Results
The authentication flow should start as soon as the wired computer boots (while connected to the domain). The User-Name host/leno.fortiad.net seen in the captures below is the computer account, so this is machine authentication, performed before any user logs on.
- Using tcpdump on the FortiAuthenticator (tcpdump host 10.1.2.27 -nnvvXs), the receipt of the incoming Access-Request from the switch is shown (the captures follow below).
- Continuing with tcpdump, an Access-Challenge is issued from FortiAuthenticator to the switch.
- An Access-Accept message with RADIUS attributes (including the VLAN assignment) is returned to the switch.
- The post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued).
- On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.
Access-Request from the switch (10.1.2.27) to FortiAuthenticator (10.1.2.29):
02:18:48.572998 IP (tos 0x0, ttl 64, id 32483, offset 0, flags [none], proto UDP (17), length 203)
10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 175
Access-Request (1), id: 0x4d, Authenticator: 27e45f0edbfa7026318d583ccf915776
User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961
0x0010: 642e 6e65 74
NAS-Port Attribute (5), length: 6, Value: 71
0x0000: 0000 0047
EAP-Message Attribute (79), length: 28, Value: .
0x0000: 0200 001a 0168 6f73 742f 6c65 6e6f 2e66
0x0010: 6f72 7469 6164 2e6e 6574
Message-Authenticator Attribute (80), length: 18, Value: ...0S2 ....... .M
0x0000: b60f 874f 5332 c9a7 e2f5 d90e 8c20 e64d
Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa00370003dd64
0x0000: 3830 322e 3178 3831 6661 3030 3337 3030
0x0010: 3033 6464 3634
NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0
0x0000: 6765 2d30 2f30 2f31 2e30
Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
0x0000: 3030 2d32 322d 3638 2d31 612d 6631 2d61
0x0010: 30
Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
0x0000: 6138 2d64 302d 6535 2d62 302d 3231 2d38
0x0010: 30
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
Access-Challenge from FortiAuthenticator to the switch:
02:18:48.578465 IP (tos 0x0, ttl 64, id 29725, offset 0, flags [none], proto UDP (17), length 108)
10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x18a3 -> 0x7f96!] RADIUS, length: 80
Access-Challenge (11), id: 0x4d, Authenticator: 8140836b0192a5ef12630d4d049d05e6
EAP-Message Attribute (79), length: 24, Value: ..
0x0000: 0101 0016 0410 bc6b 992d bbfc 141f 3bb1
0x0010: 1908 2978 2030
Message-Authenticator Attribute (80), length: 18, Value: .#...:&%N.z.7...
0x0000: dc23 d299 0f3a 2625 4eed 7a9c 37d9 ef97
State Attribute (24), length: 18, Value: ........ ...m.q.
0x0000: c21b 819c c21a 85b8 20c3 b2b7 6d1a 71d6
The challenge carries an EAP-Request (code 01, id 01) of type 4, MD5-Challenge, together with a State attribute that the switch must echo back in its next Access-Request. The "bad udp cksum" flag is expected when capturing on the sending host: with checksum offload the NIC fills in the checksum after tcpdump has already seen the packet, so it does not indicate a problem.
Access-Accept with RADIUS attributes returned to the switch:
02:18:48.919099 IP (tos 0x0, ttl 64, id 29732, offset 0, flags [none], proto UDP (17), length 236)
10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1923 -> 0xae5a!] RADIUS, length: 208
Access-Accept (2), id: 0x54, Authenticator: 668c7cbb00d96161c278906918ce2291
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 17, Length: 50, Value: .p<.6..A [y)..E)......Y..(..P...Xd@..aB.k.
0x0000: 0000 0137 1134 f270 3cbf 360b 1d41 f5e5
0x0010: c87f e8eb b9e9 955b 7929 0915 4529 fa92
0x0020: 8c02 0fec 59a0 e528 889e 50b9 f506 5864
0x0030: 4018 ff61 429a 6bb8
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 16, Length: 50, Value: ..G......Q...............x.=xA/......i.r..a.%R.^..
0x0000: 0000 0137 1034 ff86 47fc 00f1 99d9 cc51
0x0010: fc1f 1ae2 b9e3 00a7 1ec9 baf4 031d fa78
0x0020: 8d3d 7841 2114 0313 a2e8 9e69 dc72 efed
0x0030: 61b2 2552 995e fbf4
EAP-Message Attribute (79), length: 6, Value: ..
0x0000: 0307 0004
Message-Authenticator Attribute (80), length: 18, Value: .8............30
0x0000: 0438 c613 8719 caa2 eaf0 a106 ffb4 3330
User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961
0x0010: 642e 6e65 74
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
0x0000: 0000 000d
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
0x0000: 0000 0006
Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
0x0000: 656e 6769 6e65 6572 696e 67
The id (0x54) is higher than the challenge's 0x4d because the EAP round trips in between are not shown; the EAP-Message here is 03 07 00 04, an EAP-Success with identifier 7. The two Microsoft vendor attributes are MS-MPPE-Send-Key (17) and MS-MPPE-Recv-Key (16), the keying material encrypted under the RADIUS shared secret. The dynamic VLAN assignment is carried by the last three attributes: Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE 802) and Tunnel-Private-Group-ID "engineering", the VLAN name that the switch resolves to tag 10.
Post-authentication DHCP transaction (tcpdump continued):
02:18:52.384838 IP (tos 0x0, ttl 1, id 32640, offset 0, flags [none], proto UDP (17), length 328)
10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xf79d54fa, Flags [Broadcast] (0x8000)
Your-IP 10.1.2.224
Client-Ethernet-Address 00:22:68:1a:f1:a0
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.1.2.27
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 10.1.2.1
Domain-Name-Server Option 6, length 4: 10.1.2.122
Domain-Name Option 15, length 11: "fortiad.net"
The DHCP ACK from 10.1.2.27 assigns 10.1.2.224 to the same client MAC that appeared as Calling-Station-Id in the Access-Request, which is only possible once the port has been opened and placed in the VLAN.
The debug log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.
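As an added example (not part of this Fortinet page or of FortiAuthenticator), the following Python script does what the switch has to do with the Access-Accept shown above before it moves ge-0/0/1.0 into a VLAN: it rebuilds an Access-Accept carrying the same attributes as the capture (EAP-Success, User-Name, Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID "engineering"), verifies the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579, mandatory whenever an EAP-Message is present), and extracts the VLAN name only from a packet that passes both checks. The shared secret, the Request Authenticator and the forged VLAN name "contractors" are constructed for the example; the MS-MPPE key attributes are omitted.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types that appear in the capture (RFC 2865, RFC 2868, RFC 3579)
ACCESS_ACCEPT = 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SECRET = b"assumed-shared-secret"        # assumption: stand-in for the switch/FortiAuthenticator secret
REQUEST_AUTH = bytes(range(0x10, 0x20))  # assumption: Request Authenticator of the final Access-Request


def attr(atype, value):
    """One RADIUS attribute in TLV form; the length byte covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: tag byte + 3 value bytes (tag 0 = unused, as tcpdump showed)."""
    return bytes([tag]) + value.to_bytes(3, "big")


def parse_attrs(data):
    """Walk the attribute list into (type, value, offset) triples; raise on bad framing."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]], i))
        i += data[i + 1]
    return out


def build_access_accept(ident, request_auth, secret, vlan_name):
    """Server side: the capture's attributes in order, then the two authenticators."""
    attrs = b"".join([
        attr(EAP_MESSAGE, bytes([3, 7, 0, 4])),              # EAP-Success, id 7, length 4
        attr(MESSAGE_AUTHENTICATOR, bytes(16)),              # zero placeholder for the HMAC
        attr(USER_NAME, b"host/leno.fortiad.net"),
        attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, vlan_name.encode()),   # untagged string, as captured
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Message-Authenticator = HMAC-MD5(secret, header | RequestAuth | attrs with the MA zeroed)
    ma = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    off = next(o for t, _, o in parse_attrs(attrs) if t == MESSAGE_AUTHENTICATOR)
    attrs = attrs[:off + 2] + ma + attrs[off + 18:]
    # Response Authenticator = MD5(header | RequestAuth | attrs | secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: accept the packet only if both authenticators check out under the secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + attrs + secret).digest(), resp_auth):
        return False
    try:
        mas = [(v, o) for t, v, o in parse_attrs(attrs) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(mas) != 1 or len(mas[0][0]) != 16:   # mandatory alongside EAP-Message (RFC 3579 3.2)
        return False
    ma, off = mas[0]
    zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
    return hmac.compare_digest(hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest(), ma)


def untag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag; anything higher is already data."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_assignment(packet):
    """The VLAN name, but only when Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is IEEE 802 (6)."""
    fields = {}
    for t, v, _ in parse_attrs(packet[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            fields[t] = int.from_bytes(untag(v), "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            fields[t] = untag(v).decode()
    if fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802:
        return fields.get(TUNNEL_PRIVATE_GROUP_ID)
    return None


if __name__ == "__main__":
    pkt = build_access_accept(0x54, REQUEST_AUTH, SECRET, "engineering")
    print(verify_response(pkt, REQUEST_AUTH, SECRET), vlan_assignment(pkt))
    # constructed on-path forgery: same-length VLAN name keeps the framing intact, but not the authenticators
    forged = pkt.replace(b"engineering", b"contractors", 1)
    print(verify_response(forged, REQUEST_AUTH, SECRET), vlan_assignment(forged))
```

Run directly, the genuine packet verifies and yields "engineering" while the forged copy still parses to "contractors" but fails verification. Both authenticators are MD5-based; the Message-Authenticator HMAC is what ties the VLAN decision to the shared secret, so a NAS that only checks the Response Authenticator, or that tolerates its absence, is the weaker configuration.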
The switch CLI shows a successful dot1x session:
root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface     Role           State          MAC address         User
ge-0/0/1.0    Authenticator  Authenticated  00:22:68:1A:F1:A0   host/leno.fortiad.net
The domain computer's interface (ge-0/0/1.0) is dynamically placed into the correct VLAN:
root# run show vlans
Name Tag Interfaces
default
ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0,
engineering 10
ge-0/0/1.0*, ge-0/0/11.0*
Additionally, the domain computer shows as reachable on the network:
root# run show arp interface vlan.10
MAC Address         Address      Name         Interface   Flags
00:0c:29:5b:90:68   10.1.2.29    10.1.2.29    vlan.10     none
98:b8:e3:a0:c6:1b   10.1.2.220   10.1.2.220   vlan.10     none
b8:78:2e:38:3e:28   10.1.2.222   10.1.2.222   vlan.10     none
00:22:68:1a:f1:a0   10.1.2.224   10.1.2.224   vlan.10     none
54:e4:3a:d5:16:a0   10.1.2.226   10.1.2.226   vlan.10     none
Total entries: 5
{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms
--- 10.1.2.224 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms