avalle_FTNT
Staff
Article Id 196660
Description

 

This article explains how to troubleshoot FortiWiFi client connections using the client MAC address.

 

Scope

 

FortiGate, FortiAP.

 

Solution

 

The following commands help troubleshoot connection issues in a wireless environment. First, reset any existing debug settings:

 

diagnose debug reset

 

Check whether a filter is already configured:

 

diagnose wireless-controller wlac sta_filter

 

To delete filters:

 

diagnose wireless-controller wlac sta_filter clear

 

Add timestamps to the debug output:

 

diagnose debug console timestamp enable

 

Add a client MAC filter:

 

Important Note:

If the FortiGate is in multi-VDOM mode, these commands can only be executed in the Global VDOM. They cannot be executed in other VDOMs.

 

diagnose wireless-controller wlac sta_filter <MAC> <verbose>
diagnose wireless-controller wlac sta_filter 2c:4d:54:bd:5d:56 255
diagnose debug enable

 

Connect the PC to the correct SSID on the FortiWiFi/FortiAP and wait until the connection fails.

 

Stop debugging with:

 

diagnose debug disable

 

Example:

 

83689.180 2c:4d:54:bd:5d:56 <ih> IEEE 802.11 mgmt::assoc_req <== 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) vap WiFi rId 0 wId 0 90:6c:ac:39:20:25 <---- SSID
83689.181 2c:4d:54:bd:5d:56 cw_sta_load_chk ws (0-192.168.1.111:5246) rId 0 wId 0 sta 2c:4d:54:bd:5d:56 <------------- client MAC
83689.181 2c:4d:54:bd:5d:56 cw_sta_balancing: ws (0-192.168.1.111:5246) 2c:4d:54:bd:5d:56 enters balancing, rId 0, wId 0, fho 0, apho 0, 5G 0, sta_cnt 0, sta_th 30
83689.181 2c:4d:54:bd:5d:56 cw_sta_balancing: ws (0-192.168.1.111:5246) 2c:4d:54:bd:5d:56 exits balancing, no need
83689.182 2c:4d:54:bd:5d:56 <ih> IEEE 802.11 mgmt::assoc_resp ==> 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) vap WiFi rId 0 wId 0 90:6c:ac:39:20:25
83689.183 2c:4d:54:bd:5d:56 <dc> STA add 2c:4d:54:bd:5d:56 vap WiFi ws (0-192.168.1.111:5246) rId 0 wId 0 bssid 90:6c:ac:39:20:25 NON-AUTH   band 0x8 mimo 1*0
83689.183 2c:4d:54:bd:5d:56 <cc> STA_CFG_REQ(174) sta 2c:4d:54:bd:5d:56 add ==> ws (0-192.168.1.111:5246) rId 0 wId 0
83690.187 2c:4d:54:bd:5d:56 <cc> STA add 2c:4d:54:bd:5d:56 vap WiFi ws (0-192.168.1.111:5246) rId 0 wId 0 90:6c:ac:39:20:25 sec WPA2 PERSONAL auth 0 <---- Authentication type
83690.188 2c:4d:54:bd:5d:56 cwAcStaRbtAdd: I2C_STA_ADD insert sta 2c:4d:54:bd:5d:56 192.168.1.111/0/0/1
83690.193 2c:4d:54:bd:5d:56 <cc> STA_CFG_RESP(174) 2c:4d:54:bd:5d:56 <== ws (0-192.168.1.111:5246) rc 0 (Success)
24220.194 2c:4d:54:bd:5d:56 <eh>     send 1/4 msg of 4-Way Handshake
24220.194 2c:4d:54:bd:5d:56 <eh>     send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=95 replay cnt 1
24220.194 2c:4d:54:bd:5d:56 <eh> IEEE 802.1X (EAPOL 99B) ==> 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) rId 0 wId 0 90:6c:ac:39:20:25
24220.310 2c:4d:54:bd:5d:56 <eh> IEEE 802.1X (EAPOL 121B) <== 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) rId 0 wId 0 90:6c:ac:39:20:25
24220.310 2c:4d:54:bd:5d:56 <eh>     recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=117
24220.311 2c:4d:54:bd:5d:56 <eh>     recv EAPOL-Key 2/4 Pairwise replay cnt 1
24220.311 2c:4d:54:bd:5d:56 <eh>     send 3/4 msg of 4-Way Handshake
24220.312 2c:4d:54:bd:5d:56 <eh>     send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=151 replay cnt 2
24220.312 2c:4d:54:bd:5d:56 <eh> IEEE 802.1X (EAPOL 155B) ==> 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) rId 0 wId 0 90:6c:ac:39:20:25
24220.318 2c:4d:54:bd:5d:56 <eh> IEEE 802.1X (EAPOL 99B) <== 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) rId 0 wId 0 90:6c:ac:39:20:25
24220.319 2c:4d:54:bd:5d:56 <eh>     recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=95
24220.319 2c:4d:54:bd:5d:56 <eh>     recv EAPOL-Key 4/4 Pairwise replay cnt 2
83690.321 2c:4d:54:bd:5d:56 <dc> STA chg 2c:4d:54:bd:5d:56 vap WiFi ws (0-192.168.1.111:5246) rId 0 wId 0 bssid 90:6c:ac:39:20:25 AUTH
83690.321 2c:4d:54:bd:5d:56 <cc> STA chg 2c:4d:54:bd:5d:56 vap WiFi ws (0-192.168.1.111:5246) rId 0 wId 0 90:6c:ac:39:20:25 sec WPA2 PERSONAL auth 1 ******
83690.322 2c:4d:54:bd:5d:56 <cc> STA_CFG_REQ(175) sta 2c:4d:54:bd:5d:56 add key (len=16) ==> ws (0-192.168.1.111:5246) rId 0 wId 0
83690.325 2c:4d:54:bd:5d:56 <cc> STA_CFG_RESP(175) 2c:4d:54:bd:5d:56 <== ws (0-192.168.1.111:5246) rc 0 (Success)
24220.326 2c:4d:54:bd:5d:56 <eh>     ***pairwise key handshake completed*** (RSN)
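
The following Python example is added here and is not Fortinet code: it reads saved debug output in the format shown above and reports the first join milestone that is missing for a given client MAC. The function name `join_progress`, the stage labels, and treating a non-zero `rc` in `STA_CFG_RESP` as a failure are assumptions; the sample input is constructed by truncating the trace above.

```python
import re

# Milestones of a WPA2-Personal join, in the order the debug output above shows them.
STAGES = [
    ("assoc_req",  r"mgmt::assoc_req <=="),
    ("assoc_resp", r"mgmt::assoc_resp ==>"),
    ("eapol_1of4", r"send 1/4 msg of 4-Way Handshake"),
    ("eapol_2of4", r"recv EAPOL-Key 2/4"),
    ("eapol_3of4", r"send 3/4 msg of 4-Way Handshake"),
    ("eapol_4of4", r"recv EAPOL-Key 4/4"),
    ("key_done",   r"pairwise key handshake completed"),
]
# "<timestamp> <client MAC> <message>", as produced with console timestamps enabled.
LINE = re.compile(r"^\s*(\d+\.\d+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(.*)$", re.I)
# Assumption: any rc other than 0 means the station config request was rejected.
RC = re.compile(r"STA_CFG_RESP\((\d+)\).*\brc (\d+)")

def join_progress(log_text, mac):
    """Summarise how far one client got; lines are read in file order."""
    seen, failed_cfg = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2).lower() != mac.lower():
            continue  # other clients, wrapped lines, CLI prompts
        msg = m.group(3)
        for name, pattern in STAGES:
            if name not in seen and re.search(pattern, msg):
                seen.append(name)
        rc = RC.search(msg)
        if rc and rc.group(2) != "0":
            failed_cfg.append((m.group(1), int(rc.group(1)), int(rc.group(2))))
    stalled = next((n for n, _ in STAGES if n not in seen), None)
    return {"seen": seen, "stalled_before": stalled, "failed_cfg": failed_cfg}

# Constructed sample: lines from the article's trace, cut off after message 1/4
# to imitate a client that never answers the handshake.
SAMPLE_STALLED = """\
83689.180 2c:4d:54:bd:5d:56 <ih> IEEE 802.11 mgmt::assoc_req <== 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) vap WiFi rId 0 wId 0 90:6c:ac:39:20:25
83689.182 2c:4d:54:bd:5d:56 <ih> IEEE 802.11 mgmt::assoc_resp ==> 2c:4d:54:bd:5d:56 ws (0-192.168.1.111:5246) vap WiFi rId 0 wId 0 90:6c:ac:39:20:25
83690.193 2c:4d:54:bd:5d:56 <cc> STA_CFG_RESP(174) 2c:4d:54:bd:5d:56 <== ws (0-192.168.1.111:5246) rc 0 (Success)
24220.194 2c:4d:54:bd:5d:56 <eh>     send 1/4 msg of 4-Way Handshake
"""

if __name__ == "__main__":
    print(join_progress(SAMPLE_STALLED, "2c:4d:54:bd:5d:56"))
```

A `stalled_before` value of `None` means every milestone up to the completed pairwise key handshake was seen for that client.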

 

Related document:

FortiWiFi and FortiAP Configuration Guide > Troubleshooting