Troubleshooting Tip: Troubleshooting connection issue due to expired EAP certificate

kcheng · ‎12-27-2024

Description

This article describes the troubleshooting steps when a user fails to authenticate via the 802.1x method due to the expiry of the EAP certificate.

Scope

FortiAuthenticator.

Solution

An EAP Server certificate is mandatory when the authentication method is configured for 802.1x. The EAP Server certificate configuration can be found via the following path in the dashboard: Authentication -> RADIUS Service -> Certificates.

If the authentication has been working all the while and happens to stop working all of a sudden, check the RADIUS debug log via the following link: https://<FAC_IP/FQDN>/debug/

The debug log would provide detailed information about the actual root cause of an authentication attempt failure. In the EAP server certificate that has expired, the following logs will be shown:

2024-12-07T08:38:30.170116+08:00 FAC01 radiusd[9140]: (5929453) eap: Expiring EAP session with state 0x001266ce07ea7ffd
2024-12-07T08:38:30.170128+08:00 FAC01 radiusd[9140]: (5929453) eap: Finished EAP session with state 0x577c0a765dc2078c
2024-12-07T08:38:30.170138+08:00 FAC01 radiusd[9140]: (5929453) eap: Previous EAP request found for state 0x577c0a765dc2078c, released from the list
2024-12-07T08:38:30.170151+08:00 FAC01 radiusd[9140]: (5929453) eap: Peer sent packet with method EAP TLS (13)
2024-12-07T08:38:30.170158+08:00 FAC01 radiusd[9140]: (5929453) eap: Calling submodule eap_tls to process data
2024-12-07T08:38:30.170192+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) EAP Peer says that the final record size will be 24 bytes
2024-12-07T08:38:30.170199+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) EAP Got all data (24 bytes)
2024-12-07T08:38:30.170238+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) recv TLS 1.3 Alert, fatal certificate_expired
2024-12-07T08:38:30.170252+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: (TLS) The client is informing us that it believes that the server certificate has expired. Either renew the server certificate, or check the time on the client. <----------
2024-12-07T08:38:30.170261+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Alert read:fatal:certificate expired
2024-12-07T08:38:30.170281+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Error in fragmentation logic - code 1
2024-12-07T08:38:30.170302+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: (TLS) Failed reading application data from OpenSSL: error:0A000415:SSL routines::sslv3 alert certificate expired
2024-12-07T08:38:30.170314+08:00 FAC01 radiusd[9140]: (5929453) eap_tls: ERROR: [eaptls process] = fail
2024-12-07T08:38:30.170328+08:00 FAC01 radiusd[9140]: (5929453) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
2024-12-07T08:38:30.170346+08:00 FAC01 radiusd[9140]: (5929453) eap: Sending EAP Failure (code 4) ID 190 length 4

Referring to the line being pointed out in the example, it is indicating that the EAP Server Certificate has expired.

To resolve this issue, renew the certificate with a valid expiry date and the authentication will start working. If default factory certificates are used, refer to the following link to renew the certificate: Troubleshooting-Tip-Fix-an-expired-default-server-certificate

If the certificate has been signed by an external Certificate Authority (public/private), the certificate renewal has to be processed by the respective party and be imported into FortiAuthenticator after the certificate has been renewed.

Troubleshooting Tip: Troubleshooting connection issue due to expired EAP certificate

You are leaving our website