Jaye17 (Staff)
Article Id 426806
Description

This article describes the issue where an existing SSID configuration that uses RADIUS authentication fails after upgrading FortiGate to FortiOS 7.4.9 or FortiOS 7.6.4.

Scope

FortiGate SSID security configuration: WPA-Enterprise + RADIUS authentication (direct).

The RADIUS server is configured as an FQDN.

Solution

This issue affects environments where the SSID is configured with:

  • WPA-Enterprise + direct RADIUS authentication.
  • RADIUS server defined using an FQDN.

During troubleshooting, packet captures on ports 1812 and 1813 show no output:

    diagnose sniffer packet any 'port 1812 or 1813' 6 0 l
    interfaces=[any]
    filters=[port 1812 or 1813]

    ...
    0 packets received by filter
    0 packets dropped by kernel

The FortiGate sample configuration is as follows:

    config user radius
        edit "rad_auth"
            set server "fortinet.lab.com"
            set secret ENC [hash]
            set nas-id-type custom
            set nas-id "FGT-LAB"
            set acct-interim-interval 300
            set secondary-server "fortinet22.lab.com"
            set secondary-secret ENC [hash]
            config accounting-server
                edit 1
                    set status enable
                    set server "fortinet22.lab.com"
                    set secret ENC [hash]
                next
                edit 2
                    set status enable
                    set server "fortinet.lab.com"
                    set secret ENC [hash]
                next
            end
        next
    end

    config wireless-controller vap
        edit "SSID-TEST"
            set ssid "SSID-TEST"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "rad_auth"
            set local-bridging enable
            set schedule "always"
            set vlanid 530
            set alias "test"
        next
    end


Because the sniffer does not return any packets, additional debug is required:

    diagnose debug reset
    diagnose debug disable
    diagnose debug application wpad 7
    diagnose debug enable

To disable the debug processes after collecting data:

    diagnose debug reset
    diagnose debug disable


The following error message is observed in the wpad debug output:

    EAP: EAP entering state INITIALIZE
    : CTRL-EVENT-EAP-STARTED c6:de:40:14:18:cf
    EAP: EAP entering state SELECT_ACTION
    EAP: getDecision: no identity known yet -> CONTINUE
    EAP: EAP entering state PROPOSE_METHOD
    EAP: getNextMethod: vendor 0 type 1
    : CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
    EAP: EAP entering state METHOD_REQUEST
    EAP: building EAP-Request: Identifier 248
    EAP: EAP entering state SEND_REQUEST
    EAP: EAP entering state IDLE
    EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
    64133.156 HOSTAPD: <0>10.164.2.155:5246<1-4> sending E2C_8021X (160 bytes) to_ipc 1 children 0
    EAP: EAP entering state RECEIVED
    EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=248 respMethod=1 respVendor=0 respVendorMethod=0
    EAP: EAP entering state INTEGRITY_CHECK
    EAP: EAP entering state METHOD_RESPONSE
    EAP-Identity: Peer identity - hexdump_ascii(len=58):
    0000: 32 4F 42 35 74 39 50 6E 53 59 73 78 52 48 31 49 2OB5t9PnSYsxRH1I
    0010: 47 34 6C 61 45 63 30 40 77 6C 61 6E 2E 6D 6E 63 G4laEc0@wlan.mnc
    0020: 32 38 30 2E 6D 63 63 33 31 30 2E 33 67 70 70 6E 280.mcc310.3gppn
    0030: 65 74 77 6F 72 6B 2E 6F 72 67 etwork.org
    EAP: EAP entering state SELECT_ACTION
    EAP: getDecision: -> PASSTHROUGH
    EAP: EAP entering state INITIALIZE_PASSTHROUGH
    EAP: EAP entering state AAA_REQUEST
    EAP: EAP entering state AAA_IDLE
    64133.161  RADIUS: Authentication server :1812
    64133.161  DNS req ipv6 0x3ad1 'fortinet.lab.com'
    64133.161  DNS maintainer started.
    64133.161  RADIUS: Error opening radius socket (Address family not supported by protocol)
    64133.161  HOSTAPD: <0>10.164.2.155:5246<1-4> RADIUS No authentication server configured
    64133.165  HOSTAPD: <0>10.164.2.35:5246<1-4> Received C2E_80211_MGMT (163 bytes) from /tmp/wCwAcSocket


Root cause:

The behavior is caused by wpad sending RADIUS requests only over IPv6, without attempting fallback to IPv4 in dual-stack configurations. If the RADIUS server FQDN resolves only to an IPv4 address, authentication fails.

Authentication continues to work only when the FQDN resolves to an IPv6 address and a RADIUS server is reachable on that IPv6 address.


Workaround:

Configure the RADIUS server by its IPv4 address instead of its FQDN:


    config user radius
        edit "rad_auth"
            set server "10.10.12.11"
            set secret ENC [hash]
            set nas-id-type custom
            set nas-id "FGT-LAB"
            set acct-interim-interval 300
            set secondary-server "10.10.12.15"
            set secondary-secret ENC [hash]
            config accounting-server
                edit 1
                    set status enable
                    set server "10.10.12.15"
                    set secret ENC [hash]
                next
                edit 2
                    set status enable
                    set server "10.10.12.11"
                    set secret ENC [hash]
                next
            end
        next
    end


This issue is resolved in FortiOS 7.4.10, 7.6.5, and 8.0.0.
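As an added pre-upgrade check that is not part of the article: the following Python script pulls every server value out of a `config user radius` block and reports which FQDNs would hit the IPv6-only wpad behaviour described above (no IPv6 address to resolve to, so the socket open fails). The sample configuration is constructed in the article's format with secrets omitted; `resolved_families` uses the DNS of whatever host runs the script, so run it on a host that uses the same resolver as the FortiGate, or pass your own lookup function.

```python
import ipaddress
import re
import socket

# Constructed sample in the article's format; secrets and unrelated settings omitted.
SAMPLE_CONFIG = """
config user radius
    edit "rad_auth"
        set server "fortinet.lab.com"
        set secondary-server "fortinet22.lab.com"
        config accounting-server
            edit 1
                set server "10.10.12.15"
            next
        end
    next
end
"""

# Matches 'set server', 'set secondary-server' and 'set tertiary-server' lines.
SERVER_RE = re.compile(r'^\s*set\s+(?:secondary-|tertiary-)?server\s+"([^"]+)"', re.M)

def resolved_families(host):
    """Address families the FQDN resolves to (live DNS; tests pass a stub instead)."""
    fams = set()
    try:
        for fam, *_ in socket.getaddrinfo(host, 1812, type=socket.SOCK_DGRAM):
            fams.add("ipv6" if fam == socket.AF_INET6 else "ipv4")
    except socket.gaierror:
        pass
    return fams

def affected_servers(config_text, resolve=resolved_families):
    """Verdict per configured server under the 7.4.9/7.6.4 behaviour: wpad only
    tries IPv6, so an FQDN that has no IPv6 address is never reached."""
    verdict = {}
    for srv in SERVER_RE.findall(config_text):
        try:  # literal addresses are not resolved, so they match the article's workaround
            verdict[srv] = "ok: IPv%d literal" % ipaddress.ip_address(srv).version
            continue
        except ValueError:
            pass
        fams = resolve(srv)
        if "ipv6" in fams:
            verdict[srv] = "ok: resolves to IPv6"
        elif "ipv4" in fams:
            verdict[srv] = "AFFECTED: IPv4-only FQDN, use its IPv4 address instead"
        else:
            verdict[srv] = "unresolvable"
    return verdict
```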

Related article:

Troubleshooting Tip: Useful commands to troubleshoot wireless authentication via RADIUS through Fort...