FortiGate
arleniscg
Staff
Article Id 332432
Description: This article describes an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) deployment for wireless users in which the RADIUS server is reachable only over an IPsec VPN, and how to troubleshoot delayed or missing responses from that RADIUS server.
Scope: FortiGate, FortiAP.
 

Topology:

The wireless user at the remote site authenticates with EAP-TLS against a RADIUS server at the central site; the two sites are connected by an IPsec VPN.

 

[Topology diagram]

 

In this example, FortiGate B is acting as the wireless controller for the on-site FortiAP.

 

With that configuration, the EAPOL exchange between the client and the FortiAP is carried to FortiGate B inside the CAPWAP data channel (UDP 5247) and terminates there. FortiGate B encapsulates the EAP messages in RADIUS packets (EAP-Message attributes) and sends them to the RADIUS server over the IPsec tunnel. FortiGate A sees this only as forwarded (data) traffic and processes it according to its local routing and firewall policies.

 

Debug on FortiGate B: to see the authentication process, enable debugging for the remote station with MAC address aa:bb:cc:e6:c2:c9:

 

diagnose wireless-controller wlac sta_filter clear
diagnose wireless-controller wlac sta_filter aa:bb:cc:e6:c2:c9 255
diagnose debug console timestamp enable
diagnose debug enable

Verify that the station filter is active before reproducing the connection:

diagnose wireless-controller wlac sta_filter
STA Filter Index 0/1 sta aa:bb:cc:e6:c2:c9 log-enabled 255


2024-08-07 14:46:39 01589.157 aa:bb:cc:e6:c2:c9 <ih> IEEE 802.11 mgmt::assoc_req <== aa:bb:cc:e6:c2:c9 ws (1-10.136.8.131:5246) ...
...
2024-08-07 14:46:39 01589.158 aa:bb:cc:e6:c2:c9 <ih> IEEE 802.11 mgmt::assoc_resp ==> aa:bb:cc:e6:c2:c9 ws (1-10.136.8.131:5246) ...
..
2024-08-07 14:47:17 01628.998 aa:bb:cc:e6:c2:c9 cwd_sta_idle_timeout_notify sta aa:bb:cc:e6:c2:c9
2024-08-07 14:47:17 01628.999 aa:bb:cc:e6:c2:c9 cwAcProcInputLocalMsg: cwAcKernDataDelSta failed aa:bb:cc:e6:c2:c9 rId 0 wId 0
2024-08-07 14:47:17 01628.999 aa:bb:cc:e6:c2:c9 <dc> STA del aa:bb:cc:e6:c2:c9 ws (1-10.136.8.131:5246) vap GRUPO test
2024-08-07 14:47:17 01628.999 aa:bb:cc:e6:c2:c9 cwAcProcInputLocalMsg D2C_STA_DEL wl GRUPO test
2024-08-07 14:47:17 01628.999 aa:bb:cc:e6:c2:c9 <ih> IEEE 802.11 mgmt::disassoc ==> aa:bb:cc:e6:c2:c9 ...
..... 0 dd:ee:ff:05:91:08 sec WPA2 RADIUS action idle_timeout reason 0
2024-08-07 14:47:18 01628.000 aa:bb:cc:e6:c2:c9 cwAcStaRbtDel: D2C/C2C_STA_DEL remove sta aa:bb:cc:e6:c2:c9 

 

It can be observed that the client associates with the FortiAP successfully (assoc_req and assoc_resp at 14:46:39) and starts its authentication process, but the authentication never completes: about 38 seconds later (14:47:17) the controller removes the station with action idle_timeout. That is the symptom of an Access-Request that received no timely response from the RADIUS server.

 

FortiGate B Troubleshooting:

  1. Ensure the system time on FortiGate B and on the remote RADIUS server is accurate. EAP-TLS checks certificate validity periods on both ends, so clock skew alone can make the handshake fail.
  2. Increase remoteauthtimeout on FortiGate B (the default is 5 seconds) so that a slow RADIUS reply across the tunnel is not discarded before it arrives:

    config system global
        set remoteauthtimeout 60
    end

  3. Configure the IPsec tunnel with pre-encapsulation fragmentation (ip-fragmentation pre-encapsulation on the phase1-interface) and ensure the tunnel MTU is low enough that the ESP packets carrying the RADIUS traffic are not fragmented by ISP devices. See the article Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained. This is especially relevant when the RADIUS server connection on FortiGate B uses the default UDP transport-method: there is no TCP MSS to clamp, so every large Access-Request (EAP-TLS carries the client certificate in EAP-Message attributes) leaves as a single datagram close to the MTU.
  4. Take packet sniffers for UDP port 5247 and for RADIUS (port 1812, or 2083 when RADIUS over TLS is used) to observe the authentication attempt. Note that UDP 5247 may carry a large volume of traffic from other wireless clients. To further isolate the EAP traffic on this channel, see the article Troubleshooting Tip: Packet capture and FortiOS diagnostics to observe EAP authentication.
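To see why step 3 matters, here is an added example, not code from the Fortinet article, that estimates the outer ESP packet size of a RADIUS datagram in tunnel mode and the largest inner packet that still fits a 1500-byte path MTU. The header and trailer sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); the three cipher profiles and the RADIUS lengths it is run on are assumptions chosen for illustration, not values read from a FortiGate.

```python
"""Estimate how large a RADIUS datagram becomes once it is ESP-encapsulated.

Added example, not code from the Fortinet article. Header and trailer sizes
follow RFC 4303 (ESP, tunnel mode) and RFC 3948 (UDP encapsulation for NAT-T);
the cipher profiles and the RADIUS lengths fed in below are assumptions chosen
for illustration, not values read from a FortiGate.
"""
from dataclasses import dataclass
from typing import List, Tuple

IP_HDR = 20          # IPv4 header without options
UDP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # Pad Length (1) + Next Header (1)


@dataclass(frozen=True)
class EspProfile:
    """Per-cipher values that decide the ESP IV length, padding alignment and ICV length."""
    name: str
    iv_len: int      # explicit IV carried in front of the encrypted payload
    align: int       # (payload + trailer) is padded up to a multiple of this
    icv_len: int     # integrity check value appended after the trailer


AES_CBC_SHA1 = EspProfile("aes-cbc / hmac-sha1-96", iv_len=16, align=16, icv_len=12)
AES_CBC_SHA256 = EspProfile("aes-cbc / hmac-sha256-128", iv_len=16, align=16, icv_len=16)
AES_GCM_16 = EspProfile("aes-gcm-16", iv_len=8, align=4, icv_len=16)


def esp_size(inner_len: int, prof: EspProfile, nat_t: bool) -> int:
    """Outer IPv4 length of a tunnel-mode ESP packet carrying an inner IPv4 packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % prof.align
    size = IP_HDR + ESP_HDR + prof.iv_len + body + pad + prof.icv_len
    if nat_t:
        size += UDP_HDR  # UDP/4500 header when NAT traversal is active
    return size


def radius_esp_size(radius_len: int, prof: EspProfile, nat_t: bool) -> int:
    """Outer ESP size for a RADIUS datagram whose Length field is radius_len (inner packet = IP + UDP + RADIUS)."""
    return esp_size(IP_HDR + UDP_HDR + radius_len, prof, nat_t)


def max_inner_len(prof: EspProfile, nat_t: bool, path_mtu: int = 1500) -> int:
    """Largest inner IPv4 packet that still fits the path MTU after encapsulation.

    With pre-encapsulation fragmentation this is the MTU to enforce on the tunnel
    interface: inner packets above it are fragmented before ESP, so every ESP
    packet crosses the ISP unfragmented.
    """
    inner = path_mtu
    while esp_size(inner, prof, nat_t) > path_mtu:
        inner -= 1
    return inner


def report(radius_lens: List[int], prof: EspProfile, nat_t: bool,
           path_mtu: int = 1500) -> List[Tuple[int, int, bool]]:
    """(radius_len, outer_len, fragments) per RADIUS length; fragments is True when outer_len exceeds path_mtu."""
    rows = []
    for rl in radius_lens:
        outer = radius_esp_size(rl, prof, nat_t)
        rows.append((rl, outer, outer > path_mtu))
    return rows


if __name__ == "__main__":
    # Constructed sizes: a small Access-Request (EAP-Identity / TLS start) and the
    # large ones that carry client-certificate fragments in EAP-Message attributes.
    sample = [200, 1200, 1400, 1500]
    for prof in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM_16):
        for nat_t in (False, True):
            limit = max_inner_len(prof, nat_t) - IP_HDR - UDP_HDR
            print(f"{prof.name:26s} nat-t={str(nat_t):5s} largest unfragmented RADIUS datagram: {limit}")
            for rl, outer, frag in report(sample, prof, nat_t):
                print(f"    RADIUS {rl:4d} B -> ESP {outer:4d} B  {'FRAGMENTS' if frag else 'ok'}")
```

With AES-CBC and HMAC-SHA-256, a 1400-byte Access-Request already produces a 1500-byte ESP packet, and 1508 bytes once NAT-T adds its UDP header; the max_inner_len value is the figure to use for the tunnel MTU so that pre-encapsulation fragmentation splits the inner packet instead of leaving the ISP to fragment or drop the ESP packet.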

 

FortiGate A Troubleshooting:

In this scenario, FortiGate A's only role during authentication is to forward the RADIUS traffic accurately between FortiGate B and the server. This is true even if the wireless client's internet access will ultimately pass through FortiGate A after authentication.

  1. Configure the IPsec tunnel with pre-encapsulation fragmentation (ip-fragmentation pre-encapsulation on the phase1-interface) and ensure the tunnel MTU is low enough that the ESP packets carrying the RADIUS traffic are not fragmented by ISP devices.
  2. On the firewall policy that allows the RADIUS traffic, disable auto-asic-offload so that every packet passes through the CPU and can be captured; sessions offloaded to the NP are not visible to the sniffer. If that policy handles a large volume of traffic, instead create a dedicated policy for the RADIUS traffic from FortiGate B and disable auto-asic-offload on that policy only. If FortiGate B uses the TCP or TLS transport-method to reach the RADIUS server, also lower the tcp-mss values on the policy so that the TCP segments fit inside the tunnel MTU:

 

config firewall policy
    edit <index>
        set tcp-mss-sender 1400
        set tcp-mss-receiver 1400
        set auto-asic-offload disable
    next
end

  3. Clear the existing sessions so that new sessions pick up the policy changes:

diagnose sys session filter policy <index>
diagnose sys session clear

  4. Take RADIUS (port 1812 or 2083) packet sniffers:

diagnose sniffer packet any 'port 1812 or 2083' 6 0 l

 

For example, a packet sniffer on FortiGate B may show large RADIUS Access-Requests while the FortiGate A sniffer, run at the same time, shows only the small ones. Large Access-Requests are normal for EAP-TLS (the client certificate travels in EAP-Message attributes), and their absence on the far end of the tunnel points to an IPsec fragmentation issue: the ESP packets carrying them exceed the path MTU and are being fragmented or dropped in transit.
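To make that comparison systematic, here is an added example (not Fortinet code) that parses RADIUS datagrams from both captures, reassembles the EAP-TLS packet from the EAP-Message attributes and lists the Access-Requests from FortiGate B that never appear on FortiGate A, flagging the ones large enough to exceed the path MTU once ESP-encapsulated. The packets are constructed inside the file to mimic the two captures; the 1394-byte threshold, the user name and the RADIUS identifiers are assumptions.

```python
"""Correlate RADIUS Access-Requests captured on both ends of the IPsec tunnel.

Added example, not code from the Fortinet article. It parses RADIUS headers
and attributes (RFC 2865), reassembles the EAP packet from EAP-Message
attributes (RFC 3579) and reads the EAP-TLS flags (RFC 5216), then reports
which requests seen on FortiGate B never show up on FortiGate A. The packets
below are constructed in this file; in practice they come from the two
sniffer captures (converted to pcap), and the threshold must be adjusted to
the tunnel's ciphers.
"""
import struct
from typing import Dict, List, Optional, Tuple

RADIUS_HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More fragments, Start


def build_eap_tls(eap_id: int, data: bytes, more: bool, total_len: Optional[int] = None) -> bytes:
    """EAP-Response/EAP-TLS carrying one TLS fragment; the first fragment sets the L flag and the total length."""
    flags = FLAG_M if more else 0
    body = b""
    if total_len is not None:
        flags |= FLAG_L
        body = struct.pack("!I", total_len)
    payload = bytes([EAP_TYPE_TLS, flags]) + body + data
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(payload)) + payload


def build_access_request(ident: int, user: bytes, eap: bytes) -> bytes:
    """Access-Request with the EAP packet split into 253-byte EAP-Message attributes as RFC 3579 requires.

    The Request Authenticator and Message-Authenticator are zero placeholders: only sizes matter here.
    """
    attrs = bytes([ATTR_USER_NAME, len(user) + 2]) + user
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    return RADIUS_HEADER.pack(ACCESS_REQUEST, ident, RADIUS_HEADER.size + len(attrs), bytes(16)) + attrs


def parse_radius(pkt: bytes) -> Tuple[int, int, int, List[Tuple[int, bytes]]]:
    """Return (code, identifier, length, [(type, value), ...]); raise ValueError on anything RFC 2865 says to discard."""
    if len(pkt) < RADIUS_HEADER.size:
        raise ValueError("truncated RADIUS header")
    code, ident, length, _auth = RADIUS_HEADER.unpack_from(pkt)
    if length < RADIUS_HEADER.size or length > len(pkt):
        raise ValueError("RADIUS Length field inconsistent with datagram")
    attrs, off = [], RADIUS_HEADER.size
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[off], pkt[off + 2:off + pkt[off + 1]]))
        off += pkt[off + 1]
    return code, ident, length, attrs


def eap_tls_info(attrs: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Reassemble the EAP packet and expose the EAP-TLS flags; empty dict if the request carries no EAP-TLS."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 6 or eap[4] != EAP_TYPE_TLS:
        return {}
    flags = eap[5]
    return {"eap_id": eap[1], "eap_len": len(eap),
            "more": bool(flags & FLAG_M), "length_included": bool(flags & FLAG_L)}


def missing_on_far_side(near: List[bytes], far: List[bytes], size_threshold: int = 1394) -> List[Dict[str, object]]:
    """Access-Requests captured on the near side whose Identifier never appears on the far side.

    size_threshold is the RADIUS length above which the ESP packet is expected to exceed a
    1500-byte path MTU; 1394 is the figure for AES-CBC with HMAC-SHA-256 and NAT-T, assumed here.
    RADIUS Identifiers are 8-bit and wrap, so compare captures taken over the same short window.
    """
    far_ids = {parse_radius(p)[1] for p in far if parse_radius(p)[0] == ACCESS_REQUEST}
    lost = []
    for p in near:
        code, ident, length, attrs = parse_radius(p)
        if code == ACCESS_REQUEST and ident not in far_ids:
            lost.append({"ident": ident, "length": length,
                         "large": length > size_threshold, **eap_tls_info(attrs)})
    return lost


def sample_captures() -> Tuple[List[bytes], List[bytes]]:
    """Constructed captures: three requests leave FortiGate B; the large certificate fragment never reaches FortiGate A."""
    user = b"user1"
    ack = build_access_request(0x10, user, build_eap_tls(6, b"", more=False))
    cert = build_access_request(0x11, user, build_eap_tls(7, bytes(1390), more=True, total_len=4200))
    ack2 = build_access_request(0x12, user, build_eap_tls(8, b"", more=False))
    return [ack, cert, ack2], [ack, ack2]


if __name__ == "__main__":
    near, far = sample_captures()
    for entry in missing_on_far_side(near, far):
        print(entry)
```

The report lists the lost request's Identifier, its RADIUS length and whether it is over the threshold, plus the EAP-TLS flags of the fragment it carried; a lost request with the M flag set and a length above the threshold is exactly the pattern the screenshot comparison above describes.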

 



 

Note:

If FortiGate A is acting as the wireless controller for the Remote Site B FortiAP, the roles are mirrored: the CAPWAP control and data channels (UDP 5246 and 5247) between the FortiAP and FortiGate A now cross the IPsec tunnel, so packet sniffers and firewall policies should be checked on FortiGate B to ensure that the CAPWAP traffic is forwarded without loss, while FortiGate A troubleshooting should focus on the local EAP and RADIUS messages. In both cases, CAPWAP and ESP fragmentation should be the first suspects for packet loss.