Hsharma
Staff
Article Id 374750
Description This article describes how to handle an issue with RADIUS server connectivity where debug logs show 'No response from the RADIUS server' and 'Can't contact RADIUS server', but packets are not leaving the FortiGate itself.
Scope FortiGate.
Solution

Connection with the RADIUS server is unsuccessful:

Radiusserver.jpg

The debug output shows the following errors:

diagnose debug disable
diagnose debug application fnbamd -1
diagnose debug enable

[1639] auth_cert_success-id=342768329
[1068] fnbamd_cert_auth_copy_cert_status-req_id=342768329
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=342768329
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 342768329, len=2536
[1584] destroy_auth_cert_session-id=342768329
[1041] fnbamd_cert_auth_uninit-req_id=342768329
[2848] receive_parse_radius_check_response-No response from the RADIUS server.
[2507] handle_req-Rcvd auth_cert req id=342768330, len=1599, opt=8
[983] __cert_auth_ctx_init-req_id=342768330, opt=8
[992] __cert_auth_ctx_init-OCSP resp is found.
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.

However, the sniffer does not show any packets leaving the FortiGate:

Smough-kvm40# di sniffer packet any " host x.x.x.x and port (1812 or 1813) " 
interfaces=[any]
filters=[ host x.x.x.x and port (1812 or 1813) ]
^C
0 packets received by filter
0 packets dropped by kernel

Make sure the RADIUS port is not blocked, and check whether the RADIUS port has been set to a different port in the global settings.

RadiusImage.jpg

If the RADIUS port is different from the default port (1812 or 1813), it should be configured as the default port, 1812. In this example, the RADIUS port is 18121, which is incorrect.

Note: If RADIUS communication takes place on a different port, that port should be configured under the RADIUS configuration as well as under the global settings.
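
The following Python script is an added example, not part of the original article and not Fortinet code. It reads a saved configuration excerpt and applies the two checks described above: a global radius-port other than 1812, and RADIUS servers whose own port is not set to the same value. The excerpt is constructed, and the per-server "set radius-port" line under "config user radius" is an assumption about where the RADIUS configuration stores the port.

```python
import re
DEFAULT_PORT = 1812  # default RADIUS authentication port named in the article

# Constructed FortiOS-style excerpt: names and addresses are made up, and the
# per-server "set radius-port" line is an assumption of this example.
SAMPLE_CONFIG = """\
config system global
    set radius-port 18121
end
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
    next
    edit "vpn-radius"
        set server "192.0.2.11"
        set radius-port 18121
    next
end
"""

def parse_radius_ports(text):
    """Return (global_port, {server_name: port or None}) from a config dump."""
    stack, entry = [], None  # open "config" blocks, current "edit" name
    global_port, servers = DEFAULT_PORT, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) != 1:
            continue  # skip top-level lines and nested sub-blocks
        elif stack[0] == "user radius" and line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            servers[entry] = None  # None: no port set on this server
        elif m := re.fullmatch(r"set radius-port (\d+)", line):
            if stack[0] == "system global":
                global_port = int(m.group(1))
            elif stack[0] == "user radius" and entry:
                servers[entry] = int(m.group(1))
    return global_port, servers

def audit(text):
    """Flag a non-default global port and servers not set to the same port."""
    global_port, servers = parse_radius_ports(text)
    if global_port == DEFAULT_PORT:
        return []
    return [f"global radius-port is {global_port}, default is {DEFAULT_PORT}"] + [
        f"server {name}: radius-port is not set to {global_port}"
        for name, port in servers.items() if port != global_port]
```

Calling audit(SAMPLE_CONFIG) returns one finding for the global port and one for "corp-radius"; an empty list means the global port is still 1812.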