FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 299922
Description

 

This article describes how to join FortiNAC to the Active Directory domain using a Kerberos keytab file. Authentications that include MSCHAPv2 require the Winbind tool to be configured and FortiNAC to be joined to the domain; otherwise they fail.

 

Scope

 

FortiNAC-F, Windows Server Active Directory.

 

Solution

 

Later versions of FortiNAC can join the domain using a Kerberos keytab file for authentication, instead of requiring the domain admin account password to be entered during the Winbind configuration. The keytab contains the long-term Kerberos key of the account used for the join, so it is a credential in its own right and must be stored and transferred with the same care as the password it replaces.

 

A domain administrator generates the keytab in a PowerShell console on a Windows AD domain controller (ktpass ships with Windows Server) with the following command:

 

> ktpass -out <file name> -princ <account> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapuser <account> -pass <password>

 

For example:

 

PS C:\Users\Administrator> ktpass -out gimiw.keytab -princ gimi@EB.EU -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapuser gimi@EB.EU -pass gimispass

Targeting domain controller: DC01.eb.eu
Failed to set property 'servicePrincipalName' to 'gimi' on Dn 'CN=gimi,OU=Usr,DC=eb,DC=eu': 0x13.
WARNING: Unable to set SPN mapping data.
If gimi already has an SPN mapping installed for gimi, this is no cause for concern.
Password successfully set!
Key created.
Output keytab to gimiw.keytab:
Keytab version: 0x502
keysize 60 gimi@EB.EU ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x12 (AES256-SHA1) keylength 32 (0x9c68116c0df52b5a8a8dde0dd0f6366a39fbc9f0c7f092af5c198a756f951d32)

 

Note:

The realm in the -princ parameter (EB.EU in the example) must be in capital letters: Kerberos realm names are case-sensitive, and a lower-case realm produces a keytab that does not match the domain. ktpass also sets the account password to the -pass value ('Password successfully set!' in the output) and increments the key version number (vno 7 above); if the account password is changed again in AD afterwards, the keytab no longer matches and must be regenerated. Use '-pass *' to be prompted for the password instead of leaving it in the console history. The 'Unable to set SPN mapping data' warning is expected here because the mapped name 'gimi' is a plain user principal rather than a service/host SPN; as ktpass itself says, it is no cause for concern. More information is available in the Microsoft page: ktpass.

 

A small file (66 bytes in this example) is written to the directory where the command is executed. Transfer it securely to the workstation from which the FortiNAC GUI is used; it is imported in the Winbind configuration.

 

In the FortiNAC RADIUS configuration page, create a new Winbind instance:

 

[Screenshot: new.png]

Insert configuration details and import the Keytab file:

 

[Screenshot: keytab-gui.PNG]

 

Enable the service and check its status:

 

[Screenshot: enable service.png]

 

The imported keytab is stored with the Samba configuration on the appliance. Note the permissions: the file is readable by every local account, so anyone with shell access to the appliance can read the join account's key:

 

fnacf:~$ ll /etc/samba/
total 9
1 -rw-r--r-- 1 root root 20 Mar 9 2018 lmhosts
4 -rw-rw-r-- 1 root nac 128 Feb 18 12:25 smb.conf
4 -rw-rw-r-- 1 root nac 66 Feb 18 12:25 krb5.keytab

 

The entries in the file can be listed with klist. The 1970 timestamp is expected, since ktpass does not record a creation time in the keytab:

 

fnacf:~$ klist -kte /etc/samba/krb5.keytab
Keytab name: FILE:/etc/samba/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
7 01/01/70 01:00:00 gimi@EB.EU (aes256-cts-hmac-sha1-96)
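As an added example (not FortiNAC's or Microsoft's code), the Python below builds, parses and checks a keytab in the version 0x502 format that ktpass writes and klist -kte reads. It reproduces the layout of the 66-byte file listed above (2-byte version, 4-byte entry size, then the counted realm and name components, name type, timestamp, 8-bit vno and keyblock), and its check_keytab function flags the two mistakes the ktpass step is prone to, a lower-case realm and a non-AES key, before the file is uploaded to the GUI. The principal gimi@EB.EU, vno 7 and etype 0x12 are taken from the article; the 32-byte key is a constructed dummy.

```python
"""Build, parse and sanity-check a Kerberos keytab in the version 0x502 (MIT)
format that ktpass writes and 'klist -kte' reads.  Added example for this
article, not FortiNAC or Microsoft code; the key used below is a dummy."""
import struct

ETYPE_NAMES = {                     # etype numbers and the names klist prints
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",  # ktpass -crypto AES256-SHA1, etype 0x12
    23: "arcfour-hmac",             # RC4 (ktpass -crypto RC4-HMAC-NT)
}
KRB5_NT_PRINCIPAL = 1               # ktpass -ptype KRB5_NT_PRINCIPAL


def build_keytab(components, realm, kvno, etype, key, vno32=False):
    """One-entry keytab.  Timestamp is 0 because ktpass records none (hence
    01/01/70 in klist); vno32=True appends the optional 32-bit key version."""
    body = struct.pack(">H", len(components))               # component count
    body += struct.pack(">H", len(realm)) + realm.encode()  # counted realm
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()      # counted components
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)            # name type
    body += struct.pack(">I", 0)                            # timestamp
    body += struct.pack(">B", kvno & 0xFF)                  # 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key       # keyblock
    if vno32:
        body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


class _Reader:
    """Cursor over the bytes of one keytab entry."""
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def num(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def counted(self):              # uint16 length, then that many bytes
        n = self.num(">H")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def parse_keytab(data):
    """Return live entries as dicts; negative-size slots are deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # skip a deleted slot
            pos -= size
            continue
        r = _Reader(data, pos)
        ncomp = r.num(">H")
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        r.num(">I")                                   # name type
        r.num(">I")                                   # timestamp
        kvno = r.num(">B")
        etype = r.num(">H")
        key = r.counted()                             # keylen + key bytes
        if pos + size - r.pos >= 4:                   # optional 32-bit vno
            kvno = r.num(">I") or kvno                # non-zero value overrides
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "key": key,
                        "etype_name": ETYPE_NAMES.get(etype, f"etype {etype}")})
        pos += size
    return entries


def check_keytab(entries, expected_realm=None):
    """List the problems that would make the FortiNAC join fail or weaken it."""
    problems = []
    if not entries:
        problems.append("keytab contains no entries")
    for e in entries:
        realm = e["principal"].rsplit("@", 1)[1]
        if realm != realm.upper():
            problems.append(f"{e['principal']}: realm must be upper case in ktpass -princ")
        if expected_realm and realm != expected_realm.upper():
            problems.append(f"{e['principal']}: realm is not {expected_realm.upper()}")
        if e["etype"] not in (17, 18):
            problems.append(f"{e['principal']}: {e['etype_name']} is not AES; use -crypto AES256-SHA1")
    return problems


def klist_lines(entries):
    """Render entries the way 'klist -kte' does: KVNO, principal, etype."""
    return [f"{e['kvno']:>4} {e['principal']} ({e['etype_name']})" for e in entries]


if __name__ == "__main__":
    # Constructed twin of the article's gimiw.keytab (dummy key): 66 bytes.
    kt = build_keytab(["gimi"], "EB.EU", 7, 18, b"\x11" * 32)
    print(len(kt), "bytes", klist_lines(parse_keytab(kt)))
    print(check_keytab(parse_keytab(kt), expected_realm="eb.eu") or "keytab OK")
```

To inspect a real file, call parse_keytab(open("gimiw.keytab", "rb").read()) on a copy of it; the returned dicts carry the raw key, so do not log or paste them.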

 

RADIUS log of a successful MSCHAPv2 authentication (shown in the Service Log after setting the Service Log level to Low). The 'No NT-Domain was found in the User-Name' line is logged because the user name is in UPN form (beni@eb.eu) rather than DOMAIN\user; the request is still authenticated through Winbind, as the Login OK and Access-Accept lines show:

 

(1) Received Access-Request Id 3 from 10.1.2.1:21528 to 10.1.2.50:1812 length 174
(1)   NAS-Identifier = "FW"
(1)   User-Name = "beni@eb.eu"
(1)   MS-CHAP2-Response = 0xb8003797cd4108f8ce086b2aca2af3b600770000000000000000543684008df7d29d2c84d873a4d230581a74614383c98c00
(1)   MS-CHAP-Challenge = 0xd507d0b4676b3139b33ed93eb6d4637b
(1)   Framed-IP-Address = 0.0.0.0
(1)   NAS-IP-Address = 10.1.2.1
(1)   NAS-Port-Type = Virtual
(1)   Called-Station-Id = "10.1.2.1"
(1)   Acct-Session-Id = "58ee4b8c"
(1)   Connect-Info = "test"
(1)   Fortinet-Vdom-Name = "root"
(1) # Executing section authorize from file /etc/raddb/radiusd.conf
(1) # Executing group from file /etc/raddb/radiusd.conf
(1)     ERROR: No NT-Domain was found in the User-Name
(1) # Executing section post-auth from file /etc/raddb/radiusd.conf
(1)       &REST-HTTP-Header += X-NAS-IPv4: 10.1.2.1
(1)       &REST-HTTP-Header += X-NAS-IPv6:
...
(1) Login OK: [beni@eb.eu] (from client 10.1.2.1 port 0)
(1) Sent Access-Accept Id 3 from 10.1.2.50:1812 to 10.1.2.1:21528 length 0
(1)   MS-CHAP2-Success = 0xb8533d36324339424545334533334443324136323639354533443536423231443641444430363835414632
(1)   MS-MPPE-Recv-Key = 0x3c4b4937c3abac70f77f611c2c8a2ab9
(1)   MS-MPPE-Send-Key = 0x424995958846a5d951ba9803b45f3cdb
(1)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(1)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

 

Related document:

Administration Guide Winbind section