This article describes how to handle an issue where users cannot connect to the Wi-Fi and receive the error 'Can’t connect to network'.

1. Confirm the log for Wi-Fi and FortiAP logs:
   

Description: Wireless client RADIUS authentication failure.

Action: ActionRADIUS-auth-failureReasonReserved 0.

2. Run the Wi-Fi debug logs:

diagnose wireless-controller wlac sta_filter <MAC> 2

diagnose debug console timestamp e

diagnose debug application cw_acd 0x7f

diagnose debug enable

Note: <MAC> is the MAC address of the device connecting to the SSID:

For example:

diagnose wireless-controller wlac sta_filter 2c:4d:54:bd:5d:56 2

diagnose debug console timestamp e

diagnose debug application cw_acd 0x7f

diagnose debug enable

3. Confirm if the following output from the debug is visible:

    

v2023-01-12 13:56:05 53365.510 04:ea:56:xx:xx:xx <eh> recv IEEE 802.1X ver=1 type=0 (EAP_PACKET) data len=37

2023-01-12 13:56:05 53365.510 04:ea:56:xx:xx:xx <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=17 len=349

2023-01-12 13:56:05 53365.516 04:ea:56:xx:xx:xx <eh> RADIUS message (type=0) <== RADIUS Server code=3 (Access-Reject) id=17 len=44

If the logs show Access-Reject responses, the issue originates from the RADIUS server, not the FortiGate.

It’s also recommended to verify whether authentication failures began after upgrading to firmware versions v7.2.10, v7.4.5, or v7.6.1, which include fixes for the Blast RADIUS vulnerability (CVE-2024-3596).
Related documentation provides further details, solutions, and workarounds.

Related documents:

• Troubleshooting Tip: Radius connection issue with Microsoft NPAS after FortiGate upgraded to v7.2.10...
• FortiGate v7.2.10 - Release notes
• Technical Tip: Workaround for Blast RADIUS mitigation behavior in v7.2.11, v7.4.6 and v7.6.1
• Troubleshooting Tip: RADIUS authentication troubleshooting