FortiGate
jiahoong112
Staff
Article Id 411791
Description

This article describes the case where EAP-TLS authentication on a WPA2-Enterprise (802.1X) SSID fails when the RADIUS server is configured by FQDN rather than by IP address.

When FortiAuthenticator Cloud is used, only the FQDN of the FortiAuthenticator Cloud instance can be used as the RADIUS server address.

Scope

FortiOS v7.4.7, v7.4.8, v7.6.3, v7.6.4.
Solution

In this case, a WPA2-Enterprise SSID (which uses 802.1X authentication) with the EAP-TLS certificate-based authentication method is used.

  1. RADIUS server configuration: RADIUS connectivity to FortiAuthenticator Cloud uses RADIUS over TLS (RadSec) on TCP port 2083. The connection test to the RADIUS server succeeds, and a username/password can be authenticated against it successfully.

  2. SSID configuration: ensure the Security mode is WPA2-Enterprise and Authentication is set to RADIUS Server.

An attempt to connect to the Wi-Fi SSID is unsuccessful.

Running the wpad debug at level 7 in the FortiGate CLI produces the following output:

diagnose debug application wpad 7
diagnose debug enable


<truncated>

65080.972 HOSTAPD: <0>192.168.1.112:5246<1-0>  STA c8:8a:9a:5f:18:c4 IEEE 802.1X: STA identity <redact>
Encapsulating EAP message into a RADIUS packet
65080.973 RADIUS: Authentication server :2083
65080.973 DNS req ipv6 0x201f '<redact>.fortitrustid.forticloud.com'
65080.973 DNS maintainer started.
65080.973 RADIUS: tcps_open() failed
65080.974 HOSTAPD: <0><redacted-ip>:5246<1-0>  RADIUS No authentication server configured
65081.217 got IPv6 DNS reply, req-id=0x201f
65081.217 DNS req 0x1f is removed. Current total: 2
65081.217 DNS maintainer stopped.
Resolved <redact>.fortitrustid.forticloud.com to :: [i=0]
IEEE 802.1X: c8:8a:9a:5f:18:c4 - (EAP) retransWhile --> 0


<truncated>

 

To disable the debug:

diagnose debug disable


During the 802.1X authentication, the FortiGate can be seen performing IPv6 DNS resolution of the RADIUS server FQDN instead of IPv4. The lookup returns the unspecified address '::' because the FQDN has no IPv6 address, so the RADIUS over TLS connection (tcps_open) cannot be opened; IPv4 DNS resolution should be used in this case. This is a known issue that is currently being investigated.
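To make this failure signature easy to spot in a capture, the following added helper (example code written for this article, not a Fortinet tool) correlates the DNS requests for the RADIUS server FQDN with the address the resolver returned and with the tcps_open() result. The sample text is constructed from the redacted excerpt above; the 'ipv4' request form is assumed to be logged like the 'ipv6' form, which is the only one shown here.

```python
import re

# Constructed sample, modelled on the redacted wpad debug excerpt in this article.
SAMPLE = (
    "65080.973 RADIUS: Authentication server :2083\n"
    "65080.973 DNS req ipv6 0x201f '<redact>.fortitrustid.forticloud.com'\n"
    "65080.973 DNS maintainer started.\n"
    "65080.973 RADIUS: tcps_open() failed\n"
    "65080.974 HOSTAPD: <0><redacted-ip>:5246<1-0>  RADIUS No authentication server configured\n"
    "65081.217 got IPv6 DNS reply, req-id=0x201f\n"
    "65081.217 DNS maintainer stopped.\n"
    "Resolved <redact>.fortitrustid.forticloud.com to :: [i=0]\n"
)

# Only the 'ipv6' request form appears in the article; 'ipv4' is assumed (not confirmed)
# to be logged the same way. Patterns are searched over the whole text, so raw CLI
# captures in which several records run together on one line are handled too.
DNS_REQ = re.compile(r"DNS req (ipv[46]) 0x[0-9a-fA-F]+ '([^']+)'")
RESOLVED = re.compile(r"Resolved (\S+) to (\S+)")
RADSEC_FAIL = re.compile(r"RADIUS: tcps_open\(\) failed")
NO_SERVER = re.compile(r"RADIUS No authentication server configured")
UNUSABLE = {"::", "0.0.0.0"}  # unspecified addresses: the lookup produced nothing usable


def triage_wpad_debug(text: str) -> dict:
    """Summarise a 'diagnose debug application wpad 7' capture.

    Flags the combination this article describes: the RADIUS FQDN is looked up
    over IPv6 only, the answer is '::', and the RadSec (TCP/2083) connect fails.
    """
    families = {}  # fqdn -> set of address families requested for it
    for family, fqdn in DNS_REQ.findall(text):
        families.setdefault(fqdn, set()).add(family.lower())
    answers = dict(RESOLVED.findall(text))  # fqdn -> address the resolver returned
    report = {
        "radius_fqdns": sorted(families),
        "ipv6_only_lookup": sorted(f for f, fam in families.items() if fam == {"ipv6"}),
        "unusable_answer": sorted(f for f, a in answers.items() if a in UNUSABLE),
        "radsec_connect_failed": bool(RADSEC_FAIL.search(text)),
        "no_auth_server": bool(NO_SERVER.search(text)),
    }
    report["matches_article_pattern"] = bool(
        report["ipv6_only_lookup"] and report["unusable_answer"] and report["radsec_connect_failed"]
    )
    return report


if __name__ == "__main__":
    for key, value in triage_wpad_debug(SAMPLE).items():
        print(f"{key}: {value}")
```

When matches_article_pattern is True, the dns-database workaround below applies; a healthy capture shows an IPv4 lookup with a routable answer and no tcps_open() failure.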

Workaround:

Create a DNS database entry on the FortiGate for the RADIUS server FQDN:


config system dns-database
    edit fortitrust
        set domain forticloud.com
        config dns-entry
            edit 1
                set hostname fortitrust.forticloud.com
                set ip <IP address>
            next
        end
    next
end

This allows the FortiGate to use the IPv4 address stored in its DNS database for the FQDN. The limitation of this workaround is that the entry is static: if the FQDN resolves to a dynamic IP address, the entry must be updated whenever that address changes.