Results
The authentication flow should initiate as soon as the domain-joined computer starts up and associates to the SSID.

- Using tcpdump on the FortiAuthenticator (tcpdump host 10.1.2.27 -nnvvXs), the incoming Access-Request from the FortiWiFi is visible. The User-Name is the machine account (host/leno.fortiad.net), which is what distinguishes machine authentication from a user logon. The listing is cut short: the remaining 46 bytes of the 184-byte packet, the EAP-Message and Message-Authenticator attributes, are not shown.
- Continuing with tcpdump, an Access-Challenge is issued from FortiAuthenticator to the FortiWiFi, followed by the rest of the EAP exchange. The "bad udp cksum" flag on packets sent by FortiAuthenticator itself is a checksum-offload artifact of capturing on the sending host, not a RADIUS error.
- An Access-Accept with RADIUS attributes is returned to the FortiWiFi. It carries EAP Success, the MS-MPPE-Send-Key and MS-MPPE-Recv-Key vendor attributes (encrypted under the shared secret) and the Fortinet-Group-Name attribute with the value VLAN10.
- The post-authentication DHCP transaction is also picked up by FortiAuthenticator (tcpdump continued).
- On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.
- On the FortiWiFi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the Group shown is the Fortinet-Group-Name RADIUS attribute sent by FortiAuthenticator (VLAN10 here). Any firewall policy whose user group matches that RADIUS group now applies to the client.

The tcpdump output for the capture steps follows, in order.
01:09:34.674298 IP (tos 0x0, ttl 64, id 40954, offset 0, flags [none], proto UDP (17), length 212)
10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 184
Access-Request (1), id: 0x76, Authenticator: 4b859401ddb6c0fb95261e99fc8ef66a
User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961
0x0010: 642e 6e65 74
NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0
0x0000: 0000 0000
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000
Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-68:fortinet
0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36
0x0010: 423a 666f 7274 696e 6574
Calling-Station-Id Attribute (31), length: 19, Value: 6C-88-14-C6-3D-58
0x0000: 3643 2d38 382d 3134 2d43 362d 3344 2d35
0x0010: 38
Framed-MTU Attribute (12), length: 6, Value: 1400
0x0000: 0000 0578
NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x0000: 0000 0013
Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b
0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038
0x0010: 3032 2e31 3162
01:09:34.679881 IP (tos 0x0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)
10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x18a3 -> 0xbe6a!] RADIUS, length: 80
Access-Challenge (11), id: 0x76, Authenticator: a4c016a41e6a0f46c17da49ff813bd6e
EAP-Message Attribute (79), length: 24, Value: ..
0x0000: 0101 0016 0410 f23e 13dd 795e 18fa 5dd5
0x0010: 3e83 cb34 a99c
Message-Authenticator Attribute (80), length: 18, Value:
0x0000: eac9 2509 cbec 6895 804a deac 5de7 d6f8
State Attribute (24), length: 18, Value: *...*.......
0x0000: 2af7 1bfd 2af6 1fb9 8db9 f1f8 20ad 9cd4
The next 14 messages are the Access-Request/Access-Challenge pairs that carry the EAP exchange between the supplicant and FortiAuthenticator, relayed by the FortiWiFi. The first Challenge above proposes EAP-MD5 (EAP type 4, 16-byte challenge); the MS-MPPE keys in the final Access-Accept indicate that a TLS-based method was negotiated instead.
01:09:36.517763 IP (tos 0x0, ttl 64, id 58903, offset 0, flags [none], proto UDP (17), length 225)
10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x1918 -> 0x1f60!] RADIUS, length: 197
Access-Accept (2), id: 0x7d, Authenticator: 989626b68773ac50c060d8306287984a
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 17, Length: 50, Value: ?...e....NA=E.5.9..y........Q ^R=i..!j .........
0x0000: 0000 0137 1134 80e3 aef1 65e0 1383 c34e
0x0010: 413d 45bd 350d 39be ac79 04b8 90fa 1551
0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a
0x0030: b48f 0ef2 0c08 9cd0
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 16, Length: 50, Value: z
0x0000: 0000 0137 1034 8883 7a9b b11b 9488 f181
0x0010: d179 29ba 7538 11eb 8311 3c22 1b62 9176
0x0020: d0be f763 4617 670c d8ca 8659 7a14 d12c
0x0030: 8064 5955 942b cc1a
EAP-Message Attribute (79), length: 6, Value: ..
0x0000: 0307 0004
Message-Authenticator Attribute (80), length: 18, Value: ....>k....? ...(
0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728
User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961
0x0010: 642e 6e65 74
Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)
Vendor Attribute: 1, Length: 6, Value: VLAN10
0x0000: 0000 3044 0108 564c 414e 3130
01:09:39.765661 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [none], proto UDP (17), length 300)
10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 272, hops 2, xid 0x5a6b3f9e, Flags [none] (0x0000)
Client-IP 10.1.2.9
Gateway-IP 10.1.2.27
Client-Ethernet-Address 6c:88:14:c6:3d:58
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.1.2.1
Default-Gateway Option 3, length 4: 10.1.2.1
Domain-Name-Server Option 6, length 8: 212.159.6.9,212.159.6.10
Time-Zone Option 2, length 4: 3600
The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.