TimeStamp
New Member
December 16, 2024
Question

FortiAuthenticator issue with 802.1x after upgrade to 6.5.6

  • December 16, 2024
  • 2 replies
  • 2171 views

Some clients can't get authenticated.


2024-12-16T09:18:21.114057+01:00 FortiAuthenticator radiusd[12310]: Waking up in 28.7 seconds.
2024-12-16T09:18:23.758246+01:00 FortiAuthenticator radiusd[12310]: Waking up in 0.3 seconds.
2024-12-16T09:18:23.758261+01:00 FortiAuthenticator radiusd[12310]: (6) Received Access-Request Id 89 from 172.16.1.249:38059 to 172.16.1.250:1812 length 120
2024-12-16T09:18:23.758268+01:00 FortiAuthenticator radiusd[12310]: (6) User-Name = "host/war-l-glub"
2024-12-16T09:18:23.758272+01:00 FortiAuthenticator radiusd[12310]: (6) EAP-Message = 0x020700060d00
2024-12-16T09:18:23.758275+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-IP-Address = 172.16.1.249
2024-12-16T09:18:23.758280+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-Port = 5
2024-12-16T09:18:23.758284+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-Identifier = "3460F9DAC3EE"
2024-12-16T09:18:23.758288+01:00 FortiAuthenticator radiusd[12310]: (6) Service-Type = Framed-User
2024-12-16T09:18:23.758291+01:00 FortiAuthenticator radiusd[12310]: (6) Calling-Station-Id = "50-EB-F6-8E-80-C5"
2024-12-16T09:18:23.758295+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-Port-Type = Ethernet
2024-12-16T09:18:23.758299+01:00 FortiAuthenticator radiusd[12310]: (6) Message-Authenticator = 0x814953e97fa2361572c6ce73757538ef
2024-12-16T09:18:23.758304+01:00 FortiAuthenticator radiusd[12310]: (6) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2024-12-16T09:18:23.758335+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: ===>NAS IP:172.16.1.249
2024-12-16T09:18:23.758344+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: ===>Username:host/war-l-glub
2024-12-16T09:18:23.758354+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: ===>Timestamp:1734337103.758192, age:0ms
2024-12-16T09:18:23.758371+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Found authclient from preloaded authclients list for 172.16.1.249: 172.16.1.249 (172.16.1.249)
2024-12-16T09:18:23.758919+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Found authpolicy 'switche-certyfikaty' for client '172.16.1.249'
2024-12-16T09:18:23.758932+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Client type: external (subtype: radius)
2024-12-16T09:18:23.758937+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Input raw_username: host/war-l-glub Realm: (null) username: host/war-l-glub
2024-12-16T09:18:23.758940+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Searching default realm as well
2024-12-16T09:18:23.758945+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Realm not specified, default goes to FAC local user
2024-12-16T09:18:23.759457+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Local user found: host/war-l-glub
2024-12-16T09:18:23.759463+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-12-16T09:18:23.759468+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-12-16T09:18:23.759472+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-12-16T09:18:23.759490+01:00 FortiAuthenticator radiusd[12310]: (6) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-12-16T09:18:23.759498+01:00 FortiAuthenticator radiusd[12310]: (6) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
2024-12-16T09:18:23.759504+01:00 FortiAuthenticator radiusd[12310]: (6) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client.
2024-12-16T09:18:23.759508+01:00 FortiAuthenticator radiusd[12310]: (6) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
2024-12-16T09:18:23.759517+01:00 FortiAuthenticator radiusd[12310]: (6) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-12-16T09:18:23.759546+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Updated auth log 'host/war-l-glub' for attempt from 172.16.1.249: 802.1x authentication failed
2024-12-16T09:18:24.094033+01:00 FortiAuthenticator radiusd[12310]: Waking up in 0.6 seconds.
2024-12-16T09:18:24.762025+01:00 FortiAuthenticator radiusd[12310]: (6) Sent Access-Reject Id 89 from 172.16.1.250:1812 to 172.16.1.249:38059 length 20
2024-12-16T09:18:24.762064+01:00 FortiAuthenticator radiusd[12310]: Waking up in 25.0 seconds

Or:

ap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
2024-12-16T09:42:02.095167+01:00 FortiAuthenticator radiusd[15329]: (0) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client.
2024-12-16T09:42:02.095175+01:00 FortiAuthenticator radiusd[15329]: (0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request


I did a packet capture but can't find an issue here ;/

https://drive.google.com/file/d/1ov9ZymTzyuRHTobLdA9EAzEXqiK5-6Dv/view?usp=share_link
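The FreeRADIUS lines for request (6) say the EAP-Message arrived in an Access-Request that carries no State attribute. The following is an added example, not code from the original post or from Fortinet or FreeRADIUS: it rebuilds the logged request Id 89 as bytes (attribute values copied from the log, so it comes out at the logged 120 bytes) and runs the two checks a practitioner would want on such a capture: an EAP Response past the Identity round with no State (the NAS did not echo the State the server issued in its previous Access-Challenge, which is exactly what the "EAP requires the State attribute" error means) and a Message-Authenticator that verifies under the shared secret. The shared secret, the Request Authenticator and the State value are constructed placeholders, not the real ones.

```python
"""Added example (not FortiAuthenticator or FreeRADIUS code): decode a RADIUS
Access-Request and flag what the log above complains about. Attribute values
come from the logged request Id 89; secret, Request Authenticator and State
value are constructed placeholders."""
import hashlib
import hmac
import os
import struct

# Attribute types used here (RFC 2865, RFC 3579).
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
STATE, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 24, 31, 32, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
ACCESS_REQUEST = 1
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

SECRET = b"constructed-shared-secret"  # assumption, not the real switch/FAC secret


def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS datagram into header fields and a list of (type, value) AVPs."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field %d != datagram size %d" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def eap_header(attrs):
    """EAP-Message AVPs are pieces of one EAP packet: join them in order, read the header."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    return {"code": code, "id": ident, "length": length,
            "type": eap[4] if len(eap) > 4 else None}


def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the whole packet
    with the Message-Authenticator value zeroed (Request Authenticator as sent)."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = bytearray(pkt)
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # absent: an EAP Access-Request without it must be discarded (RFC 3579)


def check_access_request(pkt: bytes, secret: bytes) -> list:
    """Findings for one Access-Request; an empty list means nothing suspicious."""
    p = parse_radius(pkt)
    if p["code"] != ACCESS_REQUEST:
        return ["not an Access-Request (code %d)" % p["code"]]
    findings = []
    eap = eap_header(p["attrs"])
    has_state = any(t == STATE for t, _ in p["attrs"])
    # Only the first round (Response/Identity) may lack State; every later Response
    # must echo the State from the server's previous Access-Challenge.
    if eap and eap["code"] == EAP_RESPONSE and eap["type"] != EAP_TYPE_IDENTITY and not has_state:
        findings.append("EAP Response id=%d type=%d without State attribute: the NAS did not "
                        "echo State from the last Access-Challenge, so the server cannot match "
                        "this response to an EAP session" % (eap["id"], eap["type"]))
    if not message_authenticator_ok(pkt, secret):
        findings.append("Message-Authenticator missing or does not verify under the shared secret")
    return findings


def build_access_request(ident: int, secret: bytes, attrs: list, authenticator: bytes = None) -> bytes:
    """Assemble an Access-Request and fill in a correct Message-Authenticator last."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def sample_request(with_state: bool) -> bytes:
    """Constructed packet with the attribute set of the logged request Id 89 (120 bytes).
    EAP-Message 020700060d00 = Response, id 7, length 6, type 13 (EAP-TLS)."""
    attrs = [
        (USER_NAME, b"host/war-l-glub"),
        (EAP_MESSAGE, bytes.fromhex("020700060d00")),
        (NAS_IP_ADDRESS, bytes([172, 16, 1, 249])),
        (NAS_PORT, struct.pack("!I", 5)),
        (NAS_IDENTIFIER, b"3460F9DAC3EE"),
        (SERVICE_TYPE, struct.pack("!I", 2)),        # Framed-User
        (CALLING_STATION_ID, b"50-EB-F6-8E-80-C5"),
        (NAS_PORT_TYPE, struct.pack("!I", 15)),      # Ethernet
    ]
    if with_state:
        attrs.append((STATE, bytes(range(16))))  # opaque value the NAS should echo; constructed
    return build_access_request(89, SECRET, attrs)


if __name__ == "__main__":
    for with_state in (False, True):
        pkt = sample_request(with_state)
        print(len(pkt), "bytes, State=%s:" % with_state, check_access_request(pkt, SECRET) or "ok")
```

Run against the capture, the State check separates the two cases the log leaves open: a switch that strips or never received the State (for instance because the Access-Challenge that carried it never arrived intact) produces exactly this finding, while a request that echoes State correctly but still fails points elsewhere. The Message-Authenticator check is there because the logged request does carry one; verifying it with the configured secret rules out a secret mismatch between switch and FAC before looking any further.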

2 replies

AEK
SuperUser
December 17, 2024

Probably it is due to the RADIUS vulnerability that was fixed in FAC 6.5.6.

https://docs.fortinet.com/document/fortigate/7.2.10/fortios-release-notes/5880/radius-vulnerability

Hope it helps.

AEK
TimeStamp (author)
New Member
December 18, 2024

Thanks for the reply, but in this case FAC is being used only with endpoints. FGT doesn't have any RADIUS configured; there is no RADIUS in policies (yet). So I don't think that it might be an issue. In fact, we already upgraded to 6.5.6 from 6.4.5.

I wonder about packet fragmentation in FAC. The packet capture shows that fragmentation is occurring. FAC and the switch are on the same subnet.

Wireshark: [BoundError Unreassembled Packet: RADIUS]


001. .... = Flags: 0x1, More fragments
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set


AEK
SuperUser
December 20, 2024

Probably the error message is related to the issue.

All I can suggest is to check that the MTU is the same along the path (switch, AP if used, clients, FAC, VMware, ...).

Hope some more experienced community members can help further, like @Toshi_Esumi & @ebilcari 

AEK
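Two checks for the fragmentation seen in the capture above and the MTU advice in this reply, as an added example that is not part of the original thread and not FortiAuthenticator code. The first function decodes the IPv4 flags/offset word that Wireshark renders as "More fragments"; the second estimates how large an Access-Challenge carrying one EAP-TLS fragment becomes on the wire (EAP packet split into 253-byte EAP-Message AVPs, plus State and Message-Authenticator, plus RADIUS/UDP/IP headers) and how many IP fragments it needs at a given MTU. The 1500-byte MTU, the 16-byte State length and the EAP fragment sizes are assumptions for illustration; the IPv4 header is constructed.

```python
"""Added example (not FortiAuthenticator code): decode IPv4 fragment flags and
estimate Access-Challenge size vs. MTU. MTU, State length and EAP fragment
sizes are assumptions; the IPv4 header is constructed."""
import math
import struct

IPV4_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
MAX_AVP_VALUE = 253        # one-byte attribute length minus the 2-byte AVP header (RFC 2865)
STATE_AVP = 2 + 16         # State length is server-chosen; 16 bytes assumed
MSG_AUTH_AVP = 2 + 16      # Message-Authenticator is always 16 bytes


def ipv4_fragment_info(hdr: bytes) -> dict:
    """Decode the IPv4 flags/offset word Wireshark shows as 'More fragments' etc."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, = struct.unpack("!H", hdr[2:4])
    flags_off, = struct.unpack("!H", hdr[6:8])
    return {"total_length": total_len, "protocol": hdr[9],
            "dont_fragment": bool(flags_off & 0x4000),
            "more_fragments": bool(flags_off & 0x2000),
            "fragment_offset": (flags_off & 0x1FFF) * 8,
            "is_fragment": bool(flags_off & 0x2000) or bool(flags_off & 0x1FFF)}


def access_challenge_size(eap_len: int, mtu: int = 1500) -> dict:
    """Wire size of an Access-Challenge carrying one EAP packet of eap_len bytes
    (EAP header + EAP-TLS flags/length + TLS data) and the IP fragments it needs."""
    n_avps = math.ceil(eap_len / MAX_AVP_VALUE)          # EAP packet split into 253-byte AVPs
    radius_len = RADIUS_HDR + eap_len + 2 * n_avps + STATE_AVP + MSG_AUTH_AVP
    ip_len = IPV4_HDR + UDP_HDR + radius_len
    per_frag = (mtu - IPV4_HDR) // 8 * 8                  # fragment data is a multiple of 8 bytes
    n_frags = 1 if ip_len <= mtu else math.ceil((ip_len - IPV4_HDR) / per_frag)
    return {"eap_message_avps": n_avps, "radius_length": radius_len,
            "ip_datagram": ip_len, "ip_fragments": n_frags}


def constructed_ipv4_header(total_len: int, flags_off: int) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, 172.16.1.250 -> 172.16.1.249) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_off, 64, 17, 0,
                       bytes([172, 16, 1, 250]), bytes([172, 16, 1, 249]))


if __name__ == "__main__":
    first = ipv4_fragment_info(constructed_ipv4_header(1500, 0x2000))         # MF set, offset 0
    second = ipv4_fragment_info(constructed_ipv4_header(20 + 148, 1480 // 8))  # last fragment
    print(first)
    print(second)
    for eap_len in (1034, 4000):
        print(eap_len, access_challenge_size(eap_len))
```

With an EAP packet of about 1 kB (FreeRADIUS's EAP module defaults its TLS fragment_size to 1024; whether FAC keeps that default is an assumption to verify on the appliance) the Access-Challenge comes out near 1.1 kB and fits a 1500-byte MTU in a single datagram. So "More fragments" on a same-subnet path means either the server is emitting larger EAP fragments or the MTU is below 1500 somewhere between FAC and the switch (the VMware virtual switch named in the reply is one place to look). Either way, a lost fragment means the NAS never sees the Access-Challenge and therefore has no State to echo, which is one way to arrive at the error in the log.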
GeorgeZhong
Staff & Editor
February 19, 2025

Hi,

It looks like the RADIUS process was hanging in the FortiAuthenticator and seems related to a bug in this version. We can try to reboot the FortiAuthenticator and see if the issue is resolved, or upgrade to 6.6.2.


Regards,

George

somethingodd
New Member
September 5, 2025

Where did you get the information that 6.5.6 has some kind of bug?