Thonno
Explorer II
December 2, 2024
Solved

Issue with dot1x Configuration on FortiNAC

  • December 2, 2024
  • 2 replies
  • 11386 views

Hello,

I am experiencing an issue with the dot1x configuration on FortiNAC.
I am using FortiNAC 700F, version 7.2.8.0149.

I have followed all the steps shown in this video:
https://www.youtube.com/watch?v=7pRg2-SVipo

The problem is that I don’t have the "EAP-Type-Name" option.

I still followed the entire video and applied the instructions, but when I connect a PC to the switch port where dot1x auto-registration is enabled, the PC shows "authentication failed."

On the FortiNAC side, I don’t see any activity logs.

Here is the switch configuration:

interface GigabitEthernet0/17
switchport access vlan 2
switchport mode access
switchport voice vlan 150
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate 180
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout server-timeout 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 6
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
aaa nas port extended
!
radius-server host 172.16.180.104 auth-port 1645 acct-port 1646 key 7 encryptedpassword
radius-server vsa send authentication

I also tried configuring:
radius-server host 172.16.180.104 auth-port 1812 acct-port 1813 key
But it didn’t make any difference.

Thank you in advance for your help!

Best regards,

Best answer by Hatibi

The request is being sourced from 172.27.1.98. Is the switch added with this IP in FortiNAC? FortiNAC will ignore RADIUS requests when these are not coming from a Source IP it has in the inventory view.

Enable following debugs in FortiNAC:

diagnose debug plugin enable RadiusAccess

diagnose debug plugin enable RadiusManager

diagnose debug plugin enable BridgeManager

diagnose tail -F output.master

Then recreate the issue again. The output.master logs should show how the request is being processed.

Additionally double check that "radius" and "radius-local" services are allowed on port1.

show system interface
config system interface
edit port1
set ip 10.10.10.6/24
set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh

end

2 replies

sjoshi
Staff
December 2, 2024

To troubleshoot the issue with dot1x configuration on FortiNAC, where the "eap-type-name" option is missing and PCs show "authentication failed" when connected to the switch port, follow these steps:

1. Verify the FortiNAC configuration for any missing settings related to EAP types.

2. Check the switch configuration to ensure all dot1x settings are correctly applied, including the authentication method and RADIUS server details.

3. Confirm that the RADIUS server is properly configured with the correct ports and shared key.

4. Review the logs on both the switch and FortiNAC for any error messages or authentication failures.

Thanks, Salon
Hatibi
Staff & Editor
December 2, 2024

In this case, the "EAP-Type-Name" option is just a filter you apply in the User&Host profile in order to match the host and apply the Network access configuration. It is not mandatory and you can remove that filter and use something else.

However, this part is relevant after the host is registered. In your case this has not happened yet due to authentication failing. After the host successfully registers through a successful 802.1X auth, then the NAC policy is applied.

This is explained here: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-State-based-Control-concept-and-VLAN-changes/ta-p/339579

First check why auth is failing by going to Network->Radius and enable debugging to High.

Check the Service Logs and track the Username/MAC attempting the authentication. You will be provided with a possible reason of why this is failing.

ebilcari
Staff
December 2, 2024

In addition, the Authentication policy configuration (method RADIUS) shown in the video is misleading. Firstly, it is not needed; in this case there is already RADIUS authentication in place. This authentication policy will trigger a second authentication request to the end user via the Portal or Persistent agent, which doesn't make sense if the user has to provide the same credentials that are already configured in the Supplicant. Also, the 'Forced Authentication' doesn't appear to be enforced at the port level, which means that the host will not match it.

The User/Host profile potential is better used when there are conditions based on Host and User attributes like groups or roles. Having a general RADIUS attribute check is not that granular.
As mentioned, enabling RADIUS logs or a simple packet capture of the RADIUS traffic will give more insight into the authentication failure:

# execute tcpdump port 1812 and host x.x.x.x -vX
*(replace x.x.x.x with the IP of the switch)

Emirjon