 0xbd921] RADIUS, length: 80

    Access-Challenge (11), id: 0x9c, Authenticator: c67b8d0f8805db68e57e9757deda20d0

    EAP-Message Attribute (79), length: 24, Value: ..

    0x0000: 0101 0016 0410 8b8c ae75 4696 0a47 96fd

    0x0010: 7c26 528a 097e

    Message-Authenticator Attribute (80), length: 18, Value: ..... 1.!.q._.*[.

    0x0000: @ad flfd e931 1321 f571 f85f dl2a Sbd3

    State Attribute (24), length: 18, Value: .!&.. "..9[~....

    0x0000: ad21 2611 ad20 22e2 e539 5b7e 94e2 9a87

    The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi.

  7. Access-Accept message with RADIUS attributes are returned to the FortiWiFi:
  8. 2:04:10.000998 IP (tos Ox0, ttl 64, id 44468, offset 0, flags (none), proto UDP (17), length 208)

    10.1.2.29.1812 > 10.1.2.27.1025: (bad udp cksum 0x1918 0x77e9I) RADIUS, length: 180

    Access-Accept (2), id: Ox7d, Authenticator: 144538f6ifd7f4b12d768e76f05709ae2

    Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)

    Vendor Attribute: 17, Length: 50, Value: ..S.|..W...^.. ..h0p.U..~..{. P..|b7"............s..

    0x0000: 0000 0137 1134 80e3 aefl 65e0 1383 c34e

    0x0010: 413d 4Sbd 350d 39be ac79 04b8 90fa 1551

    0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a

    0x0030: b48f 0ef2 0c08 9cd0

    Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)

    Vendor Attribute: 16, Length: 50, Value: .t._M.,...a...a.JhFz5.....2.;".."...D.y.=..{./..?.

    0x0000: 0000 0137 1034 8883 7a9b bllb 9488 f181

    0x0010: d179 29ba 7538 lleb 8311 3c22 1b62 9176

    0x0020: d0be f763 4617 670c d8ca 8659 7a14 dl2c

    0x0030: 8064 5955 942b ccla

    EAP-Message Attribute (79), length: 6, Value: ..

    0x0000: 0307 0004

    Message-Authenticator Attribute (80), length: 18, Value: .c.b..m.G.ZH.'.6

    0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728

    User-Name Attribute (1), length: 6, Value: kash

    0x0000: 6b61 7368

    Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)

    Vendor Attribute: 1, Length: 6, Value: VLAN10

    0x0000: 0000 3044 0108 564c 414e 3130

  9. On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.
  10. The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

  11. On the FortiWifi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the group is the RADIUS attribute sent from FortiAuthenticator. Any firewall policy using that group will now be enabled for the user.

Results

Results

  1. In the Odyssey Access Client Manager, select Connect to the network. Once connected, the Status should show as open and authenticated.
  2. The authentication flow should initiate as soon as the supplicant makes a connection request.

  3. Using tcpdump, FortiAuthenticator shows receipt of an incoming authentication request (tcpdump host 10.1.2.27 -nnvvXs):
  4. 02:04:09.790423 IP (tos Ox0, ttl 64, id 9792, offset 0, flags [none], proto UDP (17), length 178)

    10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 150

    Access-Request (1), id: Ox9c, Authenticator: 874c50b16efbb87e593a5851e8361f10

    User-Name Attribute (1), length: 6, Value: kash

    0x0000: 6b61 7368

    NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0

    0x0000: 0000 0000

    NAS-Port Attribute (5), length: 6, Value: 0

    0x0000: 0000 0000

    Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-6B:fortinet

    0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36

    0x0010: 423a 666f 7274 696e 6574

    Calling-Station-Id Attribute (31), length: 19, Value: 00-26-C6-6A-E6-B2

    0x0000: 3030 2d32 362d 4336 2d36 412d 4536 2d42

    0x0010: 32

    Framed-MTU Attribute (12), length: 6, Value: 1400

    0x0000: 0000 0578

    NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11

    0x0000: 0000 0013

    Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b

    0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038

    0x0010: 3032 2e31 3162

  5. Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the FortiWiFi:
  6. 01:09:34.679881 IP (tos Ox0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)

    10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0xl8a3 -> 0xbd921] RADIUS, length: 80

    Access-Challenge (11), id: 0x9c, Authenticator: c67b8d0f8805db68e57e9757deda20d0

    EAP-Message Attribute (79), length: 24, Value: ..

    0x0000: 0101 0016 0410 8b8c ae75 4696 0a47 96fd

    0x0010: 7c26 528a 097e

    Message-Authenticator Attribute (80), length: 18, Value: ..... 1.!.q._.*[.

    0x0000: @ad flfd e931 1321 f571 f85f dl2a Sbd3

    State Attribute (24), length: 18, Value: .!&.. "..9[~....

    0x0000: ad21 2611 ad20 22e2 e539 5b7e 94e2 9a87

    The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi.

  7. Access-Accept message with RADIUS attributes are returned to the FortiWiFi:
  8. 2:04:10.000998 IP (tos Ox0, ttl 64, id 44468, offset 0, flags (none), proto UDP (17), length 208)

    10.1.2.29.1812 > 10.1.2.27.1025: (bad udp cksum 0x1918 0x77e9I) RADIUS, length: 180

    Access-Accept (2), id: Ox7d, Authenticator: 144538f6ifd7f4b12d768e76f05709ae2

    Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)

    Vendor Attribute: 17, Length: 50, Value: ..S.|..W...^.. ..h0p.U..~..{. P..|b7"............s..

    0x0000: 0000 0137 1134 80e3 aefl 65e0 1383 c34e

    0x0010: 413d 4Sbd 350d 39be ac79 04b8 90fa 1551

    0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a

    0x0030: b48f 0ef2 0c08 9cd0

    Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)

    Vendor Attribute: 16, Length: 50, Value: .t._M.,...a...a.JhFz5.....2.;".."...D.y.=..{./..?.

    0x0000: 0000 0137 1034 8883 7a9b bllb 9488 f181

    0x0010: d179 29ba 7538 lleb 8311 3c22 1b62 9176

    0x0020: d0be f763 4617 670c d8ca 8659 7a14 dl2c

    0x0030: 8064 5955 942b ccla

    EAP-Message Attribute (79), length: 6, Value: ..

    0x0000: 0307 0004

    Message-Authenticator Attribute (80), length: 18, Value: .c.b..m.G.ZH.'.6

    0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728

    User-Name Attribute (1), length: 6, Value: kash

    0x0000: 6b61 7368

    Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)

    Vendor Attribute: 1, Length: 6, Value: VLAN10

    0x0000: 0000 3044 0108 564c 414e 3130

  9. On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.
  10. The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

  11. On the FortiWifi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the group is the RADIUS attribute sent from FortiAuthenticator. Any firewall policy using that group will now be enabled for the user.