FortiGate
kaurm
Staff
Article Id 329885
Description

This article describes how to resolve a scenario where the wireless clients are not able to authenticate to the wireless SSID while using the RADIUS-based security.

Scope

All FortiGate.
Solution

On the FortiGate, the EAPOL-Start message from the client is seen after it associates to the SSID, but the FortiGate does not forward the frame to the RADIUS server on behalf of the client that is trying to authenticate.

The fnbamd debug output, filtered on the client MAC address, showed the following messages:

2024-03-08 13:32:41 32057.857 46 xx:xx:xx:xx:xx:xx cwAcStaRbtAdd: I2C_STA_ADD insert sta xx:xx:xx:xx:xx:xx 10.10.9.50/1/0/4
2024-03-08 13:32:41 32057.859 46 xx:xx:xx:xx:xx:xx <cc> STA_CFG_RESP(199) xx:xx:xx:xx:xx:xx <== ws (0-10.10.9.50:5246) rc 0 (Success)
2024-03-08 13:32:41 22761.962 xx:xx:xx:xx:xx:xx <eh> IEEE 802.1X (EAPOL 5B) <== xx:xx:xx:xx:xx:xx ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0
2024-03-08 13:32:46 22766.967 xx:xx:xx:xx:xx:xx <eh> IEEE 802.1X (EAPOL 5B) <== xx:xx:xx:xx:xx:xx ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0
2024-03-08 13:32:51 22771.981 xx:xx:xx:xx:xx:xx <eh> IEEE 802.1X (EAPOL 5B) <== xx:xx:xx:xx:xx:xx ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0
2024-03-08 13:33:03 32078.348 46 xx:xx:xx:xx:xx:xx cwAcKernDelSta,6706 ws (0-10.10.9.50:5246)  xx:xx:xx:xx:xx:xx ret -1
2024-03-08 13:33:03 32078.348 46 xx:xx:xx:xx:xx:xx cwAcProcInputLocalMsg: cwAcKernDataDelSta failed xx:xx:xx:xx:xx:xx  rId 1 wId 0
2024-03-08 13:33:03 32078.348 46 xx:xx:xx:xx:xx:xx <dc> STA del xx:xx:xx:xx:xx:xx ws (0-10.10.9.50:5246) vap RCA-Corp rId 1 wId 0
2024-03-08 13:33:03 32078.348 46 xx:xx:xx:xx:xx:xx cwAcProcInputLocalMsg C2C_STA_DEL_WTP wl RCA-Corp wId 0 sec 6
2024-03-08 13:33:03 32078.349 46 xx:xx:xx:xx:xx:xx <ih> IEEE 802.11 mgmt::disassoc ==> xx:xx:xx:xx:xx:xx ws (0-10.10.9.50:5246) vap RCA-Corp rId 1 wId 0 94:f3:92:e9:d4:f0
2024-03-08 13:33:03 22783.349 xx:xx:xx:xx:xx:xx <eh>     ***WPA_PTK xx:xx:xx:xx:xx:xx DISCONNECTED***
2024-03-08 13:33:03 32078.349 46 xx:xx:xx:xx:xx:xx <cc> STA_CFG_REQ(200) sta xx:xx:xx:xx:xx:xx del ==> ws (0-10.10.9.50:5246) rId 1 wId 0

In addition, the packet capture showed only EAPOL-Start frames and no EAP Request packets, so the EAPOL exchange never completed.
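The pattern above (the same station repeating EAPOL-Start every few seconds and then being deleted by the AP, with no EAP exchange in between) can be picked out of a large debug capture automatically. The following Python script is an added example written for this article, not Fortinet code: it parses lines in the layout quoted above, groups them per station MAC, and reports stations that sent at least a threshold number of EAPOL frames before a "STA del" line. The regular expressions are derived only from the lines shown on the page, the sample lines are constructed (made-up client MACs, same layout), and the threshold of three frames is an assumption.

```python
"""Spot stalled 802.1X exchanges in FortiGate wireless-controller debug output.

Added example, not Fortinet code. Field layout is assumed from the debug lines
quoted in the article; other formats are simply skipped.
"""
import re
from collections import defaultdict
from datetime import datetime

MAC = r'(?:[0-9a-f]{2}:){5}[0-9a-f]{2}'
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')
# EAPOL frame received by the controller (<==) from a station
EAPOL_RE = re.compile(rf'IEEE 802\.1X \(EAPOL \d+B\) <== ({MAC})', re.I)
# Station removal; the verbose form also carries "action <x> reason <n>"
DEL_RE = re.compile(rf'STA del ({MAC})', re.I)
REASON_RE = re.compile(r'action (\w+) reason (\d+)')

MIN_EAPOL_FRAMES = 3  # assumption: three or more EAPOL frames with no progress is a stall

# Constructed sample modelled on the article's debug output (client MACs are made up).
SAMPLE_LINES = [
    # station ...:01 associates, retransmits EAPOL-Start every 5 s, and is then
    # deleted by the AP with reason 201, as in the article
    "2024-03-08 13:32:41 32057.857 46 aa:bb:cc:dd:ee:01 cwAcStaRbtAdd: I2C_STA_ADD insert sta aa:bb:cc:dd:ee:01 10.10.9.50/1/0/4",
    "2024-03-08 13:32:41 22761.962 aa:bb:cc:dd:ee:01 <eh> IEEE 802.1X (EAPOL 5B) <== aa:bb:cc:dd:ee:01 ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0",
    "2024-03-08 13:32:46 22766.967 aa:bb:cc:dd:ee:01 <eh> IEEE 802.1X (EAPOL 5B) <== aa:bb:cc:dd:ee:01 ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0",
    "2024-03-08 13:32:51 22771.981 aa:bb:cc:dd:ee:01 <eh> IEEE 802.1X (EAPOL 5B) <== aa:bb:cc:dd:ee:01 ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0",
    "2024-03-08 13:33:03 32078.348 46 aa:bb:cc:dd:ee:01 <dc> STA del aa:bb:cc:dd:ee:01 ws (0-10.10.9.50:5246) vap RCA-Corp rId 1 wId 0",
    "2024-03-08 13:33:03 22783.349 aa:bb:cc:dd:ee:01 <eh>     ***WPA_PTK aa:bb:cc:dd:ee:01 DISCONNECTED***",
    "2024-03-08 13:33:03 32078.349 46 aa:bb:cc:dd:ee:01<cc> STA del aa:bb:cc:dd:ee:01vap RCA-Corp ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0 sec WPA2 RADIUS action del_by_wtp reason 201",
    # a second station that sent a single EAPOL frame and was never deleted
    "2024-03-08 13:32:42 22762.100 aa:bb:cc:dd:ee:02 <eh> IEEE 802.1X (EAPOL 5B) <== aa:bb:cc:dd:ee:02 ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0",
    "some untimestamped noise line that the parser must ignore",
]


def parse_station_events(lines):
    """Group debug lines per station MAC.

    Returns {mac: {'eapol': [datetime, ...], 'deleted_at': datetime or None,
                   'action': str or None, 'reason': int or None}}.
    """
    stations = defaultdict(lambda: {'eapol': [], 'deleted_at': None,
                                    'action': None, 'reason': None})
    for line in lines:
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue  # not a timestamped debug line
        ts = datetime.strptime(ts_m.group(1), '%Y-%m-%d %H:%M:%S')
        m = EAPOL_RE.search(line)
        if m:
            stations[m.group(1).lower()]['eapol'].append(ts)
            continue
        m = DEL_RE.search(line)
        if m:
            rec = stations[m.group(1).lower()]
            rec['deleted_at'] = rec['deleted_at'] or ts  # keep the first deletion time
            r = REASON_RE.search(line)
            if r:  # the verbose "STA del" line carries action and reason
                rec['action'], rec['reason'] = r.group(1), int(r.group(2))
    return stations


def find_stalled_eapol(lines, min_frames=MIN_EAPOL_FRAMES):
    """Return stations that kept sending EAPOL frames and were then deleted."""
    findings = []
    for mac, rec in parse_station_events(lines).items():
        if len(rec['eapol']) >= min_frames and rec['deleted_at'] is not None:
            findings.append({
                'sta': mac,
                'eapol_frames': len(rec['eapol']),
                'seconds_to_delete': (rec['deleted_at'] - rec['eapol'][0]).total_seconds(),
                'action': rec['action'],
                'reason': rec['reason'],
            })
    return findings


if __name__ == '__main__':
    for f in find_stalled_eapol(SAMPLE_LINES):
        print(f"{f['sta']}: {f['eapol_frames']} EAPOL frames, deleted after "
              f"{f['seconds_to_delete']:.0f}s (action={f['action']}, reason={f['reason']})")
```

Run against a saved debug capture by replacing SAMPLE_LINES with the file's lines; a station reported with several EAPOL frames and a del_by_wtp deletion, and no RADIUS exchange in the same window, is the signature discussed above and is worth checking against the SSID's PMF setting.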

2024-03-19 12:26:09 74864.663 46 xx:xx:xx:xx:xx:xx<cc> STA_CFG_REQ(77) sta xx:xx:xx:xx:xx:xxdel ==> ws (0-10.10.9.50:5246) rId 1 wId 0
2024-03-19 12:26:09 84688.664 2024-03-19 12:26:09 74864.664 46 xx:xx:xx:xx:xx:xx<cc> STA del xx:xx:xx:xx:xx:xxvap RCA-Corp ws (0-10.10.9.50:5246) rId 1 wId 0 94:f3:92:e9:d4:f0 sec WPA2 RADIUS action del_by_wtp reason 201

The PMF option was set to optional on the SSID:

config wireless-controller vap
    edit <vap_name>
        set pmf {disable | enable | optional}
        set pmf-assoc-comeback-timeout <integer>
        set pmf-sa-query-retry-timeout <integer>
        set okc {disable | enable}
    next
end

PMF is considered enabled when it is set to optional; see this documentation page for more information.
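Because "optional" counts as enabled, a quick audit of every SSID's PMF value is useful before troubleshooting client by client. The following Python script is an added example written for this article, not Fortinet code: it parses the config / edit / set / next / end structure shown above, treats both "enable" and "optional" as PMF enabled, and lists the affected VAPs, optionally restricted to enterprise (RADIUS) SSIDs. The configuration text is constructed; the "set security" key and its values are assumed from real VAP entries and are not shown on this page, and treating an absent pmf line as "disable" is an assumption about the default.

```python
"""Audit PMF settings in a FortiGate 'config wireless-controller vap' block.

Added example, not Fortinet code. Per the article, pmf 'optional' counts as
enabled. The sample configuration is constructed; 'set security' is assumed.
"""
import shlex

# Constructed sample in the layout of a 'config wireless-controller vap' block.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "RCA-Corp"
        set ssid "RCA-Corp"
        set security wpa2-only-enterprise
        set pmf optional
        set pmf-assoc-comeback-timeout 1
        set pmf-sa-query-retry-timeout 2
    next
    edit "Guest"
        set ssid "Guest"
        set security wpa2-only-personal
        set pmf enable
    next
    edit "Lab"
        set ssid "Lab"
        set security wpa2-only-enterprise
        set pmf disable
    next
end
"""


def parse_vaps(text):
    """Return {vap_name: {key: value}} for every 'edit' entry in the block."""
    vaps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('config ', 'end')):
            continue
        parts = shlex.split(line)  # handles quoted names such as "RCA-Corp"
        if parts[0] == 'edit' and len(parts) > 1:
            current = parts[1]
            vaps[current] = {}
        elif parts[0] == 'set' and current is not None and len(parts) > 2:
            vaps[current][parts[1]] = ' '.join(parts[2:])
        elif parts[0] == 'next':
            current = None
    return vaps


def pmf_enabled(value):
    """'enable' and 'optional' both mean PMF is in effect, as the article states."""
    return value in ('enable', 'optional')


def audit_pmf(text, default_pmf='disable'):
    """Names of all VAPs on which PMF is effectively enabled.

    default_pmf is used when a VAP has no 'set pmf' line (assumed default).
    """
    return sorted(name for name, keys in parse_vaps(text).items()
                  if pmf_enabled(keys.get('pmf', default_pmf)))


def radius_vaps_with_pmf(text, default_pmf='disable'):
    """Same check, limited to enterprise (RADIUS-authenticated) SSIDs.

    Assumes the security value contains 'enterprise' for 802.1X SSIDs.
    """
    vaps = parse_vaps(text)
    return sorted(name for name in audit_pmf(text, default_pmf)
                  if 'enterprise' in vaps[name].get('security', ''))


if __name__ == '__main__':
    print('PMF in effect on:', audit_pmf(SAMPLE_CONFIG))
    print('RADIUS SSIDs with PMF in effect:', radius_vaps_with_pmf(SAMPLE_CONFIG))
```

Paste the output of the vap configuration into SAMPLE_CONFIG (or read it from a file) and compare the RADIUS SSIDs it lists with the SSID the failing clients are joining.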