FortiGate
jcovarrubias
Staff
Article Id 405539
Description This article explains the most important logs for identifying a bad password in 802.1X user-based authentication on a switch managed by FortiGate (FortiLink).
Scope FortiSwitch (FortiLink), FortiGate.
Solution

Review of the Authentication Process.

  1. Supplicant (endpoint) sends EAPOL-Start / EAP-Response-Identity on the access port.
  2. FortiSwitch (authenticator) builds EAP-Request and proxies the EAP payload to the RADIUS server (often via a local auth agent fnbamd).
  3. RADIUS server replies with ACCESS_CHALLENGE (inner EAP methods like PEAP/EAP-TTLS) and then ACCESS_ACCEPT or ACCESS_REJECT after inner authentication (e.g., MS-CHAPv2).
  4. On ACCESS_ACCEPT, the switch sets the port to authorized, applies VLAN/filters from RADIUS attributes; on ACCESS_REJECT or timeout, the port remains unauthorized or is reverted.
  5. Common failure causes: wrong username/password (NT-Response invalid), RADIUS misconfiguration, time sync, certificate, or inner-method mismatch.

Minimum configuration required.

config user radius     <-- RADIUS configuration.
    edit "Radius1"
        set server "x.x.x.x"
        set secret ENC <secret>
    next
end

config user group <-- Create a group that uses the RADIUS Server.
    edit "Radius-Grp1"
        set member "Radius1"
    next
end

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"    <-- Create policy for DOT1X authentication.
        set security-mode 802.1X
        set user-group "Radius-Grp1"
        set mac-auth-bypass enable
        .....
    next
end

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports    <-- Configure port for DOT1X authentication.
            edit "port6"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

Debugs used:

Because the FortiSwitch is ultimately responsible for proxying the EAP frames to the RADIUS server, the real-time debugs must be executed directly on the FortiSwitch and not via the FortiGate CLI.

  • FortiSwitch debugs:

diagnose debug application eap_proxy -1

diagnose debug application fnbamd -1

diagnose debug application wiredap -1

diagnose debug console timestamp enable

The following are the most relevant logs for a user who has authenticated successfully. Note that the combined output of the three debugs enabled above is verbose; some lines are not copied below.

2025-07-22 14:15:48 FTNT_FSW: EAP packet received ... vlanid=171 ... on port14
<output omitted>
2025-07-22 14:15:48 learn EAP identity STA identity 'user1'
2025-07-22 14:15:49 __fnbamd_rad_send-Sent radius req ... code=ACCESS_REQUEST id=7 ... user="user1" using MS-CHAPv2
2025-07-22 14:15:49 fnbamd_radius.c[2319] ... RADIUS resp code ACCESS_ACCEPT
2025-07-22 14:15:49 EAP-MSCHAPV2: Correct user password
<output omitted>
2025-07-22 14:15:52 EAP-PEAP: TLV Result - Success - requested Success
2025-07-22 14:15:52 EAP: EAP entering state SUCCESS
2025-07-22 14:15:52 IEEE 802.1X: 74:86:7a:12:a8:67 BE_AUTH entering state SUCCESS
2025-07-22 14:15:52 FTNT_FSW: Port STA: 74:86:7a:12:a8:67 authorized with ingress-filters: 1
2025-07-22 14:15:52 FTNT_FSW: setting port14 authorized

Interpretation, successful flow:

  1. EAP identity learnt as 'user1' -> switch sent a RADIUS ACCESS_REQUEST for that identity.
  2. RADIUS responded ACCESS_ACCEPT, and MS-CHAPv2 validation succeeded ("Correct user password").
  3. EAP-PEAP inner tunnel completed (Phase1 -> Phase2 -> TLV Success), EAP state transitioned to SUCCESS, and the switch authorized the STA and port.
  4. Final state shows port14 authorized and VLAN/native settings applied.

The following are the most relevant logs for the same flow when the user supplies a bad password:

2025-07-22 14:28:31 learn EAP identity STA identity 'user2'
2025-07-22 14:28:31 __fnbamd_rad_send-Sent radius req ... code=ACCESS_REQUEST id=10 ... user="user2" using MS-CHAPv2
2025-07-22 14:28:32 fnbamd_radius.c[2319] ... RADIUS resp code ACCESS_REJECT
2025-07-22 14:28:32 fnbamd_auth.c[2461] ... Result for radius svr 10.0.2.200(0) is FNBAM_DENIED
2025-07-22 14:28:32 EAP-MSCHAPV2: Invalid NT-Response
2025-07-22 14:28:32 EAP-PEAP: Phase2 method failed
<output omitted>
2025-07-22 14:28:27 EAP: EAP entering state TIMEOUT_FAILURE
2025-07-22 14:28:58 IEEE 802.1X: 00:09:0f:0e:0e:0e BE_AUTH entering state TIMEOUT
2025-07-22 14:28:58 FTNT_FSW: STA 00:09:0f:0e:0e:0e ftnt_fswitch_driver_sta_remove on port14 : prev_auth:0:
2025-07-22 14:28:58 FTNT_FSW: setting port14 un authorized

Interpretation, failed flow:

  1. EAP identity learnt as 'user2' -> switch sent a RADIUS ACCESS_REQUEST for that identity.
  2. RADIUS returned ACCESS_REJECT (FNBAM_DENIED), and fnbamd reports 'Invalid NT-Response', indicating the MS-CHAPv2 NT-Response did not match the stored credential (typical bad password or mismatch in client-side response).
  3. EAP-PEAP Phase 2 failed and the EAP state timed out; the switch removed the STA and left the port unauthorized.
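As an added example (not part of the original article or of any Fortinet tool), the following Python script applies the two interpretations above to eap_proxy/fnbamd debug output: it tracks each EAP identity through the RADIUS response, the MS-CHAPv2 result and the final port state, and reports a bad password only when ACCESS_REJECT coincides with "Invalid NT-Response". The regular expressions are assumptions matched against the exact lines quoted above, and the sample input is constructed by condensing those two captures.

```python
import re

# Patterns for the FortiSwitch eap_proxy/fnbamd debug lines quoted in the article (assumed formats).
RE_IDENTITY = re.compile(r"learn EAP identity STA identity '([^']+)'")
RE_RADIUS_RESP = re.compile(r"RADIUS resp code (ACCESS_\w+)")
RE_MSCHAP = re.compile(r"EAP-MSCHAPV2: (Correct user password|Invalid NT-Response)")
RE_PORT = re.compile(r"setting (port\d+) (authorized|un authorized)")

def parse_dot1x_debug(lines):
    """One record per EAP identity; lines without a username go to the last identity learnt."""
    sessions, current = {}, None
    for line in lines:
        if m := RE_IDENTITY.search(line):
            current = m.group(1)
            sessions[current] = {"radius_resp": None, "mschap": None, "port": None}
        elif current is None:
            continue  # noise before the first identity is learnt
        elif m := RE_RADIUS_RESP.search(line):
            sessions[current]["radius_resp"] = m.group(1)
        elif m := RE_MSCHAP.search(line):
            sessions[current]["mschap"] = m.group(1)
        elif m := RE_PORT.search(line):
            sessions[current]["port"] = f"{m.group(1)} {m.group(2)}"
    return sessions

def verdict(rec):
    """Classify a session the way the article's two interpretation sections do."""
    if rec["radius_resp"] == "ACCESS_ACCEPT" and rec["mschap"] == "Correct user password":
        return "authenticated"
    if rec["radius_resp"] == "ACCESS_REJECT" and rec["mschap"] == "Invalid NT-Response":
        return "bad password (MS-CHAPv2 NT-Response rejected by RADIUS)"
    if rec["radius_resp"] is None:
        return "no RADIUS response seen (server unreachable or misconfigured)"
    return "rejected for another reason"

# Constructed sample, condensed from the two debug captures quoted in the article.
SAMPLE = """\
2025-07-22 14:15:48 learn EAP identity STA identity 'user1'
2025-07-22 14:15:49 fnbamd_radius.c[2319] ... RADIUS resp code ACCESS_ACCEPT
2025-07-22 14:15:49 EAP-MSCHAPV2: Correct user password
2025-07-22 14:15:52 FTNT_FSW: setting port14 authorized
2025-07-22 14:28:31 learn EAP identity STA identity 'user2'
2025-07-22 14:28:32 fnbamd_radius.c[2319] ... RADIUS resp code ACCESS_REJECT
2025-07-22 14:28:32 EAP-MSCHAPV2: Invalid NT-Response
2025-07-22 14:28:58 FTNT_FSW: setting port14 un authorized
""".splitlines()

if __name__ == "__main__":
    for user, rec in parse_dot1x_debug(SAMPLE).items():
        print(f"{user}: {rec['radius_resp']} / {rec['port']} -> {verdict(rec)}")
```

Feed it the captured debug output line by line; an identity with ACCESS_REJECT but no "Invalid NT-Response" points at one of the other causes listed in the review section (inner-method or certificate mismatch, RADIUS configuration) rather than a bad password.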