ssanga
Staff & Editor
May 12, 2025

Technical Tip: WiFi Clients Fail to Connect to WPA2-Enterprise SSID Using RADIUS Authentication

Description

This article discusses an issue where clients are unable to connect to a WPA2-Enterprise SSID configured with a RADIUS user group, while connections to an SSID using WPA2 with pre-shared key authentication work without issues.

Scope

FortiGate v7.2, v7.4.

Solution

Clients attempting to connect to a WPA2-Enterprise SSID configured with a RADIUS user group are failing authentication, despite the RADIUS server indicating successful connectivity.
No RADIUS packets are observed in packet captures when users attempt to connect to the SSID. The following errors appear in the wpad debug logs:

2024-12-23 13:38:42 82722.746 f0:05:1b:xx:xx:xx <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=81 len=277
2024-12-23 13:39:03 25265.815 264 f0:05:1b:xx:xx:xx cwd_sta_disconnect sta f0:05:1b:xx:xx:xx
2024-12-23 13:39:03 25265.815 264 f0:05:1b:xx:xx:xx cwAcKernDelSta,6870 ws (0-10.10.1.1:5246) f0:05:1b:xx:xx:xx ret -1
2024-12-23 13:39:03 25265.815 264 f0:05:1b:xx:xx:xx cwAcProcInputLocalMsg: cwAcKernDataDelSta failed f0:05:1b:xx:xx:xx rId 1 wId 1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2024-12-23 13:39:03 25265.815 264 f0:05:1b:xx:xx:xx <dc> STA del f0:05:1b:xx:xx:xx ws (0-10.10.1.1:5246) vap EnterpriseSSID rId 1 wId 1
2024-12-23 13:39:03 25265.816 264 f0:05:1b:xx:xx:xx cwAcProcInputLocalMsg D2C_STA_DEL wl EnterpriseSSID wId 1 sec 6
2024-12-23 13:39:03 25265.816 264 f0:05:1b:xx:xx:xx <ih> IEEE 802.11 mgmt::disassoc ==> f0:05:1b:xx:xx:xx ws (0-10.10.1.1:5246) vap EnterpriseSSID rId 1 wId 1 70:4c:a5:xx:xx:xx
2024-12-23 13:39:03 82743.816 f0:05:1b:xx:xx:xx <eh> ***WPA_PTK f0:05:1b:xx:xx:xx DISCONNECTED***
2024-12-23 13:39:03 25265.816 264 f0:05:1b:xx:xx:xx <cc> STA_CFG_REQ(14) sta f0:05:1b:xx:xx:xx del ==> ws (0-10.10.1.1:5246) rId 1 wId 1
2024-12-23 13:39:03 25265.816 264 f0:05:1b:xx:xx:xx <cc> STA del f0:05:1b:xx:xx:xx vap EnterpriseSSID ws (0-10.10.1.1:5246) rId 1 wId 1 70:4c:a5:xx:xx:xx sec WPA2 RADIUS action idle_timeout reason 208
2024-12-23 13:39:03 25265.816 264 f0:05:1b:xx:xx:xx cwAcStaRbtDel: D2C/C2C_STA_DEL remove sta f0:05:1b:xx:xx:xx 10.10.1.1/1/1/1 from staRbt
2024-12-23 13:39:03 25265.816 264 f0:05:1b:xx:xx:xx <dc> STA chg f0:05:1b:xx:xx:xx vap EnterpriseSSID ws (0-10.10.1.1:5246) rId 1 wId 1 bssid 70:4c:a5:xx:xx:xx NON-AUTH
2024-12-23 13:39:03 25265.817 264 f0:05:1b:xx:xx:xx <cc> STA chg no key f0:05:1b:xx:xx:xx vap EnterpriseSSID ws (0-10.10.1.1:5246) rId 1 wId 1 70:4c:a5:xx:xx:xx sec WPA2 RADIUS user test group NULL
2024-12-23 13:39:03 25265.817 264 f0:05:1b:xx:xx:xx <dc> STA chg f0:05:1b:xx:xx:xx vap EnterpriseSSID ws (0-10.10.1.1:5246) rId 1 wId 1 bssid 70:4c:a5:xx:xx:xx NON-AUTH
2024-12-23 13:39:03 25265.817 264 f0:05:1b:xx:xx:xx <cc> STA chg no key f0:05:1b:xx:xx:xx vap EnterpriseSSID ws (0-10.10.1.1:5246) rId 1 wId 1 70:4c:a5:xx:xx:xx sec WPA2 RADIUS user test group NULL

In the wpad debug output, the RADIUS server hostname is seen resolving to an IPv6 address, as shown below:

2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 DNS req ipv6 0x201a 'fortinet.radius.local'
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 DNS maintainer started.
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 RADIUS: Opened radius socket 13, sa_family 10
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 HOSTAPD: <0>10.10.1.1:5246<1-0> STA 7c:76:35:xx:xx:xx RADIUS: Resending RADIUS message (id=5) to [::]:1812
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 HOSTAPD: <0>10.10.1.1:5246<1-0> STA 7c:76:35:xx:xx:xx RADIUS: Resending RADIUS message (id=4) to [::]:1812
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 Next RADIUS client retransmit in 3 seconds
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 got IPv6 DNS reply, req-id=0x201a
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 DNS req 0x1a is removed. Current total: 2
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 DNS maintainer stopped.
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 req 0x0: 2620:5f:c000:cd:5846:6ff:xx:xxxx
2025-01-06 11:44:55 Resolved fortinet.radius.local to 2620:5f:c000:cd:5846:6ff:xx:xxxx [i=0]

If the RADIUS server hostname resolves to both IPv4 and IPv6 addresses, note that WiFi RADIUS authentication over IPv6 is not supported in the current FortiGate builds. This feature is officially supported starting from firmware v7.4.8 and v7.6.3.
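
The indicators in the debug output above can be checked mechanically. The following Python sketch is an added example, not Fortinet code: it scans saved wpad debug output for a RADIUS socket opened with sa_family 10 (AF_INET6 on Linux), a RADIUS message addressed to a bracketed IPv6 destination, and a hostname resolved to an IPv6 address. The function name and the sample text (built from the log lines quoted in this article) are assumptions for illustration.

```python
import re

AF_INET6 = 10  # Linux address-family number for IPv6 (AF_INET is 2)

# Constructed sample: entries copied from the wpad debug output quoted in this article.
SAMPLE = """\
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 DNS req ipv6 0x201a 'fortinet.radius.local'
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 RADIUS: Opened radius socket 13, sa_family 10
2025-01-06 11:44:55 26737.007 2025-01-06 11:44:55 HOSTAPD: <0>10.10.1.1:5246<1-0> STA 7c:76:35:xx:xx:xx RADIUS: Resending RADIUS message (id=5) to [::]:1812
2025-01-06 11:44:55 Resolved fortinet.radius.local to 2620:5f:c000:cd:5846:6ff:xx:xxxx [i=0]
"""

PATTERNS = {
    "ipv6_socket": re.compile(r"Opened radius socket \d+, sa_family (\d+)"),
    "ipv6_destination": re.compile(r"RADIUS message \(id=\d+\) to (\[[0-9A-Fa-f:]*\]:\d+)"),
    "ipv6_resolution": re.compile(r"Resolved (\S+) to (\S+)"),
}


def ipv6_radius_findings(text):
    """Return (kind, detail) tuples, in log order, showing RADIUS going over IPv6."""
    hits = []
    for kind, pattern in PATTERNS.items():
        # finditer reports every occurrence in the capture, not just the first
        for m in pattern.finditer(text):
            if kind == "ipv6_socket":
                if int(m.group(1)) != AF_INET6:
                    continue  # IPv4 socket, nothing to report
                detail = "sa_family " + m.group(1)
            elif kind == "ipv6_destination":
                detail = m.group(1)
            else:
                # Pasted logs often mask part of the address, so look for ':'
                # instead of parsing it with the ipaddress module.
                if ":" not in m.group(2):
                    continue  # resolved to an IPv4 address
                detail = m.group(1) + " -> " + m.group(2)
            hits.append((m.start(), kind, detail))
    return [(kind, detail) for _, kind, detail in sorted(hits)]


if __name__ == "__main__":
    for kind, detail in ipv6_radius_findings(SAMPLE):
        print(f"{kind}: {detail}")
```

Any finding on a build earlier than v7.4.8 or v7.6.3 points to the condition described in this article.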


Workaround:
Configure the RADIUS server using its IPv4 address instead of a hostname.

General debug information required by FortiGate TAC for investigation:

  1. Debugs:


diagnose debug application wpad 7
diagnose debug console timestamp enable
diagnose debug enable


Remove the Enterprise SSID from the FortiAP Profile, select 'OK', wait for a few seconds, and then re-add it to the FortiAP Profile. After completing the steps, disable debugging using the command below:


diagnose debug disable

  2. TAC Report:


execute tac report

  3. Configuration file of the FortiGate.