FortiGate
kgurbuz
Staff
Article Id 426397
Description

 

This article describes how to resolve RADIUS authentication failures for an SSID when the RADIUS server is located at a remote site that is reached through an IPsec VPN.

Scope

FortiGate.

 

Solution

Scenario:

There are two sites: one hosts the SSID, the other hosts the RADIUS server. Wireless users connect to the SSID and are authenticated against the RADIUS server. The two sites are connected by an IPsec VPN.

[Figure New_Kb_Diag.png: the SSID site and the RADIUS server site connected over the IPsec VPN]

 

When users cannot authenticate while connecting to the SSID, capture the RADIUS traffic on both FortiGates (all interfaces, UDP ports 1812 and 1813, verbosity 6 so the interface name and full packet are shown, unlimited packet count, local timestamps):

diagnose sniffer packet any 'udp and (port 1812 or port 1813)' 6 0 l


In the capture, the RADIUS packets appear as fragmented IP packets:

[Figure 1.jpg: sniffer output showing fragmented IP packets for the RADIUS traffic]


Configure the setting below on the phase1-interface of the tunnel on both FortiGates:

config vpn ipsec phase1-interface
    edit <tunnel-name>
        set ip-fragmentation pre-encapsulation
    next
end


For details, see Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained.

After the change, users authenticate successfully against the RADIUS server.
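To make the mechanism behind the fix concrete, the following Python model (an added illustration, not FortiGate code and not part of the original article) shows what one large RADIUS datagram looks like on the wire under the two ip-fragmentation modes. The ESP overhead figures, the 1800-byte RADIUS datagram and the 1500-byte path MTU are constructed assumptions, and the path is assumed to discard outer IP fragments in which no ESP header is visible, a common behaviour of intermediate stateful devices.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed ESP tunnel-mode overhead in bytes (real values depend on the phase2
# proposal; these correspond to AES-CBC with a 96-bit truncated HMAC ICV).
OUTER_IP = 20      # outer IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # truncated HMAC
CIPHER_BLOCK = 16  # plaintext + trailer is padded to a multiple of this
IP_HEADER = 20
UDP_HEADER = 8


def esp_length(inner_len: int) -> int:
    """On-the-wire size of one ESP packet carrying an inner IP packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // CIPHER_BLOCK) * CIPHER_BLOCK
    return OUTER_IP + ESP_HEADER + ESP_IV + padded + ESP_ICV


def ip_fragment(total_len: int, mtu: int) -> list[tuple[int, int]]:
    """Split an IPv4 packet into (fragment offset, fragment total length) pairs.
    Every fragment repeats the IP header and, except for the last one, carries
    a payload that is a multiple of 8 bytes, as the fragment offset field requires."""
    payload = total_len - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    fragments, offset = [], 0
    while offset < payload:
        chunk = min(per_fragment, payload - offset)
        fragments.append((offset, IP_HEADER + chunk))
        offset += chunk
    return fragments


@dataclass
class WirePacket:
    length: int
    esp_header_visible: bool   # False for a non-initial outer IP fragment
    outer_fragment: bool       # True if the encrypted packet itself was fragmented


def send_radius_over_tunnel(radius_len: int, mtu: int, mode: str) -> list[WirePacket]:
    """Packets the local gateway emits for one RADIUS datagram of radius_len bytes."""
    inner_len = IP_HEADER + UDP_HEADER + radius_len
    if mode == "pre-encapsulation":
        # Largest cleartext packet whose encapsulated form still fits the MTU.
        inner_mtu = next(n for n in range(mtu, 0, -1) if esp_length(n) <= mtu)
        # Each cleartext fragment becomes its own complete ESP packet; the remote
        # gateway decrypts them and reassembles the RADIUS datagram inside the tunnel.
        return [WirePacket(esp_length(frag_len), True, False)
                for _, frag_len in ip_fragment(inner_len, inner_mtu)]
    if mode == "post-encapsulation":
        total = esp_length(inner_len)
        if total <= mtu:
            return [WirePacket(total, True, False)]
        # The ESP packet is fragmented after encryption; only the first fragment
        # carries the ESP header (SPI), the rest are opaque to devices in the path.
        return [WirePacket(frag_len, offset == 0, True)
                for offset, frag_len in ip_fragment(total, mtu)]
    raise ValueError(f"unknown mode {mode!r}")


def delivered(packets: list[WirePacket], path_drops_headerless_fragments: bool = True) -> bool:
    """Whether the remote gateway receives everything needed to recover the RADIUS
    datagram. Assumed path behaviour: an intermediate device discards outer IP
    fragments in which it cannot see an ESP header."""
    return not (path_drops_headerless_fragments
                and any(not p.esp_header_visible for p in packets))


if __name__ == "__main__":
    # Constructed input: an 1800-byte RADIUS datagram across a 1500-byte MTU path.
    for mode in ("post-encapsulation", "pre-encapsulation"):
        pkts = send_radius_over_tunnel(1800, 1500, mode)
        print(mode, [(p.length, p.esp_header_visible) for p in pkts],
              "delivered:", delivered(pkts))
```

With post-encapsulation (the FortiOS default) the 1800-byte datagram becomes a 1896-byte ESP packet that is split into outer fragments of 1500 and 416 bytes, and the second fragment carries no SPI, so a path that drops headerless fragments breaks the exchange. With pre-encapsulation the cleartext packet is split first, giving two complete ESP packets of 1496 and 472 bytes that each fit the MTU and are reassembled only after decryption on the remote FortiGate.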

 

Note: It may also be necessary to set a source IP in the RADIUS server settings so that the FortiGate's own requests to the remote RADIUS server are routed into the site-to-site IPsec tunnel at all:

config user radius
    edit <server-name>
        set source-ip <local IP address reachable through the tunnel>
    next
end

For details, see Troubleshooting Tip: Unable to communicate with RADIUS server which is hosted in remote end subnet.
