- From the FortiNAC CLI, enable the following debugs:
    execute enter-shell          <----- For FortiNAC-F versions.
    nacdebug -name PolicyHelper true
    nacdebug -name RadiusAccess true
    nacdebug -name RadiusManager true
    nacdebug -name BridgeManager true
    Device -ip <Switch-IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"
Note: Replace <Switch-IPaddress> with the IP address of the switch, or of the FortiGate that manages the FortiSwitches.
- To check which debug options are enabled:
    nacdebug -all | grep -i true
  Or:
    CampusMgrDebug -all | grep -i true
- Under Network -> RADIUS -> Local Service, make sure the following options are enabled:
  - Debug & Troubleshooting:
    - 'Service Log Level' -> High.
    - 'FortiNAC Server Log Debug' -> Enable.
    - Check 'Include Network Access Policy Debug'.
  Or:
  - Debug & Troubleshooting:
    - 'Service Log Debug' -> Enable.
    - 'FortiNAC Server Log Debug' -> Enable.
    - Check 'Include Network Access Policy Debug'.
- In another CLI session, run a packet capture before reproducing the issue (see Technical Tip: Run tcpdump in FortiNAC-F and save capture as a file). Execute the command below to capture the RADIUS traffic, then download the file using WinSCP (valid for the FortiNAC branch only):
    execute tcpdump -i any host <switch-ip> and port 3799 or port 1812 or port 1645 -w radius.pcap
  Note: In BPF filter syntax 'and' binds more tightly than 'or', so this filter matches (host <switch-ip> and port 3799) or port 1812 or port 1645; RADIUS traffic on 1812/1645 from other hosts is captured as well, which is harmless for troubleshooting.
  Note: In the FortiNAC-F version, WinSCP can no longer be used. The file can instead be exported to a TFTP server:
    execute enter-shell
    tftp -pr radius.pcap <tftp server IP>
- Once the issue is reproduced, grab the logs from FortiNAC. For further information about grab-log-snapshot, check: Technical Tip: How to get a debug log report from FortiNAC-CA or FortiNAC-Manager.
- After reproducing the issue, collect the logs and PCAP file and attach them to a FortiCare ticket.
- Disable debug on FortiNAC (FortiNAC-F):
    execute enter-shell          <----- FortiNAC-F version.
    nacdebug -name PolicyHelper false
    nacdebug -name RadiusAccess false
    nacdebug -name RadiusManager false
    nacdebug -name BridgeManager false
    Device -ip <Switch-IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"
  Check which debug options are still enabled:
    nacdebug -all | grep -i true
  Or:
    CampusMgrDebug -all | grep -i true
Note: During the RADIUS authentication phase, FortiNAC uses the 'Winbind' service to query the LDAP server to validate the user. If that is successful, post-auth runs; during this phase FortiNAC looks up the user record (via LDAP if the record does not exist locally). Then, when the policy runs, groups can be used as part of the policy lookup. During RADIUS authentication, it does not matter whether the group is synced with FortiNAC or not: Winbind will query the LDAP server.
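As an added example (not part of this article and not FortiNAC code): once radius.pcap has been exported, the RADIUS payloads inside it can be decoded offline to see which side of the exchange failed. The pure-Python parser below decodes the RADIUS header and attribute TLVs, names the Access-Request/Accept/Reject codes seen on ports 1812/1645 and the CoA/Disconnect codes seen on port 3799, and checks a reply's Response Authenticator against a shared secret. A switch silently discards replies that fail that check, so a failed check against the secret configured on the switch is how a shared-secret mismatch between the switch and FortiNAC shows up in a capture. The sample request/accept pair, the addresses and the secret testing123 are constructed here for the demonstration; to use it on a real capture, extract the UDP payloads with a pcap reader of your choice and pass them to check_response.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 and RFC 5176) expected on UDP 1812/1645 (auth) and 3799 (CoA/Disconnect)
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge",
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}

# A few standard attribute types, enough to label what a NAC capture usually carries
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 64: "Tunnel-Type",
              79: "EAP-Message", 80: "Message-Authenticator", 81: "Tunnel-Private-Group-Id"}


def parse_radius(data: bytes) -> dict:
    """Decode one RADIUS UDP payload: 4-byte header, 16-byte authenticator, then TLV attributes."""
    if len(data) < 20:
        raise ValueError("payload shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"length field {length} is inconsistent with payload size {len(data)}")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:   # RFC 2865: length covers type + length + value
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": RADIUS_CODES.get(code, f"Unknown-{code}"),
            "id": ident, "authenticator": data[4:20], "attributes": attrs}


def build_radius(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble a RADIUS packet from (type, value) pairs; used here only to construct the samples."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(response: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()


def check_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """True if the reply carries the request's ID and its authenticator was computed with `secret`.
    A NAS silently drops replies that fail this check, which is what a shared-secret mismatch
    between the switch and the RADIUS server looks like in a capture."""
    req, resp = parse_radius(request), parse_radius(response)
    if resp["id"] != req["id"]:
        return False
    expected = response_authenticator(response, req["authenticator"], secret)
    return hmac.compare_digest(resp["authenticator"], expected)


# --- constructed sample exchange (assumed values, not taken from any real capture) ---
SECRET = b"testing123"                      # assumed shared secret for the sample
REQUEST_AUTH = bytes(range(16))             # stands in for the NAS's random Request Authenticator
SAMPLE_REQUEST = build_radius(1, 7, REQUEST_AUTH, [
    (1, b"alice"),                          # User-Name
    (4, bytes([10, 0, 0, 2])),              # NAS-IP-Address 10.0.0.2 (constructed)
    (31, b"00-11-22-33-44-55"),             # Calling-Station-Id (constructed MAC)
])
_accept_body = build_radius(2, 7, bytes(16), [(81, b"100")])   # Tunnel-Private-Group-Id "100"
SAMPLE_ACCEPT = (_accept_body[:4]
                 + response_authenticator(_accept_body, REQUEST_AUTH, SECRET)
                 + _accept_body[20:])


def summarize(payload: bytes) -> str:
    """One-line description such as 'Access-Request id=7 User-Name=alice'."""
    pkt = parse_radius(payload)
    user = next((v.decode(errors="replace") for n, v in pkt["attributes"] if n == "User-Name"), "-")
    return f"{pkt['name']} id={pkt['id']} User-Name={user}"


if __name__ == "__main__":
    for payload in (SAMPLE_REQUEST, SAMPLE_ACCEPT):
        print(summarize(payload))
    print("accept valid with correct secret:", check_response(SAMPLE_ACCEPT, SAMPLE_REQUEST, SECRET))
    print("accept valid with wrong secret:  ", check_response(SAMPLE_ACCEPT, SAMPLE_REQUEST, b"wrong"))
```

The parser refuses packets whose length field or attribute lengths do not add up instead of reading past the buffer, so a truncated or corrupted datagram in the capture is reported rather than misdecoded. Message-Authenticator (attribute 80, an HMAC-MD5 over the packet) is only labelled here, not verified; it is required for EAP exchanges and is worth checking next when the Response Authenticator is fine but EAP still fails.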
Related documents:
- Troubleshooting Tip: FortiNAC Local Radius Debug and Troubleshooting via GUI
- Technical Tip: How to set up EAP-TLS on workstation and FortiNAC
- Technical Tip: FortiNAC RADIUS debug errors and solutions
- Machine Authentication
- Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks