nmichael
Staff
Article Id 191839
Description
This article explains which EAP type should be enabled on the RADIUS server when tunnel termination is enabled on the FortiGate for PEAP-MSCHAPv2 authentication.

Solution
The purpose of enabling tunnel termination for a WPA2-Enterprise profile with RADIUS authentication on the FortiGate is to provide a temporary workaround for enterprise users when the RADIUS server certificate has expired or when no certificate is available on a newly installed RADIUS server.

This feature can be enabled on the SSID page with the WPA2-Enterprise option by selecting Local and mapping a user group that contains the RADIUS server as a member.

[Screenshot: nmichael_FD40567_tn_FD40567-1.jpg]

Since the outer tunnel is terminated at the FortiGate, MSCHAPv2, not PEAP, should be enabled as the EAP type for the policies on the RADIUS server.

Sample NPS configuration for EAP type in Tunnel Termination

[Screenshot: nmichael_FD40567_tn_FD40567-2.jpg]
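
Because tunnel termination is described above as a temporary solution, it is useful to be able to list the SSIDs that still rely on it. The following Python script is an added example, not part of the original article or Fortinet's own tooling; it scans a configuration backup and assumes the Local option is stored as `set auth usergroup` under `config wireless-controller vap`. The sample configuration and all names in it are constructed.

```python
import shlex

# Constructed FortiOS backup excerpt; all names and addresses are made up.
SAMPLE_CONFIG = '''\
config user radius
    edit "nps01"
        set server "192.0.2.10"
    next
end
config user group
    edit "wifi-radius-users"
        set member "nps01"
    next
end
config wireless-controller vap
    edit "corp"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroups "wifi-radius-users"
    next
end
'''

def parse_section(config, header):
    """Return {entry: {key: [values]}} for the top-level 'config <header>' block."""
    entries, current, depth = {}, None, 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = int(line == f"config {header}")
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry; its lines are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = entries.setdefault(shlex.split(line)[1], {})
        elif depth == 1 and current is not None and line.startswith("set "):
            current[line.split()[1]] = shlex.split(line)[2:]
    return entries

def terminated_ssids(config):
    """VAPs doing enterprise auth via a local user group that has RADIUS members."""
    radius = parse_section(config, "user radius")
    groups = parse_section(config, "user group")
    found = []
    for name, vap in parse_section(config, "wireless-controller vap").items():
        members = {m for g in vap.get("usergroups", [])
                   for m in groups.get(g, {}).get("member", [])}
        if "enterprise" in "".join(vap.get("security", [])) and vap.get("auth") == ["usergroup"]:
            found.append((name, sorted(members & radius.keys())))
    return [f for f in found if f[1]]
```

Each result pairs a VAP name with the RADIUS servers reached through its user groups; these are the servers whose policies need MSCHAPv2 as the EAP type while termination is in place.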
