An EAP Server certificate is mandatory when the authentication method is configured for 802.1X. The EAP Server certificate configuration can be found under the following path in the dashboard: Authentication -> RADIUS Service -> Certificates.

If authentication has been working all along and suddenly stops working, check the RADIUS debug log via the following link: https://<FAC_IP/FQDN>/debug/

The debug log provides detailed information about the actual root cause of a failed authentication attempt. When the EAP server certificate has expired, the following log entries are shown:

2024-12-07T08:38:30.170116+08:00 FAC01 radiusd[9140]: (5929453) eap: Expiring EAP session with state 0x001266ce07ea7ffd
2024-12-07T08:38:30.170128+08:00 FAC01 radiusd[9140]: (5929453) eap: Finished EAP session with state 0x577c0a765dc2078c
2024-12-07T08:38:30.170138+08:00 FAC01 radiusd[9140]: (5929453) eap: Previous EAP request found for state 0x577c0a765dc2078c, released from the list
2024-12-07T08:38:30.170151+08:00 FAC01 radiusd[9140]: (5929453) eap: Peer sent packet with method EAP TLS (13)
2024-12-07T08:38:30.170158+08:00 FAC01 radiusd[9140]: (5929453) eap: Calling submodule eap_tls to process data
2024-12-07T08:38:30.170192+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) EAP Peer says that the final record size will be 24 bytes
2024-12-07T08:38:30.170199+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) EAP Got all data (24 bytes)
2024-12-07T08:38:30.170238+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) recv TLS 1.3 Alert, fatal certificate_expired
2024-12-07T08:38:30.170252+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) The client is informing us that it believes that the server certificate has expired. Either renew the server certificate, or check the time on the client. <----------
2024-12-07T08:38:30.170261+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Alert read:fatal:certificate expired
2024-12-07T08:38:30.170281+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Error in fragmentation logic - code 1
2024-12-07T08:38:30.170302+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Failed reading application data from OpenSSL: error:0A000415:SSL routines::sslv3 alert certificate expired
2024-12-07T08:38:30.170314+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: [eaptls process] = fail
2024-12-07T08:38:30.170328+08:00 FAC01 radiusd[9140]: (5929453) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
2024-12-07T08:38:30.170346+08:00 FAC01 radiusd[9140]: (5929453) eap: Sending EAP Failure (code 4) ID 190 length 4
The line marked with the arrow in the example indicates that the EAP Server Certificate has expired: the client (supplicant) rejected the certificate during the TLS handshake with a fatal certificate_expired alert, so the EAP session ends in an EAP Failure.
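The debug page can be long, and the one line that matters is easy to miss among the surrounding EAP state messages. The following added example (not part of the original article or of FortiAuthenticator) parses radiusd lines in the syslog-style format shown above, groups them by the request ID in parentheses, and reports every EAP session in which the peer sent a fatal TLS alert, together with the corrective action. The sample log is constructed here for the example, modelled on the entries above; the host name, request IDs and timestamps are placeholders, and the action table is an assumption, not FortiAuthenticator output.

```python
import re
from collections import Counter

# One radiusd line in the FortiAuthenticator debug log looks like:
#   <timestamp> <host> radiusd[<pid>]: (<request-id>) <module>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+radiusd\[(?P<pid>\d+)\]:\s+"
    r"\((?P<req>\d+)\)\s+(?P<module>\w+):\s+(?P<msg>.*)$"
)

# The eap_tls sub-module logs a received fatal alert as
#   (TLS) recv TLS 1.3 Alert, fatal <alert_name>
ALERT_RE = re.compile(r"recv TLS [\d.]+ Alert, fatal (?P<alert>\w+)")

# Assumed mapping from TLS alert name to the defender's next step.
ALERT_ACTIONS = {
    "certificate_expired": "renew the EAP server certificate, or check the client clock",
    "unknown_ca": "the client does not trust the issuing CA; deploy the CA to clients",
    "bad_certificate": "client rejected the server certificate; check chain and key usage",
}


def parse_line(line):
    """Split one radiusd log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_tls_alerts(lines):
    """Return {request_id: finding} for every EAP session where the peer sent a fatal TLS alert."""
    findings = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["module"] != "eap_tls":
            continue
        am = ALERT_RE.search(rec["msg"])
        if am is None:
            continue
        alert = am.group("alert")
        findings[rec["req"]] = {
            "timestamp": rec["ts"],
            "host": rec["host"],
            "alert": alert,
            "action": ALERT_ACTIONS.get(alert, "inspect the TLS handshake in the debug log"),
        }
    return findings


def alert_summary(lines):
    """Count fatal TLS alerts by alert name across all sessions in the log."""
    return Counter(f["alert"] for f in find_tls_alerts(lines).values())


# Constructed sample log: one healthy session, one expired-certificate
# session (mirroring the article's trace) and one untrusted-CA session.
SAMPLE_LOG = """\
2024-12-07T08:38:29.000001+08:00 FAC01 radiusd[9140]: (5929450) eap: Peer sent packet with method EAP TLS (13)
2024-12-07T08:38:29.000002+08:00 FAC01 radiusd[9140]: (5929450) eap_tls: (TLS) EAP Got all data (24 bytes)
2024-12-07T08:38:29.000003+08:00 FAC01 radiusd[9140]: (5929450) eap: Sending EAP Success (code 3) ID 12 length 4
2024-12-07T08:38:30.170151+08:00 FAC01 radiusd[9140]: (5929453) eap: Peer sent packet with method EAP TLS (13)
2024-12-07T08:38:30.170238+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) recv TLS 1.3 Alert, fatal certificate_expired
2024-12-07T08:38:30.170261+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Alert read:fatal:certificate expired
2024-12-07T08:38:30.170346+08:00 FAC01 radiusd[9140]: (5929453) eap: Sending EAP Failure (code 4) ID 190 length 4
2024-12-07T08:38:31.000001+08:00 FAC01 radiusd[9140]: (5929460) eap_tls: (TLS) recv TLS 1.2 Alert, fatal unknown_ca
2024-12-07T08:38:31.000002+08:00 FAC01 radiusd[9140]: (5929460) eap: Sending EAP Failure (code 4) ID 191 length 4
"""

if __name__ == "__main__":
    for req, f in find_tls_alerts(SAMPLE_LOG.splitlines()).items():
        print(f"{f['timestamp']} {f['host']} request {req}: {f['alert']} -> {f['action']}")
    print(dict(alert_summary(SAMPLE_LOG.splitlines())))
```

Run it against a saved copy of the debug page (for example `find_tls_alerts(open("radius-debug.log").readlines())`) to get one line per failing session instead of scanning the whole trace by eye; a steady stream of certificate_expired alerts from many clients after a fixed date points at the server certificate, while a single client producing them with everyone else succeeding points at that client's clock, as the log message itself notes.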
To resolve this issue, renew the certificate so that it has a valid expiry date; authentication will then start working again. If the default factory certificate is in use, refer to the following article to renew it: Troubleshooting-Tip-Fix-an-expired-default-server-certificate
If the certificate was signed by an external Certificate Authority (public or private), the renewal has to be processed by that CA, and the renewed certificate must then be imported into FortiAuthenticator.