FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and the demand for plug and play deployment.
Matt_B
Staff & Editor
Article Id 407804
Description This article demonstrates example packet captures and FortiOS debugs to observe a wireless client authentication attempt using EAP when an external RADIUS server is in use.
Scope WPA2 Enterprise, WPA3 Enterprise with External RADIUS server.
Solution

Example topology: 

EAP authentication_diagram.png

Example packet sniffer for EAPOL traffic:

The FortiAP forwards EAPOL packets to the FortiGate using the CAPWAP Data channel (UDP port 5247 by default). EAP traffic can be identified by the EtherType of the encapsulated 802.1X Authentication frame (0x888e).

Use the filter 'port 5247 and (udp[0x24:2]==0x888e or udp[0x2c:2]==0x888e)' to capture these EAPOL frames. Check Troubleshooting Tip: Advanced filters for FortiOS packet capture if more detail is needed regarding FortiOS packet capture syntax.

diagnose sniffer packet v140.fortiap 'port 5247 and (udp[0x24:2]==0x888e or udp[0x2c:2]==0x888e)' 6 0 l
interfaces=[v140.fortiap]
filters=[port 5247 and (udp[0x24:2]==0x888e or udp[0x2c:2]==0x888e)]
2025-09-04 16:43:20.715497 v140.fortiap -- 10.140.255.1.5247 -> 10.140.255.100.36427: udp 44
CAPWAP DATA Ether type 0x888e printer hasn't been added to sniffer.
0x0000 e023 ffbe 16b8 0009 0f09 8608 0800 45a0 .#............E.
0x0010 0048 8349 0000 4011 e33d 0a8c ff01 0a8c .H.I..@..=......
0x0020 ff64 147f 8e4b 0034 0000 0020 8220 0000 .d...K.4........
0x0030 0000 0400 0200 0000 0000 4c44 5b06 a22a ..........LD[..*
0x0040 e023 ffbe 16c9 888e 0200 000a 0148 000a .#...........H..
0x0050 0168 656c 6c6f .hello

2025-09-04 16:43:20.765021 v140.fortiap -- 10.140.255.100.36427 -> 10.140.255.1.5247: udp 43
CAPWAP DATA Ether type 0x888e printer hasn't been added to sniffer.
0x0000 0009 0f09 8608 e023 ffbe 16b8 0800 4500 .......#......E.
0x0010 0047 8500 0000 ff11 2327 0a8c ff64 0a8c .G......#'...d..
0x0020 ff01 8e4b 147f 0033 0000 0030 8231 0000 ...K...3...0.1..
0x0030 0000 06e0 23ff be16 c900 04d3 3201 f400 ....#.......2...
0x0040 0000 e023 ffbe 16c9 4c44 5b06 a22a 888e ...#....LD[..*..
0x0050 0101 0000 00 .....
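The two filter offsets in the sniffer command are not arbitrary: in BPF terms udp[N] counts from the start of the UDP header, so the EtherType sits at 8 (UDP header) + CAPWAP header length + 12 (two MAC addresses). In the first frame above the CAPWAP HLEN field gives a 16-byte header (W flag set), in the second a 24-byte header (W and M flags set), which yields 0x24 and 0x2c. The following Python is an added example, not Fortinet code: it rebuilds the raw bytes from the two hex dumps above (copied in as constructed input), decodes the CAPWAP header per RFC 5415, derives the udp[] offset from HLEN, cross-checks it against the bytes the filter would test, and decodes the EAPOL/EAP header that follows. It also regenerates the filter string for any set of CAPWAP header lengths, which covers the general case rather than only the two seen here.

```python
import struct

# Two CAPWAP data-channel frames copied from the 'diagnose sniffer packet' output
# above (verbosity 6). Only the hex columns are parsed; the ASCII column is ignored.
FRAME_AP_TO_STA = """\
0x0000 e023 ffbe 16b8 0009 0f09 8608 0800 45a0 .#............E.
0x0010 0048 8349 0000 4011 e33d 0a8c ff01 0a8c .H.I..@..=......
0x0020 ff64 147f 8e4b 0034 0000 0020 8220 0000 .d...K.4........
0x0030 0000 0400 0200 0000 0000 4c44 5b06 a22a ..........LD[..*
0x0040 e023 ffbe 16c9 888e 0200 000a 0148 000a .#...........H..
0x0050 0168 656c 6c6f .hello
"""
FRAME_STA_TO_AP = """\
0x0000 0009 0f09 8608 e023 ffbe 16b8 0800 4500 .......#......E.
0x0010 0047 8500 0000 ff11 2327 0a8c ff64 0a8c .G......#'...d..
0x0020 ff01 8e4b 147f 0033 0000 0030 8231 0000 ...K...3...0.1..
0x0030 0000 06e0 23ff be16 c900 04d3 3201 f400 ....#.......2...
0x0040 0000 e023 ffbe 16c9 4c44 5b06 a22a 888e ...#....LD[..*..
0x0050 0101 0000 00 .....
"""

ETH_HDR_LEN = 14
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_sniffer_hexdump(dump: str) -> bytes:
    """Rebuild raw frame bytes from FortiOS sniffer hex lines ('0x0010 0048 8349 ...')."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:  # at most eight 16-bit groups per line
            if len(tok) in (2, 4) and all(c in "0123456789abcdef" for c in tok.lower()):
                out += bytes.fromhex(tok)
            else:
                break  # reached the ASCII column
    return bytes(out)


def split_udp(frame: bytes):
    """Return (offset of the UDP header, UDP payload) for an Ethernet/IPv4/UDP frame."""
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    udp_off = ETH_HDR_LEN + ihl
    return udp_off, frame[udp_off + 8:ETH_HDR_LEN + total_len]


def parse_capwap_header(payload: bytes) -> dict:
    """Decode the fixed CAPWAP header (RFC 5415 section 4.3); HLEN is in 4-byte words."""
    b1, b2, b3 = payload[1], payload[2], payload[3]
    return {
        "hlen": (b1 >> 3) * 4,
        "rid": ((b1 & 0x07) << 2) | (b2 >> 6),
        "wbid": (b2 >> 1) & 0x1F,  # 1 = IEEE 802.11
        "T": bool(b2 & 0x01),       # 0 = native (802.3) frame follows the header
        "W": bool(b3 & 0x20),       # wireless-specific information present
        "M": bool(b3 & 0x10),       # radio MAC address present
        "K": bool(b3 & 0x08),       # keep-alive
    }


def bpf_ethertype_offset(hlen: int) -> int:
    """Inner EtherType position in BPF 'udp[N]' terms: UDP header + CAPWAP header + two MACs."""
    return 8 + hlen + 12


def sniffer_filter(hlens) -> str:
    """Build the FortiOS sniffer filter for the given CAPWAP header lengths."""
    tests = " or ".join(f"udp[{bpf_ethertype_offset(h):#x}:2]=={ETHERTYPE_EAPOL:#x}" for h in hlens)
    return f"port 5247 and ({tests})"


def decode_eapol(inner: bytes) -> dict:
    """Decode the 802.3 header, the EAPOL header and, for EAP-Packet, the EAP header."""
    info = {"dst": inner[0:6].hex(":"), "src": inner[6:12].hex(":"),
            "ethertype": struct.unpack("!H", inner[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_EAPOL:
        return info
    ver, etype, elen = struct.unpack("!BBH", inner[14:18])
    info.update(eapol_version=ver, eapol_type=EAPOL_TYPES.get(etype, etype), eapol_len=elen)
    if etype == 0 and elen >= 4:
        code, eap_id, eap_len = struct.unpack("!BBH", inner[18:22])
        info.update(eap_code=EAP_CODES.get(code, code), eap_id=eap_id, eap_len=eap_len)
        if code in (1, 2) and eap_len > 4:  # Request/Response carry a type byte plus data
            info["eap_type"] = inner[22]
            info["eap_data"] = inner[23:18 + eap_len]
    return info


def analyse(dump: str) -> dict:
    frame = parse_sniffer_hexdump(dump)
    udp_off, payload = split_udp(frame)
    hdr = parse_capwap_header(payload)
    info = decode_eapol(payload[hdr["hlen"]:])
    info["capwap"] = hdr
    off = bpf_ethertype_offset(hdr["hlen"])
    info["bpf_offset"] = off
    # Cross-check: read the two bytes exactly where 'udp[off:2]' would look.
    info["bpf_match"] = frame[udp_off + off:udp_off + off + 2] == b"\x88\x8e"
    return info


if __name__ == "__main__":
    for name, dump in (("AP->STA", FRAME_AP_TO_STA), ("STA->AP", FRAME_STA_TO_AP)):
        print(name, analyse(dump))
    print(sniffer_filter([16, 24]))
```

Running it shows the first frame is an EAP Request-Identity (EAP id 72, identity prompt "hello") sent by the FortiGate towards the station, and the second is the station's EAPOL-Start; if a deployment produces CAPWAP headers of a different length (for example with the K flag or without wireless-specific information), pass those lengths to sniffer_filter to get a matching filter.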

eap_1.PNG

Example packet sniffer for EAP over RADIUS traffic:

The FortiGate passes the EAP messages through to the configured external RADIUS server.

diagnose sniffer packet any 'port 1812 or 1813' 6 0 l
interfaces=[any]
filters=[port 1812 or 1813]
2025-09-04 16:43:20.799089 PRIVATE_CLOUD out 10.253.200.1.23116 -> 10.250.0.21.1812: udp 324
0x0000 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010 0160 f642 0000 4011 a53d 0afd c801 0afa .`.B..@..=......
0x0020 0015 5a4c 0714 014c 5efb 0100 0144 ddfb ..ZL...L^....D..
0x0030 6b23 be20 3b1c 7222 0994 c9db 7869 010f k#..;.r"....xi..
...

eap_3.PNG


To convert the CLI packet captures to a Wireshark-readable .pcap file using a Perl script or the fgt2eth executable, check the following KB article: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark.

Additional FortiOS Diagnostics:

WPAD diagnostics can be taken simultaneously with packet captures to observe the FortiGate's EAP logic.


diagnose debug application wpad 7

diagnose debug enable

...

30183.137 4c:44:5b:00:aa:bb <eh> IEEE 802.1X (EAPOL 22B) <== 4c:44:5b:00:aa:bb ws (0-10.140.255.100:5246) rId 1 wId 1 e0:23:ff:11:cc:dd
IEEE 802.1X: 22 bytes from 4c:44:5b:00:aa:bb
IEEE 802.1X: version=1 type=0 length=18
30183.138 4c:44:5b:00:aa:bb <eh> recv IEEE 802.1X ver=1 type=0 (EAP_PACKET) data len=18
EAP: code=2 (response) identifier=174 length=18
65401.138 HOSTAPD: <0>10.140.255.100:5246<1-1> STA 4c:44:5b:00:aa:bb IEEE 802.1X: received EAP packet (code=2 id=174 len=18) from STA: EAP Response-Identity (1)
IEEE 802.1X: <0>10.140.255.100:5246<1-1> 4c:44:5b:00:aa:bb BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=174 respMethod=1 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=13):
0000: 75 73 65 72 2E 62 75 72 67 65 73 73 6D user.burgessm
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: -> PASSTHROUGH
EAP: EAP entering state INITIALIZE_PASSTHROUGH
EAP: EAP entering state AAA_REQUEST
EAP: EAP entering state AAA_IDLE
65401.139 HOSTAPD: <0>10.140.255.100:5246<1-1> STA 4c:44:5b:00:aa:bb IEEE 802.1X: STA identity 'user.burgessm'
Encapsulating EAP message into a RADIUS packet
65401.140 HOSTAPD: <0>10.140.255.100:5246<1-1> Sending RADIUS message
to authentication server 10.250.0.21 by sock 14
RADIUS message: code=1 (Access-Request) identifier=7 length=324
Attribute 1 (User-Name) length=15
Value: 'user.burgessm'
Attribute 4 (NAS-IP-Address) length=6
Value: 0.0.0.0
Attribute 32 (NAS-Identifier) length=34
Value: '10.140.255.100/5246-EAP-TLS_test'

...
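The debug above shows the FortiGate wrapping the EAP Response-Identity into a RADIUS Access-Request whose attributes carry the identity, NAS-IP-Address and NAS-Identifier. The following Python is an added example, not Fortinet code: it encodes that EAP response and the listed attributes into an Access-Request, adds the EAP-Message and Message-Authenticator attributes that RFC 3579 requires on EAP-carrying requests, and shows the verification a RADIUS server performs before it trusts the request. The shared secret and Request Authenticator are constructed placeholders; the identity, NAS-Identifier, RADIUS identifier (7) and EAP identifier (174) are taken from the debug output, and the encoded attribute lengths match the ones printed there (User-Name 15, NAS-IP-Address 6, NAS-Identifier 34, EAP length 18).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
RADIUS_HDR_LEN = 20

# Constructed placeholders: a real deployment uses the secret configured on both
# the FortiGate and the RADIUS server, and a random 16-byte Request Authenticator.
SHARED_SECRET = b"placeholder-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response (code 2), type Identity (1): code, id, length, type, identity bytes."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV; the length byte counts the 2-byte type/length header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(radius_id: int, identity: bytes, nas_identifier: bytes, eap: bytes) -> bytes:
    attrs = (attribute(USER_NAME, identity)
             + attribute(NAS_IP_ADDRESS, bytes(4))           # 0.0.0.0, as in the debug above
             + attribute(NAS_IDENTIFIER, nas_identifier)
             + attribute(EAP_MESSAGE, eap)
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeros until computed below
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, RADIUS_HDR_LEN + len(attrs))
    pkt = bytearray(header + REQUEST_AUTHENTICATOR + attrs)
    # RFC 3579 section 3.2: HMAC-MD5 keyed with the shared secret over the whole request
    # with the Message-Authenticator value zeroed; it is the last attribute here.
    pkt[-16:] = hmac.new(SHARED_SECRET, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def parse_attributes(pkt: bytes) -> list:
    """Return [(type, value), ...]; rejects malformed lengths instead of looping forever."""
    attrs, off = [], RADIUS_HDR_LEN
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated RADIUS attribute")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return attrs


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """An Access-Request carrying EAP-Message without a valid Message-Authenticator is discarded."""
    off = RADIUS_HDR_LEN
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += alen
    return False


def example_request() -> bytes:
    """The request described in the debug above: identity 'user.burgessm', RADIUS id 7, EAP id 174."""
    identity = b"user.burgessm"
    return build_access_request(7, identity, b"10.140.255.100/5246-EAP-TLS_test",
                                eap_response_identity(174, identity))


if __name__ == "__main__":
    pkt = example_request()
    for atype, value in parse_attributes(pkt):
        print(f"Attribute {atype} length={len(value) + 2} value={value!r}")
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, SHARED_SECRET))
```

The same HMAC check is what a server such as FortiAuthenticator applies when it logs "Received Access-Request" for an EAP session; a mismatch (wrong shared secret or a modified packet) results in the request being silently dropped, which on the FortiGate side looks like a RADIUS timeout rather than an Access-Reject.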

FortiAuthenticator Diagnostics:

If the remote RADIUS service is hosted on FortiAuthenticator, the RADIUS diagnostics can be found in the FortiAuthenticator GUI at 'https://<fortiauthenticator_domain>:port/debug', under Log Categories -> RADIUS -> Authentication.

eap_2.PNG


2025-09-04T16:43:20.788177-07:00 FortiAuthenticator radiusd[11912]: (2) Received Access-Request Id 0 from 10.253.200.1:23116 to 10.250.0.21:1812 length 324
2025-09-04T16:43:20.788182-07:00 FortiAuthenticator radiusd[11912]: (2) User-Name = "user.burgessm"
2025-09-04T16:43:20.788186-07:00 FortiAuthenticator radiusd[11912]: (2) NAS-IP-Address = 0.0.0.0
2025-09-04T16:43:20.788188-07:00 FortiAuthenticator radiusd[11912]: (2) NAS-Identifier = "10.140.255.100/5246-EAP-TLS_test"
...


After successful RADIUS authentication, the FortiGate continues the WPA key exchange (4-way handshake) with the FortiAP.

IEEE 802.1X: <0>10.140.255.100:5246<1-1> 4c:44:5b:00:aa:bb BE_AUTH entering state SUCCESS
65401.438 HOSTAPD: <0>10.140.255.100:5246<1-1> STA 4c:44:5b:00:aa:bb IEEE 802.1X: Sending EAP Packet (identifier 180)
...
65401.439 HOSTAPD: <0>10.140.255.100:5246<1-1> sent E2C_8021X (154 bytes) to /tmp/cwCwAcSocket
IEEE 802.1X: <0>10.140.255.100:5246<1-1> 4c:44:5b:00:aa:bb BE_AUTH entering state IDLE
WPA: <0>10.140.255.100:5246<1-1> 4c:44:5b:00:aa:bb WPA_PTK entering state INITPMK
WPA: 4c:44:5b:00:aa:bbPMK from EAPOL state machine (MSK len=64 PMK len=32)
WPA: <0>10.140.255.100:5246<1-1> 4c:44:5b:00:aa:bb WPA_PTK entering state PTKSTART
65401.440 HOSTAPD: <0>10.140.255.100:5246<1-1> STA 4c:44:5b:00:aa:bb WPA: sending 1/4 msg of 4-Way Handshake
30183.440 4c:44:5b:00:aa:bb <eh> send 1/4 msg of 4-Way Handshake

IP fragmentation:

EAP methods secured by an X.509 certificate (for example EAP-TLS) may use packets larger than the MTU of one or more devices along the path, which can cause authentication failures. For options to reduce fragmentation on the CAPWAP side, check FortiWiFi and FortiAP Configuration Guide: IP fragmentation of packets in CAPWAP tunnels.


If the FortiGate communicates with the external RADIUS server over an IPsec tunnel, ensure the MTU of the IPsec tunnel is set correctly and that fragmentation is set to pre-encapsulation. See the article Technical Tip: EAP TLS Authentication does not work over IPSec Overlay.
