FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
btey
Staff & Editor
Article Id 332198
Description This article describes a scenario where RADIUS authentication fails because the RADIUS client IP is covered by both an individual host object and a range/subnet object.
Scope FortiAuthenticator.
Solution

Go to Authentication -> RADIUS Service -> Clients.

Two RADIUS client objects are configured: a subnet 10.x.3.0/24 and a host IP 10.x.3.23, which lies inside that subnet.

 

[Image: radius_client.png]

In the RADIUS policy (Authentication -> RADIUS Service -> Policies), only the subnet-based RADIUS client is selected:

 

[Image: radius_policy.png]

 

In a packet capture, FortiAuthenticator returns Access-Reject even though the RADIUS client 10.x.3.23 falls within the subnet 10.x.3.0/24:

 

[Image: radius_pcap.png]

FortiAuthenticator first identifies the configured RADIUS client by taking the longest prefix match on the request's source IP, and only then looks for a RADIUS policy that includes that client. In this example the host object 10.x.3.23 (/32) is the longest prefix match, but the policy only selects the subnet object 10.x.3.0/24, so no policy applies to the request and it is rejected.

To resolve this, either add the longest-prefix-match RADIUS client (the host object) to the RADIUS policy, or remove the host RADIUS client entry if the subnet/range object is the one that should be used.
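The lookup order described above, modelled as a small Python example added to this article (it is not FortiAuthenticator code; the client names, the policy set and the 10.0.3.0/24 addresses are constructed stand-ins for the article's 10.x.3.0/24 and 10.x.3.23). It shows why the host request is rejected and how either remediation changes the result.

```python
import ipaddress

# Constructed RADIUS client objects mirroring the article: a /24 subnet
# object and a single-host object that lies inside it.
RADIUS_CLIENTS = {
    "subnet-clients": ipaddress.ip_network("10.0.3.0/24"),
    "host-10.0.3.23": ipaddress.ip_network("10.0.3.23/32"),
}

# Constructed policy: only the subnet-based client is selected,
# as in the article's radius_policy screenshot.
POLICY_CLIENTS = {"subnet-clients"}


def match_client(src_ip, clients=RADIUS_CLIENTS):
    """Return the name of the client object with the longest prefix match
    for src_ip, or None if no object contains the address."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for name, net in clients.items():
        if ip in net and (best is None or net.prefixlen > clients[best].prefixlen):
            best = name
    return best


def policy_admits(src_ip, policy_clients=POLICY_CLIENTS, clients=RADIUS_CLIENTS):
    """Model the lookup order: pick the longest-prefix client first, then
    check whether the policy lists that exact client. Returns
    (matched_client_name, admitted)."""
    name = match_client(src_ip, clients)
    return name, name is not None and name in policy_clients


def remediation_add_host_to_policy(src_ip):
    """Option 1 from the article: add the host client object to the policy."""
    return policy_admits(src_ip, policy_clients=POLICY_CLIENTS | {"host-10.0.3.23"})


def remediation_remove_host_object(src_ip):
    """Option 2 from the article: delete the host object so the subnet
    object becomes the longest prefix match."""
    subnet_only = {k: v for k, v in RADIUS_CLIENTS.items() if k != "host-10.0.3.23"}
    return policy_admits(src_ip, clients=subnet_only)
```

Running `policy_admits("10.0.3.23")` reproduces the Access-Reject case, while a neighbouring address such as 10.0.3.50 matches the subnet object and is admitted.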

Contributors