kumarh
Article Id 307600
Description

This article describes a case where wireless devices are unable to connect to an SSID on FortiGate.

Scope: All FortiGate firmware.
Solution

Topology:

Device (20:16:b9:0f:9f:e2)-------FortiAP------FortiSwitch--------(FortiGate1)<-------s2s tunnel---------->(FortiGate2)

A packet capture on the FortiGate incoming interface shows that the EAPOL exchange does not complete: FortiGate never sends an EAP-Request/Identity to the device:


Picture1.png

 

Run the following wireless debugs on FortiGate:

 

diagnose debug application fnbamd -1
diagnose debug application wpad 0x7fff
diagnose debug console timestamp enable
diagnose debug enable

 

With these debugs enabled, the client's EAPOL frame arrives shortly after the association event, and the debug output shows the following:

 

382: 2024-03-11 13:43:46 98145.736 2024-03-11 13:43:46 HOSTAPD: <0>10.10.9.50:5246<1-0> STA 20:16:b9:0f:9f:e2 CAPWAP: associated
2024-03-11 13:43:46 RSN: Trying to use non-FT AKM suite, but MDIE included
384: 2024-03-11 13:43:46 98145.737 2024-03-11 13:43:46 HOSTAPD: <0>10.10.9.50:5246<1-0> STA 20:16:b9:0f:9f:e2 CAPWAP: WPA/RSN information element rejected? (res 4)
Line 407: 2024-03-11 13:43:46 98145.740 2024-03-11 13:43:46 hostapd_capwap_config_result: del ptk replied for addr 20:16:b9:0f:9f:e2
2024-03-11 13:43:46 79026.869 20:16:b9:0f:9f:e2 <eh> IEEE 802.1X (EAPOL 5B) <== 20:16:b9:0f:9f:e2 ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0
2024-03-11 13:43:46 IEEE 802.1X: 5 bytes from 20:16:b9:0f:9f:e2
2024-03-11 13:43:46 IEEE 802.1X data frame from not associated/Pre-authenticating STA
2024-03-11 13:43:46 RSN: Trying to use non-FT AKM suite, but MDIE included

 

In the packet capture, FT means 'Fast Transfer', and the association request carries a 'Mobility Domain' element (the MDIE), which is the information in the packet that ties in with Fast Transfer. The Wi-Fi client is trying to do something the standard does not allow:

Here is a patch in the open-source hostapd community that contains the exact string seen in the debugs above:
https://lists.infradead.org/pipermail/hostap/2016-November/036706.html

IEEE 802.11-2012 section 12.4.2 states that if an MDE is present in an association request but the RSNE uses a non-FT AKM suite, the access point must reject the association using code 43 ('Invalid AKMP').
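The rule above, as an added example that is not part of this article or of Fortinet's or hostapd's code: it parses the RSNE from a constructed association-request element list, looks for a Mobility Domain element, and returns status code 43 exactly where the access point must reject the client. The sample IE bytes and the MDID value 0x3412 are constructed for illustration.

```python
import struct

EID_RSN, EID_MDE = 48, 54                 # element IDs of RSNE and MDE
STATUS_INVALID_AKMP = 43                  # 802.11 status code 'Invalid AKMP'
# AKM suite types under OUI 00-0F-AC that are FT (802.11r) variants.
FT_AKM_TYPES = {3, 4, 9, 13}

def parse_ies(data: bytes) -> dict:
    """Split a TLV list of information elements into {element_id: body}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def rsne_akm_suites(rsne: bytes) -> list:
    """Return the AKM suite selectors [(OUI, type), ...] listed in an RSNE body."""
    version, = struct.unpack_from('<H', rsne, 0)
    if version != 1:
        raise ValueError("unsupported RSNE version %d" % version)
    pos = 2 + 4                           # skip version and group cipher suite
    pairwise_count, = struct.unpack_from('<H', rsne, pos)
    pos += 2 + 4 * pairwise_count         # skip pairwise cipher suite list
    akm_count, = struct.unpack_from('<H', rsne, pos)
    pos += 2
    suites = []
    for _ in range(akm_count):
        suites.append((rsne[pos:pos + 3], rsne[pos + 3]))
        pos += 4
    return suites

def check_assoc_request(ies_bytes: bytes) -> int:
    """Return the status code the AP should answer with: 0 (success) or 43."""
    ies = parse_ies(ies_bytes)
    if EID_RSN not in ies or EID_MDE not in ies:
        return 0                          # no RSNE/MDE conflict is possible
    uses_ft = any(oui == b'\x00\x0f\xac' and t in FT_AKM_TYPES
                  for oui, t in rsne_akm_suites(ies[EID_RSN]))
    return 0 if uses_ft else STATUS_INVALID_AKMP

# Constructed sample: RSNE with CCMP and AKM 00-0F-AC:1 (802.1X, non-FT) plus an MDE,
# i.e. the combination the debug line 'non-FT AKM suite, but MDIE included' reports.
BAD_CLIENT = bytes.fromhex('3014' '0100' '000fac04' '0100' '000fac04' '0100' '000fac01' '0000'
                           '3603' '1234' '01')
# Same client advertising FT over 802.1X (00-0F-AC:3), so the MDE is legitimate.
FT_CLIENT = BAD_CLIENT.replace(bytes.fromhex('000fac01'), bytes.fromhex('000fac03'))
```

`check_assoc_request(BAD_CLIENT)` returns 43 and `check_assoc_request(FT_CLIENT)` returns 0.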

 

Picture2.png

 

Update the Wi-Fi driver on the end machine. On FortiGate, in the wireless-controller vap configuration, make sure that pmf is set to optional:

 

Picture3.png

 
