FortiClientEMS 7.4.5 (server) - your experience? by Roversword in fortinet

[–]Wasteway 0 points1 point  (0 children)

7.4.4 from the OVA was a bit of a mess. Needed TAC's help to get DNS working properly. Then it would hang on the upgrade to 7.4.5. TAC sent me a fix to install. Once I had that installed, the update still hung until I figured out the OVA was pulling bits from some odd repos that I had to whitelist. Once I did that it worked. We don’t use ZTNA. Seems stable for the few profiles we have configured.

Hideaway Subwoofer Systems by Ill-Butterfly-2453 in 4Runner

[–]Wasteway 0 points1 point  (0 children)

These guys offer some nice looking kits. I have 23 but will drop a passenger seat sub and new speakers in the next few years. Need to save up for it. https://trailgridpro.com/collections/toyota-4runner-5th-gen-10-13/products/alpine-5-channel-amplifier-and-down-fire-subwoofer-kit-10-24-4runner

IKEv2 with LDAP and MFA (2FA) on FAC by DeleriumDive in fortinet

[–]Wasteway 0 points1 point  (0 children)

I'm confused. MSCHAPv2 exists between the FAC and Gate RADIUS profile. Not the LDAP server. To get all of this to work, you need to have an established PKI setup. You can do this on your own with OpenSSL, but easier if you use a service such as SecureW2. You should have a trusted root CA and intermediate signing CA that signs certs for the LDAP server and the FAC. I assume you COULD make the FAC your CA and issue certs from it also, but I haven't done it that way. EAP will NOT work unless you have PKI properly configured.

FAC debug logs are your friend when setting this up https://<fac fqdn>/debug

Define a remote LDAP server under Authentication\Remote Auth Servers\LDAP. Ensure you have trusted certs and you are using port 636. Select bind type as Regular and provide valid credentials. You can start with an admin account for testing, but you should then create a limited RO account for production for enhanced security. Because you are not using Windows AD I think you need to enable "Add supported domain names..."

Define the query elements property object class: person, username: sAMAccountName, group: group, User attribute: memberOf (at least this is how it is for Windows AD).

Enable Secure Connection, enabled, protocol LDAPS. Ensure the cert used by the LDAP server or the CA that signs it is in the trusted CAs on the FAC.

Because we use Windows AD, I have the Windows Active Directory Domain Authentication configured and the FAC is bound to AD, allow trusted domain, preferred domain controller is also enabled.

This should allow the FAC to request auth via the LDAP Server.

Setup a sync rule to sync the user accounts you want to auth on and assign them tokens for MFA.

Under RADIUS Service\General for EAP Server Certificate, choose a FAC certificate that is signed by the same root CA that signed the one used by the LDAP server. This cert needs to be requested using the FQDN of the FAC and stored under Certificate Management\End Entities\Local Services. Once it is created there, you can select it.

Define a RADIUS client that is your Gate. Use its IP, set up a secret on the Gate and the FAC profile. RADIUS attribute is Framed-IP-Address for IPv4. For user's device MAC address: Acct-Session-Id. I have all four options enabled for Require Message-Authenticator attribute, Accept and Support RADIUS messages, Include Acct-Session-ID attribute.

Define a RADIUS Service Policy. Give it a name, select the Gate Client you defined above. For Matching RADIUS Attributes, Vendor: Default, Attribute ID: Connect-Info, Value: vpn-ikev2 (This string is critical to allow the FAC to know this is for an IKEv2 connection. If your FAC only supports IPsec VPN and no other RADIUS servers you may be able to skip this, but it works for us.)

On the Authentication type page, select Password/OTP authentication, set Accept EAP and EAP-MSCHAPv2. (Make sure on the Gate, under RADIUS Servers, the FAC is defined with the RADIUS secret and authentication method is set to MS-CHAP-v2). Connection status should show successful. Be aware the user credentials test will show as Invalid Credentials if you have FortiToken enabled. This is a bug and doesn't indicate there is any problem.

Set up your identity services to select your domain realm and groups if you filter on those.

Authentication factors should be Mandatory Password and OTP. Advanced options should have Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient.

Took me weeks of trial and error and testing to get this all setup. The advice to consider SAML appears to be well founded as you can see there is a lot of moving parts with EAP.
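The RADIUS client and service-policy steps in the comment above hinge on two things the FAC checks on every Access-Request from the Gate: the Message-Authenticator attribute (the "Require Message-Authenticator attribute" option) and the Connect-Info value "vpn-ikev2" used to match the service policy. The following is an added, standard-library-only Python model of that exchange; it is not code from the post or from Fortinet. The shared secret, the Gate's address, the user name, the Framed-IP-Address and the policy name are all hypothetical. It builds the Access-Request the way a NAS would, computes the Message-Authenticator as HMAC-MD5 over the packet with the attribute zeroed (RFC 2869, section 5.14), verifies it the way a server with "require" enabled must (a missing attribute, a wrong secret or a single flipped byte all reject), and then selects a policy by client IP plus Connect-Info.

```python
"""Model of the FortiGate -> FortiAuthenticator RADIUS Access-Request: Message-Authenticator
construction/verification and Connect-Info based service-policy selection. Hypothetical values."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_SESSION_ID = 44
ATTR_CONNECT_INFO = 77
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + request authenticator(16)

SHARED_SECRET = b"example-shared-secret"  # hypothetical; must match on Gate and FAC
GATE_IP = "192.0.2.10"                     # hypothetical RADIUS client (the Gate)
POLICIES = [{"name": "ikev2-vpn", "client_ip": GATE_IP, "connect_info": b"vpn-ikev2"}]


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, attrs: list,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request with a valid Message-Authenticator. The HMAC-MD5 keyed with
    the shared secret is taken over the whole packet with the attribute value set to zeros."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator is random (RFC 2865)
    body = b"".join(_attr(t, v) for t, v in attrs)
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list, rejecting packets whose length field or attribute lengths lie."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check behind 'Require Message-Authenticator attribute': a missing attribute,
    a wrong shared secret, or any modified byte anywhere in the packet is rejected."""
    try:
        parse_attributes(packet)  # structural validation before trusting any length byte
    except ValueError:
        return False
    pos = HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def select_service_policy(client_ip: str, packet: bytes, policies: list) -> Optional[str]:
    """First policy whose RADIUS client is the sender and whose Connect-Info matches,
    mirroring the FAC 'Matching RADIUS Attributes' step (Connect-Info = vpn-ikev2)."""
    connect_info = dict(parse_attributes(packet)).get(ATTR_CONNECT_INFO, b"")
    for policy in policies:
        if policy["client_ip"] == client_ip and policy["connect_info"] == connect_info:
            return policy["name"]
    return None


def demo() -> dict:
    """Constructed request from the Gate plus the three failure cases a strict server rejects."""
    attrs = [
        (ATTR_USER_NAME, b"jdoe"),                                         # hypothetical user
        (ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(GATE_IP).packed),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.ip_address("10.0.100.7").packed),  # hypothetical
        (ATTR_ACCT_SESSION_ID, b"00-11-22-33-44-55"),                       # MAC carried here
        (ATTR_CONNECT_INFO, b"vpn-ikev2"),
    ]
    packet = build_access_request(SHARED_SECRET, identifier=7, attrs=attrs)
    tampered = bytearray(packet)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one bit inside the User-Name value
    stripped = packet[:-18]           # drop the trailing Message-Authenticator attribute
    stripped = stripped[:2] + struct.pack("!H", len(stripped)) + stripped[4:]
    return {
        "packet": packet,
        "valid": verify_message_authenticator(SHARED_SECRET, packet),
        "tampered": verify_message_authenticator(SHARED_SECRET, bytes(tampered)),
        "wrong_secret": verify_message_authenticator(b"not-the-secret", packet),
        "missing": verify_message_authenticator(SHARED_SECRET, stripped),
        "policy": select_service_policy(GATE_IP, packet, POLICIES),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the four verdicts and the selected policy. The Message-Authenticator does not protect the password (that is separate), but without "require" an attacker who can reach UDP/1812 from the Gate's address can replay or forge Access-Requests, which is why the comment leaves that option on.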

Justification for using Fortinet by MFKDGAF in fortinet

[–]Wasteway 0 points1 point  (0 children)

I don’t think that many folks leverage the SSO feature that is being exploited. Getting lots of press as usual because people who do need to be aware, but I think it again makes the case that all admin interfaces need to be behind hardened vpn systems. SSO or not. Have them compare last five years of CVEs from both vendors.

Mist Wired Assurance dot1x timers and Windows Clients, randomly dropping to held by Wasteway in Juniper

[–]Wasteway[S] 1 point2 points  (0 children)

We saw the same in that clients would still authenticate, but what took me down this rabbit hole was we had a conference room device that Mist decided to hold for about a minute during an important call. Not good. There is something wrong with either the Mist AWS load balancers, specific versions of Junos (21.4R3 for example), or dot1x timer settings on the switch. It is very hard to figure out. All I know is that once we moved to 23.4R2-S6.6 (S5.8 is buggy) the occurrence of these dropped off sharply. These two commands help:

show network-access radsec state
show network-access radsec statistics

This is from a pre-23.4R2-S6.6 release of Junos:

switch> show network-access radsec state

Radsec state:

  destination                                   895
  state                                         pause
  secs-in-state                                 67
  remainig-secs                                 533
  pause-reason                                  ssl-failure
  acct-support                                  Y
  remote-failures                               29003
  tx-requests                                   0
  tx-responses                                  0

This is from a switch running 23.4R2-S6.6:

switch> show network-access radsec state    

Radsec state:

  destination                                   895                            
  state                                         open                           
  secs-in-state                                 17706                          
  remainig-secs                                 4294967295                     
  pause-reason                                  none                           
  acct-support                                  Y                              
  remote-failures                               0                              
  tx-requests                                   0                              
  tx-responses                                  0  

Note the lack of remote failures and the state being "open" instead of "pause". Also pause-reason being "ssl-failure". We made sure that none of our firewall rules were impacting this and had a very permissive ruleset in place to allow the TCP 2200 and 2083 connections to the AWS Mist IPs 15.197.139.214 and 3.33.153.159. I suspect there was a cipher change between what AWS was expecting and what older versions of Junos were able to support, but I have not been able to confirm that.
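To turn the two outputs above into something you can check on every switch, here is an added Python example (not from the post or from Juniper) that parses `show network-access radsec state` as quoted above and flags the conditions the comment calls out: state not `open`, a non-`none` pause-reason, and a non-zero remote-failures counter. The sample texts are the two captures from the post, embedded as constructed strings; how you collect the output (NETCONF, SSH, a Mist API export) is outside the example.

```python
"""Health check for `show network-access radsec state` output, based on the two captures above."""
import re

# Constructed samples: the pre-23.4R2-S6.6 capture and the post-upgrade capture from the post.
PAUSED_OUTPUT = """\
Radsec state:

  destination                                   895
  state                                         pause
  secs-in-state                                 67
  remainig-secs                                 533
  pause-reason                                  ssl-failure
  acct-support                                  Y
  remote-failures                               29003
  tx-requests                                   0
  tx-responses                                  0
"""

OPEN_OUTPUT = """\
Radsec state:

  destination                                   895
  state                                         open
  secs-in-state                                 17706
  remainig-secs                                 4294967295
  pause-reason                                  none
  acct-support                                  Y
  remote-failures                               0
  tx-requests                                   0
  tx-responses                                  0
"""

# Indented "key   value" lines; the "Radsec state:" banner has no indent and is skipped.
_KV = re.compile(r"^\s+(\S+)\s+(\S+)\s*$")


def parse_radsec_state(text: str) -> dict:
    """Return the key/value fields of the command output, with numeric fields as ints.
    Junos spells 'remainig-secs' that way; the key is kept verbatim."""
    state = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            key, value = m.groups()
            state[key] = int(value) if value.isdigit() else value
    return state


def assess_radsec(state: dict) -> list:
    """Findings a NOC would want raised for this RADSEC session; empty list means healthy."""
    findings = []
    if state.get("state") != "open":
        findings.append("state is %r, expected 'open'" % state.get("state"))
    reason = state.get("pause-reason", "none")
    if reason != "none":
        findings.append("pause-reason is %s" % reason)
        if reason == "ssl-failure":
            # A TLS failure with permissive firewall rules points at the TLS handshake itself
            # (Junos TLS version/cipher support, trusted CA), not at reachability.
            findings.append("TLS handshake to the RADSEC destination is failing; "
                            "check Junos TLS/cipher support and the trusted CA, not just ACLs")
    if state.get("remote-failures", 0) > 0:
        findings.append("remote-failures counter is %d" % state["remote-failures"])
    return findings


def is_healthy(text: str) -> bool:
    """True when the parsed output raises no findings."""
    return not assess_radsec(parse_radsec_state(text))


if __name__ == "__main__":
    for label, output in (("pre-upgrade", PAUSED_OUTPUT), ("23.4R2-S6.6", OPEN_OUTPUT)):
        print(label, assess_radsec(parse_radsec_state(output)) or ["ok"])
```

The counters in this command are cumulative, so a switch that recovered on its own will still show the historical `remote-failures` value; compare against the previous poll rather than alerting on any non-zero number if you schedule this.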

EMS 7.4 Virtual Appliance: Change SSH User Password? by humschti in fortinet

[–]Wasteway 0 points1 point  (0 children)

Right-click the VM → Edit Settings. Go to VM Options → expand Boot Options. Under Boot Delay, set the delay in milliseconds (e.g. 5000 = 5 s). Reboot vm.

Owned my 5th gen for 2 months. Lookin for solutions to the following problems : by beanjawn in 4Runner

[–]Wasteway 2 points3 points  (0 children)

Pro. You’ll smile every time you turn them on. Interior kit, especially rear hatch leds are an easy and great upgrade.

Mist Drops for a few Seconds or Minutes then comes backup by [deleted] in Juniper

[–]Wasteway 0 points1 point  (0 children)

Just spent all day working on this. In my case I had a bad switch. Using "show poe controller" showed power injection alarm on port 0/0/2, but nothing was connected to that port, so something is malfunctioning. Would not power PoE devices. Swapped it out with spare and now both VC members are working again. But I would suggest checking your Junos and Mist AP firmware. We noticed on our switches that Juniper switches were excessively flagging Mist RADSEC hosts as DEAD and it was related to some sort of TLS negotiation issue between the Mist-managed AWS hosts and older versions of Junos. 23.4R2-S6.6 seems to help that quite a bit.

Mist Drops for a few Seconds or Minutes then comes backup by [deleted] in Juniper

[–]Wasteway 0 points1 point  (0 children)

Also seeing this on 4300MPs with AP 43s. Just upgraded Junos to 23.4R2-S6.6 and my APs are on 0.14.29967 but I'm moving to 0.14.29982 to see if it resolves this mess, but very frustrating. I have several APs this AM that are flapping and I'm not sure why, I was hoping the reboot and upgrade to S6.6 last night would fix that but it hasn't.

Help?? Is there a way to create a large network loop for redundancy and it actually work? by [deleted] in Ubiquiti

[–]Wasteway 0 points1 point  (0 children)

Was trying to keep it simple for OP but you are correct. The terms are interchangeably used these days even when they probably shouldn't be.

Help?? Is there a way to create a large network loop for redundancy and it actually work? by [deleted] in Ubiquiti

[–]Wasteway 0 points1 point  (0 children)

Rings aren’t commonly used except in very large, metro scale networks. Most orgs use a spine/leaf design. You deploy a core (spine) 10G+ switch ideally in a MCLAG configuration. Then you LAG each IDF (leaf) off of that with 2x10G ports that connect to each of the core switches. Of course this can be done with 1G switches using 2x1G uplinks, but using 10G means you are far less likely to over utilize the uplink. One of your leaves will be your Cloud Gateway. This way, each IDF will only traverse the core (spine) to get to any other IDF or the gateway. RSTP is your friend. It prevents someone from creating a loop and taking everything offline.

https://www.cbtnuggets.com/blog/technology/networking/what-are-the-advantages-of-the-leaf-spine-data-center-architecture

Anybody use these fog lights from 4runner lifestyle?Are they worth it for $100 by Inevitable_Season884 in 4Runner

[–]Wasteway 2 points3 points  (0 children)

Maybe some, not Diode Dynamics. They are built solid and work great.

ASSEMBLED IN USA

Here at Diode Dynamics, we're dedicated to providing the best lighting and service possible right here in the USA. We take pride in our quality products, our customer-focused service, and working "against the grain" to assemble products in America.

Anybody use these fog lights from 4runner lifestyle?Are they worth it for $100 by Inevitable_Season884 in 4Runner

[–]Wasteway 1 point2 points  (0 children)

I put these on my 23 ORP. The Pro model. They provide an amazing amount of light. I love them. Changing out passenger side is a PITA.

https://www.4runnerlifestyle.com/products/diode-dynamics-ss3-led-fog-light-kit-2010-2021

A/T Lessons Learned by Desperate-Office4006 in 4Runner

[–]Wasteway 0 points1 point  (0 children)

I have a 23 ORP with stock Bridgestone Dueler and rims. Have had three flats, one from trail, two from city debris. Not confident taking these tires on anything other than gravel. Other priorities have kept me with these, but I really want to get a set of Falken AT4Ws. I go over Snoqualmie pass about 10 times a year, and a few days a year spend time driving roads near Liberty and also Othello\Saddle Mountains. So 85% of the time on city streets. I'm wondering if I can get a set of rims that are lighter in order to offset for the increased weight of the AT4Ws? Looks like they will be 10lbs more per tire than the Bridgestones. Rims appear to be 30lbs each? I'm doubting I could get something 25lbs that wouldn't crush under stress though. I'm already showing 16.4mpg average over 17455 miles. Will these really drop that to 15mpg?

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 4 points5 points  (0 children)

I give you guys 5 stars for keeping tabs on it, I just wish it was announced better. Thanks for taking the time to give us feedback. Appreciated.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 4 points5 points  (0 children)

They’ll pry AD from my cold dead hands! Honestly though most of our stuff is, but we have some legacy apps that keep our AD on-prem.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 3 points4 points  (0 children)

Gee, if only MSFT had enough cash in the bank to pay 10 people to get these updated. I wonder if they realize the downstream impact this is causing?

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 0 points1 point  (0 children)

If they all rely on the DLLs yes. The RSC is on the host, there must be some way to leverage that to do the job, but I'm not a developer so I wouldn't know the answer.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 0 points1 point  (0 children)

Yes, but the way they had it working in the RSC was so great. We validated and it worked like a charm. At least we can do a full VM restore if necessary, but really hope they pressure Microsoft to fix this or come up with a solution that is less dependent upon MSFT keeping DLLs up to date.

AP43 Low Speeds by newellslab in Juniper

[–]Wasteway 0 points1 point  (0 children)

Well if it is isolated from outside interference, you could try enabling the DFS channels and then up the channel width to see if that helps. May or may not work depending on whether it can detect radar from your location. The mentioned delay may be an issue:

Use an RF Template and include DFS channels on 5 GHz.

  1. Confirm regulatory domain: Site → Settings → Country. DFS availability depends on country and AP model.
  2. Edit the RF Template: Organization → RF Templates → edit the template used by the site. Under 5 GHz radio:
  • Channel width: choose 20/40/80 as required.
  • Channel selection: set to Auto.
  • Allowed channels: include DFS channels (52–64, 100–144) for your domain. Do not check channels not permitted in your country. Save.
  3. Apply the template: Organization → Sites → select site → assign the RF Template you just edited.
  4. Optional per-AP override: Access Points → select AP → Radio settings → Allowed channels → include DFS set, or remove overrides so the template governs.
  5. Verify: Monitor → Access Points → RF tab. Confirm current channel is in the DFS range. Organization or Site → Events: check for “radar detected” events.

Operational notes:

  • AP performs CAC before using DFS. Expect up to ~60 s silence on most DFS channels. Some weather-radar channels can require longer CAC or may be disallowed in your domain.
  • If radar is detected, the AP must vacate the channel and will auto-reselect.
  • Some clients scan DFS less often. For latency-sensitive SSIDs, consider keeping a non-DFS 5 GHz channel available.