| Description |
This article describes how to handle an issue where users cannot connect to the Wi-Fi and receive the error 'Can’t connect to network'.
|
| Scope | FortiGate v6.4.x, v7.0.x, v7.2.x. |
| Solution |
Description: Wireless client RADIUS authentication failure. Action: ActionRADIUS-auth-failureReasonReserved 0.
diagnose wireless-controller wlac sta_filter <MAC> 2 diagnose debug console timestamp enable diagnose debug application cw_acd 0x7f diagnose debug enable
To disable debugs:
diagnose debug disable
diagnose debug reset
Note: <MAC> is the MAC address of the device connecting to the SSID:
For example:
diagnose wireless-controller wlac sta_filter 2c:4d:54:bd:5d:56 2 diagnose debug console timestamp enable diagnose debug application cw_acd 0x7f diagnose debug enable
v2023-01-12 13:56:05 53365.510 04:ea:56:xx:xx:xx <eh> recv IEEE 802.1X ver=1 type=0 (EAP_PACKET) data len=37 2023-01-12 13:56:05 53365.510 04:ea:56:xx:xx:xx <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=17 len=349 2023-01-12 13:56:05 53365.516 04:ea:56:xx:xx:xx <eh> RADIUS message (type=0) <== RADIUS Server code=3 (Access-Reject) id=17 len=44
If the logs show Access-Reject responses, the issue originates from the RADIUS server, not the FortiGate. It’s also recommended to verify whether authentication failures began after upgrading to firmware versions v7.2.10, v7.4.5, or v7.6.1, which include fixes for the Blast RADIUS vulnerability (CVE-2024-3596).
Related documents: FortiGate v7.2.10 - Release notes Technical Tip: Workaround for Blast RADIUS mitigation behavior in v7.2.11, v7.4.6 and v7.6.1 |
